/ok-to-test should trigger GitHub Actions to run
#3057
Comments
|
There is an API for this. https://docs.github.com/en/rest/reference/actions#approve-a-workflow-run-for-a-fork-pull-request |
|
I think this could be accomplished by a new GitHub action that checks for the addition of the ok-to-test tag and copy the action to the necessary repos via knobots rather that relying on Prow for this |
|
/assign |
|
I'm making good progress on this here but I've hit a roadblock because at every attempt to approve I get the following message {"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/rest/reference/actions#approve-a-workflow-run-for-a-fork-pull-request"}I think it's possible that the token in my fork doesn't have the appropriate permissions but the one used in the actual knative project would work. Should I create it on a repo to try it out @dprotaso @upodroid ? |
|
For security reasons, the token available for the PR from the fork is read-only to avoid bad actors making changes. https://gh.neting.ccmunity/t/token-permissions-for-forks-once-again/16468/5 You'll need to wrap it around a prow job with a privileged github oauth token. |
|
@upodroid the post you linked is very informative but also suggests using an |
|
I'm fine with either. Try |
|
Since this is a prow command wouldn't prow have the authority/token to approve the GitHub actions to run? |
|
It definitely should be possible to do it in Prow but the GitHub actions approach seemed easier to implement for me |
But now we have to worry about propagating this action everywhere we want to use this feature. I think it's just simpler to maintain this across many repos if it's a prow plugin vs. a GitHub action |
|
That's fair, I'm not sure if a Prow job would do, seems a bit easier than making a plugin. Mind if I try that option first @dprotaso ? |
|
Consensus in the productivity WG meeting is to open an issue in upstream Prow and have Prow take care of approving the GitHub workflow runs, let's explore that first @dprotaso I'm opening the issue so we can have the Prow folks input |
|
Sounds good. To clarify I wasn't suggesting a job but it being part of the plugin. The same way that you implemented |
|
It also looks like the approval needs to occur any time there's a new change (ie. pushed a commit) on the PR. |
|
We discussed this issue in Productivity WG meeting and we came to the consensus that the |
That's a bit worrying because we would have to make at least one GitHub API call for every commit for every user unless somehow Prow or GitHub actions has some context on who is a new contributor, then we could approve runs only for those users. If that's not an option we should be aware of the GitHub token usage related to #2962 |
|
upstream issue: kubernetes/test-infra#25210 |
|
This issue is stale because it has been open for 90 days with no |
github-actions
bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
knative-prow
bot
removed
the
lifecycle/stale
upodroid
added
priority/important-soon
|
This issue is stale because it has been open for 90 days with no |
github-actions
bot
added
the
lifecycle/stale
|
/lifecycle-frozen |
github-actions
bot
removed
the
lifecycle/stale
|
This issue is stale because it has been open for 90 days with no |
github-actions
bot
added
the
lifecycle/stale
|
/lifecycle frozen |
knative-prow
bot
added
lifecycle/frozen
For non-members GitHub Actions don't run. They need approval from a member or maybe admin https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks
Similarly prow gates running prow jobs for non-members until an
/ok-to-testcomment that adds anok-to-testlabel.It would be great when we comment
/ok-to-testit also approves the GitHub Actions workflows to runcc @shinigambit @kvmware
The text was updated successfully, but these errors were encountered: