Sync Translations workflow: run checks without manual open/close #15887
Agreed with the general analysis. Using a machine account set as collaborator here with a PAT from that account seems like the right balance of cost vs security vs functionality. I'll set one up.
From the docs, you may provide a token like so: https://github.com/marketplace/actions/github-script#using-a-separate-github-token I have done this in this direct commit to main (forgive me, but...there's literally no way to really test this stuff other than YOLO+carefully-watch-next-run) --> 34a0a8a
The combination of all of the above should mean that the PR creation attempt is made as this machine account, and since that machine account has repo write access the PR creation should succeed. Then, since it is not the default github token, checks should run. Verification will be watching the next i18n translation sync to see if the checks just run.
(note I have a little sub-thread I'm reading through where the
Indeed, I believe the git push case with PR already existing would have been unable to re-run checks. You may specify a I just committed a secondary change that switches all git interaction to use the PAT and disables all permissions for the default token --> 89ae15f
Initial PR creation worked on a run just now https://github.com/ankidroid/Anki-Android/actions/runs/11106884150/job/30856202415 This validates that git interaction via the PAT was also successful, as the push to the branch would have failed if the token was not working. And what luck, it requires repair, so I will immediately be able to test the "push only, no PR creation" case ;-)
The push-only case works. We're done here, enough of this open/close faffery on that PR. Wish I had paid attention to this earlier and taken advantage of the new (to me) knowledge that the issue was default github token not triggering workflows 🫡
We need to decide on a path, then implement it.
I suspect a machine account is the way to go
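A workflow sketch of the setup the comments above describe, written as an added example and not taken from the AnkiDroid repository: the default token has all permissions removed, and both the git push and the PR creation run as the machine account. The secret name `MACHINE_ACCOUNT_PAT`, the branch `i18n_sync`, the script `./sync-translations.sh` and the committer identity are hypothetical.

```yaml
# Added example, not the project's workflow. Items marked "hypothetical" are assumptions.
name: Sync Translations (example)

on:
  workflow_dispatch:

# Remove every permission from the default GITHUB_TOKEN. Pushes and PRs made
# with that token do not trigger other workflows, so nothing here relies on it.
permissions: {}

jobs:
  sync:
    runs-on: ubuntu-latest
    env:
      BRANCH: i18n_sync                               # hypothetical branch name
    steps:
      - uses: actions/checkout@v4
        with:
          # checkout stores this token for later git commands in the job, so the
          # push below is authenticated as the machine account.
          token: ${{ secrets.MACHINE_ACCOUNT_PAT }}   # hypothetical secret name

      - name: Commit and push translation changes
        run: |
          git config user.name "machine-account"      # hypothetical identity
          git config user.email "machine-account@users.noreply.github.com"
          git checkout -B "$BRANCH"
          ./sync-translations.sh                      # hypothetical sync script
          git add -A
          git diff --cached --quiet || git commit -m "Updated strings"
          # Push-only case: with a PR already open, this push made with the PAT
          # is what lets the PR checks run again.
          git push --force origin "$BRANCH"

      - name: Open the PR if none exists
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
          script: |
            const { owner, repo } = context.repo;
            const head = `${owner}:${process.env.BRANCH}`;
            const open = await github.rest.pulls.list({ owner, repo, head, state: 'open' });
            if (open.data.length === 0) {
              await github.rest.pulls.create({
                owner, repo, head: process.env.BRANCH, base: 'main',
                title: 'Updated strings',
              });
            }
```

Because the PAT carries the machine account's repo write access, restrict it to this one repository and store it only as an Actions secret.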