rancher / highlander


Deprecate unapproved GHA used in workflows #89

Closed alexander-demicev closed 4 months ago

alexander-demicev commented 4 months ago

Soon only approved GHA will be allowed to be used in our workflows. We have some GHAs which are not approved and don't fit the criteria to be approved:

EKS/AKS/GKE Operators:

https://github.com/rancher/aks-operator/blob/archive/.github/workflows/apidiff.yaml#L14
https://github.com/rancher/aks-operator/blob/archive/.github/workflows/e2e.yaml#L75
https://github.com/rancher-sandbox/highlander-reusable-workflows/blob/main/.github/workflows/update-rancher-charts.yaml#L71

GKE:

https://github.com/rancher/gke-operator/blob/main/.github/workflows/update-rancher-charts.yaml#L59

Turtles:

https://github.com/rancher/turtles/blob/main/.github/workflows/dependabot.yml#L30
https://github.com/rancher/turtles/blob/main/.github/workflows/nightly-test-release.yaml#L120
https://github.com/rancher/turtles/blob/main/.github/workflows/nightly-test-release.yaml#L158
https://github.com/rancher/turtles/blob/main/.github/workflows/pr-md-link-check.yaml#L18
https://github.com/rancher/turtles/blob/main/.github/workflows/pr_size_labeler.yml#L12
https://github.com/rancher/turtles/blob/main/.github/workflows/pr_type.yaml#L12
https://github.com/rancher/turtles/blob/main/.github/workflows/test_chart.yaml#L59

We need to deprecate these by replacing them with bash scripts or creating an alternative in https://github.com/rancher-sandbox/highlander-reusable-workflows/
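One way to find the `uses:` references that still need replacing, as an added example that is not part of the original thread or any Rancher repository. The approved-owner list, the sample workflow and the `example-org` action name are assumptions constructed for illustration.

```shell
# Assumption: this approved list is constructed for the example; substitute the
# real one. One glob per line, matched against owner/repo.
APPROVED='actions/*
rancher/*
rancher-sandbox/*'
# Constructed sample workflow. "example-org/..." is a placeholder action name.
SAMPLE_WORKFLOW='jobs:
  check:
    steps:
      - uses: actions/checkout@v4
      - uses: "example-org/pr-size-labeler@v1"  # third-party action
      - uses: ./.github/actions/setup
      - uses: docker://alpine:3.20
      # - uses: example-org/commented-out@v1
  charts:
    uses: rancher-sandbox/highlander-reusable-workflows/.github/workflows/update-rancher-charts.yaml@main
'
# list_uses: read workflow YAML on stdin and print every external "uses:"
# target once, reduced to owner/repo. Step-level and job-level (reusable
# workflow) references are both covered; local ./ actions are skipped.
list_uses() {
  tr -d "\"'" | awk '
    match($0, /^[ \t]*(-[ \t]+)?uses:[ \t]*/) {
      ref = substr($0, RLENGTH + 1)
      sub(/[ \t]+#.*$/, "", ref)            # drop a trailing YAML comment
      sub(/[ \t]+$/, "", ref)
      if (ref == "" || ref ~ /^\.\//) next  # local action in this repository
      if (ref !~ /^docker:\/\//) {          # docker:// refs are kept whole
        sub(/@.*$/, "", ref)                # drop the tag, branch or SHA
        n = split(ref, p, "/")
        if (n >= 2) ref = p[1] "/" p[2]     # drop any sub-path
      }
      print ref
    }' | sort -u
}
# unapproved_actions: print the targets from stdin that match no APPROVED glob.
unapproved_actions() {
  list_uses | while IFS= read -r ref; do
    ok=no
    while IFS= read -r pat; do
      case "$ref" in $pat) ok=yes ;; esac
    done <<EOF
$APPROVED
EOF
    [ "$ok" = yes ] || printf '%s\n' "$ref"
  done
}
# In a repository: cat .github/workflows/*.y*ml | unapproved_actions
printf '%s' "$SAMPLE_WORKFLOW" | unapproved_actions
```

Run as a CI step, a non-empty result from `unapproved_actions` can be used to fail the job.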

yiannistri commented 4 months ago

In order to create PRs we can use either the gh CLI (which should be installed by default on the runner) or the actions/github-script@v7 GHA:

- name: cli
  run: gh pr create -B main -H new-feature --title 'New feature' --body 'Created by Github action'
  env:
    GITHUB_TOKEN: ${{ secrets.CUSTOM_TOKEN }}

vs

- name: action
  uses: actions/github-script@v7
  with:
    github-token: ${{ secrets.CUSTOM_TOKEN }}
    script: |
      // Await the API call so that a failed PR creation fails the step.
      await github.rest.pulls.create({
        owner: context.repo.owner,
        repo: context.repo.repo,
        head: 'new-feature',
        base: 'main',
        title: 'New feature',
        body: 'Created by Github action'
      })

Thoughts / preferences @alexander-demicev ? My preference would be for the latter (script) unless we want to invoke it via a Makefile target instead.

alexander-demicev commented 4 months ago

@yiannistri Yes, we can use the script action

Danil-Grigorev commented 4 months ago

From the turtles side, this is also needed: https://github.com/rancher/turtles-docs/issues/94