Make CI workflows safe when testing in a fork

Testing CI workflows is a pain.  This usually involves forking the
main repo and testing various operations there, where the results will
not break the main repo.

However, some things like NPM and Docker package names were initially
hard-coded.  This meant that a fork would need to customize those in
the workflows to avoid pushing official-looking packages during CI
testing.

This change moves those hard-coded names to GitHub Secrets.  Though
the names are not actually secret, the secret store is per-repo, and
will be independent in a fork.  This makes it easier to avoid
accidentally pushing official-looking releases during testing, even if
the fork has access to the same auth tokens.

Change-Id: Ide8f7aa92a028dd217200fca60881333bf8ae579
This commit is contained in:
Joey Parrish 2021-06-17 13:36:56 -07:00
parent a2e07a901e
commit acafc0fd93
5 changed files with 21 additions and 7 deletions


@ -33,10 +33,16 @@
- `DOCKERHUB_CI_USERNAME`: The username of the Docker Hub CI account - `DOCKERHUB_CI_USERNAME`: The username of the Docker Hub CI account
- `DOCKERHUB_CI_TOKEN`: An access token for Docker Hub - `DOCKERHUB_CI_TOKEN`: An access token for Docker Hub
- To generate, visit https://hub.docker.com/settings/security - To generate, visit https://hub.docker.com/settings/security
- `DOCKERHUB_PACKAGE_NAME`: Not a true "secret", but stored here to avoid
someone pushing bogus packages to Docker Hub during CI testing from a fork
- In a fork, set to a private name which differs from the production one
- `NPM_CI_TOKEN`: An "Automation"-type access token for NPM for the `shaka-bot` - `NPM_CI_TOKEN`: An "Automation"-type access token for NPM for the `shaka-bot`
account account
- To generate, visit https://www.npmjs.com/settings/shaka-bot/tokens and - To generate, visit https://www.npmjs.com/settings/shaka-bot/tokens and
select the "Automation" type select the "Automation" type
- `NPM_PACKAGE_NAME`: Not a true "secret", but stored here to avoid someone
pushing bogus packages to NPM during CI testing from a fork
- In a fork, set to a private name which differs from the production one
- `SHAKA_BOT_TOKEN`: A GitHub personal access token for the `shaka-bot` - `SHAKA_BOT_TOKEN`: A GitHub personal access token for the `shaka-bot`
account, with `workflow` scope account, with `workflow` scope
- To generate, visit https://github.com/settings/tokens/new and select the - To generate, visit https://github.com/settings/tokens/new and select the


@ -44,4 +44,4 @@ jobs:
with: with:
push: true push: true
context: src/ context: src/
tags: google/shaka-packager:latest,google/shaka-packager:${{ env.TARGET_REF }} tags: ${{ secrets.DOCKERHUB_PACKAGE_NAME }}:latest,${{ secrets.DOCKERHUB_PACKAGE_NAME }}:${{ env.TARGET_REF }}
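Review bot: If `DOCKERHUB_PACKAGE_NAME` is not configured in a fork, the new `tags:` expression expands to `:latest,:<ref>`, so the failure surfaces only inside the build-push action with an unhelpful message rather than as a clear "secret missing" error. A guard step before the build makes the requirement explicit: `- run: test -n "${{ secrets.DOCKERHUB_PACKAGE_NAME }}" || { echo 'DOCKERHUB_PACKAGE_NAME secret is not set'; exit 1; }`. Because the name is now stored as a secret, GitHub will mask it as `***` in the run log, so the tag actually pushed will not be readable there; a one-line comment above `tags:` noting this saves the next person a confusing debugging session. The step that owns this `with:` block starts outside the hunk.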


@ -38,10 +38,12 @@ jobs:
with: with:
node-version: 10 node-version: 10
- name: Set package version - name: Set package name and version
run: | run: |
cd src/npm cd src/npm
npm version ${{ env.TARGET_REF }} sed package.json -i \
-e 's/"name": ""/"name": "${{ secrets.NPM_PACKAGE_NAME }}"/' \
-e 's/"version": ""/"version": "${{ env.TARGET_REF }}"/'
- name: Publish NPM package - name: Publish NPM package
uses: JS-DevTools/npm-publish@v1 uses: JS-DevTools/npm-publish@v1
@ -49,3 +51,4 @@ jobs:
token: ${{ secrets.NPM_CI_TOKEN }} token: ${{ secrets.NPM_CI_TOKEN }}
package: src/npm/package.json package: src/npm/package.json
check-version: false check-version: false
access: public
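Review bot: The package name is spliced into the `sed` script through `${{ secrets.NPM_PACKAGE_NAME }}`, so a scoped fork name such as `@myorg/shaka-packager` (constructed example) contains the `/` delimiter and breaks the substitution, and a `&` or quote in either value is interpreted by sed instead of being copied. Passing both values through `env:` and referencing them as shell variables with a `|` delimiter avoids that and follows GitHub's guidance against expanding expressions directly into `run:` scripts. Since the removed `npm version` call also validated `TARGET_REF` as semver, consider a read-back after the sed, e.g. `node -e "const p=require('./package.json'); if(!p.name||!p.version) process.exit(1)"`, so a pattern that no longer matches the checked-in `"name": ""` / `"version": ""` text fails here instead of at publish time. As with the Docker workflow, the secret-backed name will be masked in logs.
```yaml
      - name: Set package name and version
        env:
          NPM_PACKAGE_NAME: ${{ secrets.NPM_PACKAGE_NAME }}
        run: |
          cd src/npm
          sed package.json -i \
            -e "s|\"name\": \"\"|\"name\": \"$NPM_PACKAGE_NAME\"|" \
            -e "s|\"version\": \"\"|\"version\": \"$TARGET_REF\"|"
      # … unchanged: Publish NPM package step …
```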


@ -1,5 +1,5 @@
{ {
"name": "shaka-packager", "name": "",
"description": "A media packaging tool and SDK.", "description": "A media packaging tool and SDK.",
"version": "", "version": "",
"homepage": "https://github.com/google/shaka-packager", "homepage": "https://github.com/google/shaka-packager",


@ -16,8 +16,13 @@ var commandNames = {
var package = require(path.resolve(__dirname, 'package.json')); var package = require(path.resolve(__dirname, 'package.json'));
console.log('Preparing Shaka Packager v' + package.version); console.log('Preparing Shaka Packager v' + package.version);
// Calculate the repo name. In GitHub Actions context, this will pull binaries
// correctly from a fork. When run by hand, it will default to the official
// repo.
var repo = process.env.GITHUB_REPOSITORY || 'google/shaka-packager';
// For fetching binaries from GitHub: // For fetching binaries from GitHub:
var urlBase = 'https://github.com/google/shaka-packager/releases/download/v' + var urlBase = 'https://github.com/' + repo + '/releases/download/v' +
package.version + '/'; package.version + '/';
// For spawning curl subprocesses: // For spawning curl subprocesses:
@ -49,11 +54,11 @@ for (var platform in commandNames) {
// Fetch LICENSE and README files from the same tag, and include them in the // Fetch LICENSE and README files from the same tag, and include them in the
// package. // package.
var licenseUrl = 'https://raw.githubusercontent.com/google/shaka-packager/' + var licenseUrl = 'https://raw.githubusercontent.com/' + repo + '/' +
'v' + package.version + '/LICENSE'; 'v' + package.version + '/LICENSE';
download(licenseUrl, 'LICENSE'); download(licenseUrl, 'LICENSE');
var readmeUrl = 'https://raw.githubusercontent.com/google/shaka-packager/' + var readmeUrl = 'https://raw.githubusercontent.com/' + repo + '/' +
'v' + package.version + '/README.md'; 'v' + package.version + '/README.md';
download(readmeUrl, 'README.md'); download(readmeUrl, 'README.md');
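Review bot: `repo` is taken verbatim from `process.env.GITHUB_REPOSITORY` and becomes the origin for the binaries, LICENSE and README this script downloads, but nothing checks that it looks like `owner/name` or reports which repository was chosen. On a runner that is fine, but if this script can also run on a developer's machine or inside some other project's GitHub Actions job (where `GITHUB_REPOSITORY` is set to that other repo), the downloads silently point somewhere else; I cannot tell from the hunk which of these applies. A cheap check after the assignment makes the source explicit: `if (!/^[\w.-]+\/[\w.-]+$/.test(repo)) throw new Error('Unexpected GITHUB_REPOSITORY value: ' + repo);` followed by `console.log('Fetching release assets from ' + repo);`. The same `repo` value feeds the second hunk (`licenseUrl`/`readmeUrl`), so one check covers both; the script continues outside the hunk.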