Open KyleFromNVIDIA opened 4 months ago
Can we make the docs build into a separate CI job, and end with calling rapids-upload-docs? Try to mirror this script: https://github.com/rapidsai/cudf/blob/branch-24.06/ci/build_docs.sh Then we'll be able to preview the docs as CI artifacts.
Can we make the docs build into a separate CI job, and end with calling rapids-upload-docs? Try to mirror this script: https://github.com/rapidsai/cudf/blob/branch-24.06/ci/build_docs.sh
rapids-upload-docs
Then we'll be able to preview the docs as CI artifacts.
There's a few things to be aware of here.
rapids-upload-docs requires AWS credentials to upload to S3.
We use this OIDC action to obtain temporary AWS credentials https://github.com/aws-actions/configure-aws-credentials/.
That action requires that the id-token permission on the calling workflow be set to write.
id-token
write
However, when using the pull_request event to trigger workflows from forks, that permission can only ever have a maximum permission of read: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token.
pull_request
read
Therefore if you want to set id-token: write, you'll need to either move away from using forked PRs (e.g. open PRs from branches within the source repository) or switch to copy-pr-bot, which is how we get away with it in other RAPIDS libraries.
id-token: write
copy-pr-bot
There's a few things to be aware of here.
rapids-upload-docsrequires AWS credentials to upload to S3.We use this OIDC action to obtain temporary AWS credentials https://github.com/aws-actions/configure-aws-credentials/.
That action requires that the
id-tokenpermission on the calling workflow be set towrite.However, when using the
pull_requestevent to trigger workflows from forks, that permission can only ever have a maximum permission ofread: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token.Therefore if you want to set
id-token: write, you'll need to either move away from using forked PRs (e.g. open PRs from branches within the source repository) or switch tocopy-pr-bot, which is how we get away with it in other RAPIDS libraries.