Why is the token needed?

[najamelan]

Hi, thanks for creating this. I am wondering why this needs a github token. I was looking for something that would use a checkout action and run the mdbook build with plugins. AFAICT this does not deploy eg. to github pages. Hence, it's a bit strange for me that it wants a token and goes looking through older releases of the project.

[jontze]

Hey @najamelan, thanks for your input and your question regarding the github token.

First, the reason why this action checks older releases of a project is to give users the possibility to use a specific version of a plugin and not only the latest. That's why the action fetches all releases of a mdbook plugin and then searches for the matching release comparing the release number with the user provided semver string (see Advanced Setup ).

The github token is mainly requested to eliminate the risk of potential rate limits. If you send unauthorized requests to the github api there is a rate limit of 60 requests per hour. You can check this with curl -I https://api.github.com/jontze/action-mdbook and in the response header you will see the x-ratelimit-* parameters. But if we authenticate us to the api with the github token of an github workflow the limit will be increased to 1.000 (https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-github-actions).

However, the action actually doesn't send more than 60 requests. But if you activate all currently supported plugins there are between between 10-20 requests submitted to the github api. Therefore this could lead quickly to a rate limit if these requests would be unauthorized and the user would use the action in multiple jobs of a workflow. I'm actually not quire sure if the rate limit will reset if the whole workflow or a single job of a workflow will be restarted.

Additionally I'm currently using the @actions/github lib (which requires the token) to consume the rest api as the client from these lib:

Returns an authenticated Octokit client that follows the machine proxy settings and correctly sets GHES base urls. See https://octokit.github.io/rest.js for the API.Returns an authenticated Octokit client that follows the machine proxy settings and correctly sets GHES base urls. See https://octokit.github.io/rest.js for the API.

Source: https://github.com/actions/toolkit/tree/main/packages/github

But I'm open to remove the github token from the action. The main reason to keep it, is probably the rate limit of 60 requests per hour which we could reach quickly in the "worst case" (=all plugins enabled with version string and multiple jobs in a workflow that use the action). If we add support for more plugins in the future, this could get a problem even quicker.

[najamelan]

Thanks a lot for clarifying. Is that because the action can be used on a third party host, or do the rate limits also apply on githubs own CI servers?

In the mean time I have managed to get my workflow running with plugins by running the docker image from Michael-F-Bryan and adapting the gitlab instructions from the mdbook-linkcheck plugin readme to github: https://github.com/thespis-rs/thespis_guide/blob/dev/.github/workflows/gh-pages.yml

[jontze]

Thanks a lot for clarifying. Is that because the action can be used on a third party host, or do the rate limits also apply on githubs own CI servers?

The rate limit sadly also applies on githubs own CI server. I just tested this with the above mentioned curl command in a workflow.

The docker image approach is as well a nice solution to get the plugins running! :smile:

Btw, regarding the link to your workflow: You don't have to create manually a new github token to use the peaceiris/actions-gh-pages action. You can just use the secrets.GITHUB_TOKEN that is automatically generated for each CI run from github. This token will be revoked after the CI run,so it's only valid during the workflow run.

[najamelan]

GITHUB_TOKEN

Thanks. That's a great tip for QOL.

I will close the issue as I think it's clarified now.

[jontze]

Your welcome! I'm looking into thespis-rs/thespis. An interesting project!

[najamelan]

Thanks, working hard on it. The guide level docs are the most up to date. I have to re-write the readme on the main repo.