New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable more automated workflows by allowing publishing from the workflow_dispatch
trigger
#7177
Comments
One solution could be for pub to also allow
|
@spydon: I am not that familiar with the workflow internals. Is there a document that describes what the users are doing and what the system is doing in such case? |
@isoos So It can also be connected to a tag, so the rest of the server-side checks on your side should still be the same as they are for |
I'm more interested in what kind of problem it solves. I remember @jonasfj doing interesting things with workflows+tagging+approvals, and I don't know how this related. |
Ah sorry, maybe I didn't clarify that properly in the initial post. What I'm building in the melos-action is so that people can set up the following flow for their monorepos:
So it really is just an unfortunate combination of the rule from GitHub and the one from pub.dev that blocks this flow, but by allowing |
I've seen people use git tagging and |
If you do that from a GitHub workflow it can't trigger another action, so you can only do that locally. |
@isoos to clarify in case it wasn't clear, when you run |
push
@isoos I found a TODO from you about possibly allowing for more event types 😄 I can implement the PR so that you can see what it would look like with |
You can use a GCP service account instead. Ideally, not be exporting the service-account keys, but by running on Google Cloud Build or by using Workload Identity Federation to allow your Github JWTs to be used to obtain permission to impersonate the GCP service account. This is obviously, quite complicated -- just saying it's possible 🙈 On topic we do have concerns, there are reasons we did it the way we did. Some of these concerns include:
I think (3) is really nice. I don't know if (1) could be solved by other means -- maybe, but it's definitely a concern that if we make publishing too easy, someone will publish on every commit. I think (2) is a really be concern though. I'd be very curious is hear what kind of workflow you envision? What are the kind of tasks people would use melos for? What are the steps in each scenario? |
Isn't this kind of strange, that you allow this to be done through one service, but not another?
That is the good thing with
Melos tags all packages when it creates versions, the problem is that when these tags are created within a pipeline another action is not allowed to be triggered by those tags (https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow).
The simplest flow would be this:
Number 1 here can be changed to for example writing "Trigger release" or something like that in a previous PR description, but a user will still have the manual step of reviewing the PR with the release in it, which I guess could be compared with the manual intervention of creating a tag today. |
What do you think @jonasfj, does it make sense? :) |
push
push
I have now run into this problem. This is essentially preventing me from making a single trigger workflow that
Because pub.dev only allows This makes the setup much more complicated than it could be, and also much less reusable. Each repository where I want this I now have to copy both workflows and setup a new key and secret everytime. This is essentially a combination of all well meant security measures, but they are making my CD very difficult right now. |
@spydon, the idea being that with
As outlined by @clragon in #7177 (comment) I don't think that's a bad idea. Off the top of my head I don't think have any objections to enabling Though we might need to investigate further exactly who can trigger a I'm a little bit conservative about opening up features like this, because they are really hard to remove once we ship them. And currently focus is somewhere else. Ideally, I'd want a Using the flow above, you'll end up with git commits in the tag, that have not necessarily be landed on Note: I'm not saying we shouldn't do this. Just we should make sure it what we really want. And that it's the right flow. And that maybe it's not super urgent, because we have workaround for people who want really complicated automation. Crazy idea What about creating a release preparation workflow, to be triggered with
In the pull-request comment it could include a link as follows:
Then all a human has to do is:
Another variant of this could be to make the release preparation workflow create a "draft release". Again, you'd have to open it and click "Publish release", but everything else can be automated. Just an idea. It also really depends on what flow you have. |
It will be the same people as can create releases today by creating tags, so what tooling etc would need to be written for this?
Makes sense, I think this is quite an important feature though.
There is no problem creating tags from GitHub actions when a PR is closed, that is exactly what will be done with the melos action once
No, the tags are created automatically upon merge of the release PR.
The workflow will be even simpler than that:
|
So "another workflow" will publish to By merging the pull-request? Because that would imply publishing from a And publishing from push to
Agreed, but the big feature with automated publishing is that you don't need credentials on your laptop or long-lived credentials in environment variables on Github Actions. |
You can trigger
Understandable, I think since it is a bit complicated to build these workflows manually I think that most people will rely on pre-made actions like ours that sets this up for them and thus avoiding the footguns. It could even be undocumented that
I think since virtually every other big language ecosystem supports this I think we would have heard of a lot these problems before if it would result in a big problem. 🙂 |
Undocumented ways to publish things sounds a lot like a future security vulnerability 🙈 I suspect that it would have to be opt-in, with a checkbox on the "admin page" for each event that should be allowed to publish. Or maybe a radio button is better, no need to allow publishing from multiple events. But I can see an argument for not being too worried about Overall, I like the idea of allowing There is still an open question around how provenance will look for such workflows. |
This is not a full design, let's reach consensus on what the right thing to do is before we start adding new settings. |
Agree, I was grasping for straws to get this in. 😅
I would just allow it by default after enabling publishing from GitHub actions, I don't see how a logged in user with admin rights can be a security threat, because I guess that is your thinking? If we go with opt-in, I would make them checkboxes and not radio buttons, because you might want to both push tags manually and press a button in the UI at the same time. |
@jonasfj any thoughts on not having any checkboxes at all? 😃 |
You don't need an extra commit, you just need to push the tag. Or create the tag through the releases UI on github. Which can be done from an easy link, as outlined in "crazy idea" in #7177 (comment) I actually suspect it might be worth prototyping something like that. |
Then you have to manually create tags in the UI, as I explained here you can't trigger workflows from a tag created in another workflow. And to create each tag manually in the UI is even more effort than creating them from the terminal. What I'm building is specifically for monorepos which are the ones that need this the most, so in the case of Flame for example you'd have to click ~30 links if you'd follow the structure in your "crazy idea" plan. Or for flutterfire for example I suspect it would be up to 50 links. I don't understand what is blocking you from just having |
Here's an example of how such a PR could look like: |
Non-trivial changes generally trigger a formal launch process, which in-turn means that:
Once I get to actually push the buttons, some of these can be trivial. Not all features involve storing new user-data. And many changes don't have security implications. This change has a non-trivial probability of having both security and privacy implications. While this can take time, it's perhaps a good thing that we don't tweak authorization without having a fully conceived strategy. Right now, I don't think there is bandwidth for driving the process. I have other stuff cooking, but figuring out what other triggers we should consider, and what the limitations of those might be, could get us a lot closer to a design doc. So far I'm sort of reaching the conclusion that a lot of use-cases could be covered by So maybe we'll want to:
At-least that'd facilitate a lot of the use-cases here.
I suspect it would be risky, given the two reasons below (a), and (b). (a) New authorization mechanisms have to be opt-in If someone read the documentation (http://dart.dev/go/automated-publishing) and enabled automated publishing, they may have a release process with security that relies on the documented properties. If we change the authorization model to allow new ways of publishing, then they may unwittingly have security vulnerabilities. When it comes to authorization, I think it might be bad to allow something that wasn't allowed before. Without explicitly having people opt-in to this new "feature". We didn't enable automated publishing from Github without opt-in. I doubt we can extend it without making this an opt-in feature either. (b) You should only allow the required event types Regardless, if whether you opt-in or not. I think that if you are only using Because if you are designing a publishing workflow, you should want to prevent anyone from your team from accidentally publishing around the workflow -- either manually or by pushing a tag.
Do you publish all these packages in lock-step? If so I'd be curious why. Why not make a single package? |
Thanks for the elaborate reply!
I agree, that should cover all use-cases I can think of.
That makes sense.
We can't know what types of processes the users have though, there might sometimes be a need for manual publishing, so I think that it should be possible to have all enabled if one wants to (i.e. checkboxes, not radio buttons).
Yes, the ones that have changes, they are published through
Because they are versioned differently and have different dependencies, a breaking change in one bridge package should not be regarded as a breaking change in all the packages for example. Usually Flame users depend on the core package and then possibly one or two of the bridge packages.
Is there a template for this? Maybe I could help out with this and it could be a collaborative effort in a google doc? :) |
push
workflow_dispatch
trigger
@jonasfj I wrote up a design doc for it: https://flutter.dev/go/pub-automated-publishing |
Thank you @spydon for your engagement. I just ran into this and found this issue, and wanted to give my two cents. I definitely think that there should be no limitation on what types of workflows should be allowed to publish - or at least allow for the configuration to include all available options. Having said that, I'll definitely take |
@jonasfj did you have a chance to look at the design doc yet? Are there any other people that should/could review it too? :) |
@jonasfj I know some firebase folks have had a look at the design doc now (since it would simplify the maintenance for flutterfire a lot), have you had a chance to have a look at it yet? @sigurdm @isoos any of you that could have a look at it too (it's quite short)? |
I understand the reasoning here, but this also makes it impossible to do fully automated publishing since a tag that is created by another workflow isn't allowed to trigger other workflows. So with this restriction from pub.dev in place the publishing will always need manual intervention from the command-line/IDE, since a user has to push a tag manually to trigger the workflow.
What we would like is to trigger the workflow that publishes the new versions from another workflow by using the
workflow_dispatch
trigger (currently onlypush
is allowed).The simplest flow for our use-case would be this:
For context this will for example be used by the melos-action that should semi-automate (PRs are still used) the whole publishing flow in monorepos, or any repositories using melos.
Design doc: https://flutter.dev/go/pub-automated-publishing
The text was updated successfully, but these errors were encountered: