Use a PR for Release Commits #521
Thanks a lot @blink1073 this is a nice improvement; the new token required will indeed be far better.
Hmm in that case maybe we should keep using the bots, so the PRs are opened from the bot account, so it's more "neutral"? Otherwise it would be a bit strange if the GitHub account used for opening the PR does not correspond to the person doing the release.
Otherwise a maintainer who wants to make a new release would have to go to the repository settings and put their token. Then after the release remove the secret. The next maintainer would also have to use their token to make a release. The downside is that this adds a couple more clicks and burden for making a release, but should help associate the PR with the maintainer doing the release.
Or maybe the workflow dispatch could take the user token as input as a mandatory field. Although not sure this can be done securely without potentially leaking the token.
That could be up to the project. Personally, I don't think it would be worth it, since the commits are still in the workflow runner's username.
👍
This commit has the docs and example updates:
Thanks @blink1073
Thanks!
@fcollonval @jtpio I have an idea: instead of using the personal access token, we can add an option to
This would also be useful to trigger CI after Playwright snapshots updates: jupyterlab/jupyterlab#13505
Yeah I like that idea. The alternative would be to add a PAT to the workflow, but I don't think we want to start doing that in general, because it would be easy to introduce a security hole.
Now that the PR bot can close/reopen, the next step is to add that as an option, and make the comment if it is given, and update the instructions accordingly.
I think this actually conflicts with the ability to have silent releases, since we'd have to have a PR instead of a push. New idea: use the user's To handle forwardport and silent changelog PRs, we add an option to make the PR comment to toggle the PR.
Fixes #505
ADMIN_GITHUB_TOKEN