iterative / py-template

Hypermodern Python Cookiecutter
http://cookiecutter-hypermodern-python.readthedocs.io/
MIT License

update template: add a way to run with PAT #123

Closed shcheklein closed 5 months ago

shcheklein commented 5 months ago

Needed when update template touches workflow files (and fails to create a PR)

shcheklein commented 5 months ago

@skshetry CI errors seem unrelated (or even expected)?

skshetry commented 5 months ago

> Needed when update template touches workflow files (and fails to create a PR)

Where is it failing to create a PR? I think you are looking for py-template's action, which already supports token as an input.

https://github.com/iterative/py-template/blob/e4ec95f4cfd03d4af0a8604d462ee11d07d63b42/action.yml#L7

shcheklein commented 5 months ago

@skshetry I mean a run like this:

https://github.com/iterative/dvcx-server/actions/runs/8413748292

  /usr/bin/git push --force-with-lease origin create-pull-request/patch:refs/heads/create-pull-request/patch
  To https://github.com/iterative/dvcx-server
   ! [remote rejected] create-pull-request/patch -> create-pull-request/patch (refusing to allow a GitHub App to create or update workflow `.github/workflows/tests.yml` without `workflows` permission)
  error: failed to push some refs to 'https://github.com/iterative/dvcx-server'
  Error: The process '/usr/bin/git' failed with exit code 1

I haven't spent much time researching it tbh though.

skshetry commented 5 months ago

GITHUB_TOKEN does not allow updating workflow files. In dvcx-server, you have to add your own PAT as a secret, with workflows permissions (+ contents/pull-requests which are always required) and pass it to py-template. py-template action already supports token.

You'll have to update update-template.yaml workflow with something like the following:

      - name: Update template
        uses: iterative/py-template@main
        with:
          token: ${{ secrets.MY_GH_PAT }}

https://github.com/iterative/dvcx-server/blob/2c73ce8a4881d2012ff81ab65b0194ccedc878ce/.github/workflows/update-template.yml#L22

shcheklein commented 5 months ago

> You'll have to update update-template.yaml workflow with something like the following:

yep, that's what I was trying to generalize I guess. Should we make it token: ${{ secrets.PY_TEMPLATE_TOKEN || secrets.GITHUB_TOKEN }} ? (we can keep or drop manual dispatch then)?

skshetry commented 5 months ago

Do you need this PR in py-template at all? You can pass a token in dvcx-server side if you want to use a PAT.

shcheklein commented 5 months ago

Hmm, maybe I'm missing something ... I'm trying to update the template so that all repos that are using it have a way to pass PAT.

> You can pass a token in dvcx-server side if you want to use a PAT.

how? (I made a change to use input there, but that was more like an ad-hoc solution, your idea with secrets sounds better to me - probably we could use some bot's account PAT for this)

skshetry commented 5 months ago

@shcheklein, you'll have to set up a token in each of the repos individually. This cannot be done by py-template here.

As I said, you need to set the PAT as a secret and then modify update-template.yaml in dvcx-server to pass the token (a single line change).

      - name: Update template
        uses: iterative/py-template@main
        with:
          token: ${{ secrets.MY_GH_PAT }}

shcheklein commented 5 months ago

I understand, with this PR, I'm trying to generalize it, so that we don't have to update dvcx/update-template.yaml, dvcx-server/update-template.yaml, etc. Does it make sense?

skshetry commented 5 months ago

I understand what you are trying to propose. But I don't see a need for generalizing it yet. Copying on one or two repositories is okay.

Auto-updating a template is a nice-to-have feature, and it's up to each maintainer to decide. On open-source projects, we are unlikely to set any tokens, and I don't expect workflow files to be updated that frequently.

shcheklein commented 5 months ago

okay, yep, sounds good!
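
The failure discussed in this thread can be recognized mechanically. The following is an added example, not part of the thread or of py-template's own code: it parses the rejection line from the failed run quoted above and checks whether a change set touches workflow files, which is the case where the default `GITHUB_TOKEN` is refused and a PAT with workflows permission is needed. The function names and the sample changed-path list are assumptions made for illustration.

```python
import re

# Matches the rejection line from the failed run quoted in the thread.
# "permission" is the wording in that log; "scope" is accepted as an
# assumed variant for other credential types.
REJECT_RE = re.compile(
    r"refusing to allow an? (?P<credential>.+?) to create or update workflow "
    r"`(?P<path>[^`]+)` without `(?P<needed>[^`]+)` (?:permission|scope)"
)

def parse_workflow_rejections(push_output):
    """Return one dict per workflow-file rejection found in git push output."""
    return [m.groupdict() for m in REJECT_RE.finditer(push_output)]

def touched_workflows(changed_paths):
    """Return the changed paths that live under .github/workflows/."""
    hits = []
    for path in changed_paths:
        norm = path.strip()
        if norm.startswith("./"):
            norm = norm[2:]
        if norm.startswith(".github/workflows/") and norm.endswith((".yml", ".yaml")):
            hits.append(norm)
    return hits

def needs_pat(changed_paths):
    """True when the update would modify workflow files, so the push
    needs a token that carries workflows permission."""
    return bool(touched_workflows(changed_paths))

# Log lines copied from the failed run quoted in the thread.
SAMPLE_LOG = """\
/usr/bin/git push --force-with-lease origin create-pull-request/patch:refs/heads/create-pull-request/patch
To https://github.com/iterative/dvcx-server
 ! [remote rejected] create-pull-request/patch -> create-pull-request/patch (refusing to allow a GitHub App to create or update workflow `.github/workflows/tests.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/iterative/dvcx-server'
"""

# Constructed sample of paths, as `git diff --name-only` might list them.
SAMPLE_CHANGES = ["./.github/workflows/tests.yml", "src/app.py", ".github/dependabot.yml"]

if __name__ == "__main__":
    for r in parse_workflow_rejections(SAMPLE_LOG):
        print(f"{r['credential']} rejected on {r['path']}: needs `{r['needed']}`")
    print("PAT required:", needs_pat(SAMPLE_CHANGES))
```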