Give release action permissions to push to main #251
Conversation
Suspected binary incompatible evictions across all projects (summary)
See individual evictions stages for more detail
eef42f3 to 8882728
8882728 to a1df1f9
50370de to 137fd2f
137fd2f to a67ae68
Very nice! 🙌
Would it be safe to store this private key as an organisation GHA secret? That way we can let more repos use it as needed, but maybe it's safer to have different keys for different repos or even different workflows.
This reverts commit 0ad415f.
@agnesgaroux Good idea, the key is now an organisation secret
What does this change?
Gives the `release` GitHub action the necessary permissions to push changes directly into main. This is done by configuring the `release` action to assume the role of the Wellcome Collection GitHub app when pushing changes to main. The implementation involves creating a token from the app's private key and follows official GitHub documentation. Separately, the Wellcome Collection GitHub app was given the necessary permissions to bypass the requires-review rule.
How to test
I tested this change by temporarily removing the part of the workflow which publishes to Sonatype and running the GitHub action from this branch, which resulted in a successful push to main (see here), which I subsequently reverted.
How can we measure success?
The `release` action runs successfully.
Have we considered potential risks?
Giving the GitHub action full repo access comes with security risks. However, the original Buildkite pipeline was using a similar setup, so this should not introduce any new risks.
I have considered alternative release setups which do not involve pushing directly into main, but these setups have significant limitations (see here) and are not viable alternatives.
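As an added illustration of the mechanism the description above relies on (this is example code, not the project's own workflow, which the page does not show), here is a GitHub Actions job that exchanges a GitHub App's private key for a short-lived installation token and pushes to main with it. The secret names, the bot identity, the job and step names and the release command are assumptions; the action inputs are the ones documented for actions/create-github-app-token at the time of writing, so check the action's README for the version you pin.

```yaml
# Added example, not the project's workflow. Assumed names: the organisation
# secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY, the bot login used for
# the git identity, and ./release.sh as the step that commits the version bump.
name: release

on:
  push:
    branches: [main]

# The job's own GITHUB_TOKEN is kept read-only: it cannot push past a
# requires-review rule anyway, and the app token below does the pushing.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # Mint an installation token from the app's private key. The token is
      # limited to the repositories listed here and expires after one hour,
      # so the long-lived private key never touches git or the checkout.
      - name: Create app token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}

      # Check out with the app token so pushes are made as the app, which is
      # the identity that was granted the bypass on the requires-review rule.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0   # full history so release tooling can see existing tags

      - name: Configure git identity for the app
        run: |
          # Assumed bot login; the real app's "<login>[bot]" name goes here.
          git config user.name "release-app[bot]"
          git config user.email "release-app[bot]@users.noreply.github.com"

      - name: Commit the release and push to main
        run: |
          ./release.sh                 # assumed: bumps the version and commits it
          git push origin HEAD:main    # authenticated with the app token from checkout
```

Two properties make this narrower than handing the workflow a long-lived credential: the installation token is scoped to the repositories named in `repositories` and to the app's own permissions, and it expires on its own, so a leaked job log exposes at most an hour of access. The private key remains the high-value secret; when it is stored as an organisation secret, the secret's repository access policy should be limited to the repositories that actually run this workflow.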