Files
flutter/.github/workflows/easy-cp.yml
Xilai Zhang 23c08bf08f [github actions] FINALLY fix the mysterious token error in github actions (#142058)
This should finally (with high confidence) fix https://github.com/flutter/flutter/issues/141980, the mysterious error where git push sometimes fails.

**Root cause**:
When a pull request merges onto flutter's master branch, it is actually a merge from a branch on a flutter contributor's repository to flutter's repository. Therefore, the [actor](https://stackoverflow.com/questions/58737785/github-actions-empty-env-secrets) of the pull request event is the user that opened the pull request. And this actor would not have write access to the repo and therefore the repo secret resolves to empty.

Therefore [running your pull_request workflow when a pull request merges](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges) doesn't work because even though we are not running our workflows on a forked repository, the **actor** of the pull_request event comes from a forked repository, and secrets are not passed to this actor.

The correct way is using the [pull_request_target](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) event instead of the pull_request event. In workflows triggered by this event, GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified, and the workflow **can** access secrets, even when the actor of the workflow trigger comes from a fork.
Note that workflows of this event run in the context of the base commit and not the merge commit. But this doesn't matter for our use case since we are good with using the actions file from the base commit in the pull request event.

**Tested**:
I was finally able to reproduce the error by:
1. create a pull request under the username of a different user other than the repository owner
2. merge and label the pull request, and use the token of this different user, but use it as repository secrets in the workflow
[reproduced error](https://github.com/XilaiZhang/miscellaneous-side-project/actions/runs/7619699924/job/20753210562)

Previously I wasn't able to reproduce this error on my personal repo because the actors in my tests are the same user.

Also tested on my personal repo, following the steps mentioned above, that using the pull_request_target event type fixes the error. [succeeded run](https://github.com/XilaiZhang/miscellaneous-side-project/actions/runs/7630017020/job/20784762242)

**The Debug Process**:
Spent quite a while looking at other things during debugging, but they turned out to be unrelated. Things that we experimented with are workflow conditions, ssh setup, git push url, manual trigger, workflow env, secret setup, and dependency on marketplace actions (actions/checkout and peter-evans/create-pullrequest).
2024-01-24 03:50:00 +00:00


```yaml
# Copyright 2023 The Flutter Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
name: Cherry-pick Labeled PR to Release Branch
on:
  pull_request_target:
    branches: master
    types: [labeled]
permissions: write-all
jobs:
  cherrypick_to_release:
    name: cherrypick_to_release
    runs-on: ubuntu-latest
    if: |
      (github.event.label.name == format('cp{0} beta', ':') || github.event.label.name == format('cp{0} stable', ':')) &&
      (github.event.pull_request.merged == true)
    steps:
      - name: Get Release Channel
        run: |
          echo "CHANNEL=$(echo ${{ github.event.label.name }} | cut -d ':' -f 2 | xargs)" >> $GITHUB_ENV
      - name: Get Release Candidate Branch
        run: |
          RELEASE_BRANCH=$(curl https://raw.githubusercontent.com/flutter/flutter/$CHANNEL/bin/internal/release-candidate-branch.version)
          echo "RELEASE_BRANCH=$(echo $RELEASE_BRANCH | tr -d '\n')" >> $GITHUB_ENV
      - name: Get Cherry Pick PR
        run: |
          echo "COMMIT_SHA=$(echo ${{ github.event.pull_request.merge_commit_sha }})" >> $GITHUB_ENV
      - name: Checkout Flutter Repo
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          repository: flutteractionsbot/flutter
          path: flutter
          ref: master
          persist-credentials: false
          # Checkout all history commits on master branch, so that the cp commit is a known object
          fetch-depth: 0
      # use same name when checking out branch, since the marketplace action does a hard reset.
      - name: Attempt CP
        id: attempt-cp
        working-directory: ./flutter
        run: |
          git config user.name "GitHub Actions Bot"
          git config user.email "<>"
          git remote add upstream https://github.com/flutter/flutter.git
          git fetch upstream $RELEASE_BRANCH
          git fetch upstream master
          git checkout -b cp-${CHANNEL}-${COMMIT_SHA} --track upstream/$RELEASE_BRANCH
          git cherry-pick $COMMIT_SHA
      # TODO(xilaizhang): remove this step once the template is available on release branches.
      - name: Get CP Template
        run: |
          curl -o PULL_REQUEST_CP_TEMPLATE.md https://raw.githubusercontent.com/flutter/flutter/master/.github/PR_TEMPLATE/PULL_REQUEST_CP_TEMPLATE.md
      - name: Create PR on CP success
        if: ${{ steps.attempt-cp.conclusion == 'success' }}
        working-directory: ./flutter
        run: |
          git push https://${{ env.GITHUB_TOKEN }}@github.com/flutteractionsbot/flutter cp-${CHANNEL}-${COMMIT_SHA}
          gh pr create --title "[CP-${CHANNEL}]${PR_TITLE}" --body-file ../PULL_REQUEST_CP_TEMPLATE.md --base ${RELEASE_BRANCH} --label "cp: review" --repo flutter/flutter --head flutteractionsbot:cp-${CHANNEL}-${COMMIT_SHA}
        env:
          GITHUB_TOKEN: ${{ secrets.FLUTTERACTIONSBOT_CP_TOKEN }}
          PR_TITLE: ${{ github.event.pull_request.title }}
      - name: Leave Comment on CP failure
        if: ${{ failure() && steps.attempt-cp.conclusion == 'failure' }}
        run: |
          FAILURE_MSG="Failed to create CP due to merge conflicts.<br>"
          FAILURE_MSG+="You will need to create the PR manually. See [the cherrypick wiki](https://github.com/flutter/flutter/wiki/Flutter-Cherrypick-Process) for more info."
          gh pr comment ${{ github.event.pull_request.number }} -R flutter/flutter -b "${FAILURE_MSG}"
        env:
          GITHUB_TOKEN: ${{ secrets.FLUTTERACTIONSBOT_CP_TOKEN }}
```
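An added example, not part of this commit or the Flutter repository: a small audit that scans workflow text for the pull_request_target pitfalls this workflow sidesteps (it pins the checkout to master with persist-credentials off and passes the PR title through env rather than into the shell) and flags the broad `permissions: write-all`, which the job never relies on because the push and `gh` calls use the bot's PAT. The `PINNED` excerpt is a constructed abridgement of the file above, and the indentation-based `run:` scanner is an assumption adequate for this shape of YAML, not a full YAML parser.

```python
import re
# PR fields an outside contributor controls; splicing them into a run: script
# under pull_request_target is a script-injection path (this page's flow uses env).
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.pull_request\.(title|body|head\.ref)\s*\}\}")

# Constructed excerpt in the shape of this page's workflow: privileged trigger and
# token, but checkout pinned to master and the PR title passed through env.
PINNED = """\
on:
  pull_request_target:
permissions: write-all
jobs:
  cp:
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          ref: master
          persist-credentials: false
      - run: |
          gh pr create --title "[CP-${CHANNEL}]${PR_TITLE}"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

def run_script_lines(text):
    key_col = None  # column of the active run: key while inside its block scalar
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if key_col is not None and (indent > key_col or not line.strip()):
            yield line.strip()  # shell line belonging to the current run: block
            continue
        key_col = None
        m = re.match(r"^(\s*(?:-\s*)?)run\s*:\s*(.*)$", line)
        if m and m.group(2).strip() in ("|", "|-", ">", ">-"):
            key_col = len(m.group(1))  # block lines sit indented past "run"
        elif m:
            yield m.group(2).strip()  # inline run: one-liner

def audit_workflow(text):
    if not re.search(r"^\s*pull_request_target\s*:", text, re.M):
        return []  # plain pull_request hands a fork actor no secrets anyway
    findings = []  # each entry names one pull_request_target risk found
    if re.search(r"^\s*permissions\s*:\s*write-all\s*$", text, re.M):
        findings.append("write-all token on a pull_request_target workflow")
    if re.search(r"^\s*ref\s*:.*github\.event\.pull_request\.head", text, re.M):
        findings.append("checks out the PR head, so fork code runs with secrets")
    for script in run_script_lines(text):
        if UNTRUSTED.search(script):
            findings.append("untrusted PR field in run: " + script)
    return findings
```

Running `audit_workflow(PINNED)` reports only the over-broad token; a variant that checks out `github.event.pull_request.head.sha` or echoes the PR title inside `run:` gets the two additional findings.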