Workflows: Use Gutenberg token for version bump, changelog commits #30212
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I like this plan :P |
youknowriad
approved these changes
Mar 24, 2021
|
Size Change: 0 B Total Size: 1.41 MB ℹ️ View Unchanged
|
|
It failed again, with a similar error 😭 : https://github.com/WordPress/gutenberg/runs/2188123299?check_suite_focus=true
Note that it now says
rather than
|
|
I'll try bumping the |
|
Seems to have worked! 🎉 https://github.com/WordPress/gutenberg/runs/2188220126?check_suite_focus=true |
|
Nice, awesome work @ockham. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
When @gziolo attempted running the release workflow to create the 10.3.0 RC earlier today, the workflow errored:
After a short discussion in #core-editor, @youknowriad, Grzegorz, and I concluded that the problem is probably that we're protecting
trunkagainst direct pushes from anyone, except for members of thegutenberg-coreteam. (I probably didn't catch this error while developing the new workflow (#28138) since I was testing it in my personal fork, where I didn't have branch protection fortrunkenabled.)In our GitHub Actions (GHA) workflows however, we're using the default
GITHUB_TOKENprovided by GitHub for some default permissions for a given repository. Those permissions do not include pushing to a protected branch. In fact, there are a number of github.community threads (e.g.) asking for that behavior to be allowed -- so far to no avail. The suggested workaround is to create a Personal Access Token for a user that has those permissions, store it in a (repository-level) secret, and use that in GHA workflows in order to vest them with those permissions.Since we don't want to couple that Personal Access Token (PAT) with any one individual, I've created a new GitHub user account , added it to the
WordPress/gutenbergrepo, added it to the list of users and teams that are allowed to push totrunk, and created a new PAT that we can use in our workflows.I've then created a repository-level secret called
GUTENBERG_TOKEN, and set it to that PAT.The final step is then to use this token in any of our GHA jobs that attempt to push to
trunk. It should be sufficient to pass them astokenargument to theactions/checkoutaction, since it's then persisted it the local git config (and used for allgitcommands run by the job 🤞 ), and only destroyed after the job ends.How has this been tested?
We could test this by running it in a fork again, this time enabling branch protection for
trunk. Furthermore, we'd need to add an repository-level secret calledGUTENBERG_TOKENthat contains a Personal Access Token.Or maybe we'll just merge this, delete the
release/10.3branch, and try kicking off the release process again 😬 Worst thing that happens is that we create anotherrelease/10.3branch with another version bump commit before the workflow chokes 🤷♂️