-
Notifications
You must be signed in to change notification settings - Fork 20
GitHub Actions
In case of third-party GitHub Actions (not the official actions/...) use commit hash instead of tag names. This way the author cannot change the behaviour unnoticed and it can be reviewed before usage.
uses: maxheld83/ghpages@68f783a4f5313d776c1599e18479607e71c9c738 # v0.3.0Or fork the repository to have control over the tags. (src)
Personal access token grants access to all of your repository. Consider using deploy key for Git operations or PAT of a new machine user (bot) for API calls. You can try the new fine-grained personal access token (beta) if applicable.
By default GitHub Actions have a GITHUB_TOKEN with write permission to the repo (code, issues, PRs, etc.). (source)
- if possible, limit to read-only
contentsandmetadataaccess in repo settings: guide - if not, set per workflow and per job permissions
- limit the workflow to have only
readaccess tocontentsby default (example)permissions: contents: read
- add extra permissions to jobs needing them
permissionskey syntax
- limit the workflow to have only
If running on master branch, overwrite the content of gh-pages branch with the current out folder.
https://github.com/JamesIves/github-pages-deploy-action
- name: Deploy 🚀
uses: JamesIves/github-pages-deploy-action@ba1486788b0490a235422264426c45848eac35c6 # v4.4.1
with:
branch: gh-pages
folder: out
single-commit: true
if: github.event_name == 'push' && github.ref == 'refs/heads/master'Notes:
- You have to grant write permission to GitHub Actions. Go to repository settings:
Settings/Actions/Generaland setWorkflow permissionstoRead and write permissions. - GitHub Pages in the "Deploy from a branch" setting seems to use the person activated GH Pages as author for the deployment.
- If this person loses access, turn off and on GH Pages by deleting
gh-pagesbranch then push to the branch and configure Pages settings as previously. (Or try Build and deployment source: GitHub Actions.)
- If this person loses access, turn off and on GH Pages by deleting
- GitHub Pages action
- Add & Commit
- Git Auto Commit
- Replace maxheld83/ghpages@v0.3.0 action as it is failing with "fatal: not in a git directory" error.
if: github.event_name == 'push' && github.ref == 'refs/heads/master'(source)
https://github.com/nektos/act
(not tested)
Official manual suggests avoiding USER instruction in Dockerfile and run as root inside the container to access /github/workspace folder.
When using jobs.<job_id>.container
you can set options: --user 1001 like in the following example
(cf. 1,
2,
3).
container:
image: {hub-user}/{repo}:{tag}
options: --user rootWhen using uses: docker://{hub-user}/{repo}:{tag}
a workaround could be changing permissions first, then restoring them:
- name: Change permissions for Docker image
run: sudo chown -R 1000:100 .
- name: Run notebook
uses: docker://jupyter/scipy-notebook
with:
entrypoint: /bin/bash
args: -c "jupyter nbconvert --execute --to notebook notebook.ipynb"
- name: Restore permissions
run: sudo chown -R $(id -u):$(id -g) .Possible solutions:
- https://github.com/marketplace/actions/debugging-with-tmate (worked)
- https://github.com/peter-evans/create-pull-request/blob/0fd77ba8cc62a99a51b9c5596ca941a84442bd41/docs/examples.md#debugging-github-actions (untested)
Possible (untested) solutions:
- how to authenticate: here
- https://gh.neting.ccmunity/t/github-workflow-trigger-from-another-repository/17461
- http://blog.marcnuri.com/triggering-github-actions-across-different-repositories/
- https://github.com/peter-evans/create-pull-request/blob/0fd77ba8cc62a99a51b9c5596ca941a84442bd41/docs/examples.md#call-the-github-api-from-another-github-actions-workflow
Try out these:
- log disk space left: https://github.com/actions/virtual-environments/issues/1860#issuecomment-712957915
- build.yml step: https://github.com/actions/virtual-environments/issues/709#issuecomment-615370473
- partial lists:
- relevant issue: https://github.com/actions/virtual-environments/issues/709