I have a project with Github Actions that implements multiple workflows that can be triggered by a single push event (depending on path filter).
So a push with a single commit can trigger multiple workflows, so far so good.
In each workflow I am running actions/github-script to create dynamic run-checks with the following step:
- uses: actions/github-script#v4
with:
github-token: ${{ inputs.github-token }}
script: |
const date = new Date();
const check = await github.checks.create({
owner: "${{ steps.vars.outputs.owner }}",
repo: "${{ steps.vars.outputs.repo }}",
name: "Custom Script",
started_at: date.toISOString(),
completed_at: date.toISOString(),
head_sha: "${{ inputs.sha }}",
external_id: "${{ github.run_id }}",
status: "completed",
conclusion: "success",
output: {
title: "Some funny title",
summary: "Build successful",
text: "Image pushed to https://${{ inputs.region }}.console.aws.amazon.com/ecr/repositories/private/${{ inputs.customer-id }}/modix/base/${{ inputs.image }}"
}
});
It is working like a charm, when a single workflow is triggered, but as soon as a push triggers multiple workflows, then only the first one that runs is showing the added check. all others but the first don't show the check but also no error?
Before I have tried the LouisBrunner/checks-action and it had the same problem so I created an issue: https://github.com/LouisBrunner/checks-action/issues/26. But now that it also fails by directly using octokit with github-script action, it feels like the problem is somewhere else...
UPDATE:
According to Gregors answer, I have tried giving the check a different name in each workflow by appending the run-id, I found that each parallel workflow is adding the check to the workflow that runs first... so the question now is, how to send it to a specific workflow run?
according to these docs, there is no dedicated parameter for that, it seems that it automatically detects the workflow using the head_sha?
name: "Custom Script ${{ github.run_id }}",
Try setting Custom Script to something different for each check run you create. I think multiple check runs with the same names are collapsed into only showing the last one. The reason is that that way you can override an status on a commit, by using the same name.
Sadly I found that it is simply impossible to attach a check to a specific workflow-run or check-suite. The problem is known for over a year now, but they didn't provide any solution yet. See in this thread.
In the name of a big automotive company, I have now submitted a feature request in the official feedback form of github.
PS: If the feature will be implemented in the future, I am going to create and accept another answer here.
Related
I am trying to use GitHub Actions to validate the book-keeping side of pull requests. Basically, the idea is that merging should be blocked unless certain tags, milestones, and other information is present in the PR. The logic I am currently struggling with is this: The PR needs to have one of two labels, "no release notes" or "public release notes" and if the "public release notes" label is present, then a specially formatted comment should be present with the release notes in question.
I have succeeded in getting the action to fire and update the check when the PR is created, or a label is added or removed. These paths modify the check status on the PR itself.
However, while I can get the Action to run when I add a PR comment (issue comment) this does not seem to update the check status. Is it possible to use an issue comment event to modify the check status of the PR directly?
The YML for the action is:
name: Github PR Audit
on:
pull_request:
types:
- opened
- edited
- labeled
- unlabeled
issue_comment:
types:
- created
- edited
- deleted
jobs:
Audit-Pull-Request:
runs-on: ubuntu-latest
steps:
You can use the GitHub Script GH Action + Branch protection rules configuration.
GitHub Script Action provides an easy and elegant way to run scripts in your workflow and Branch protection rules allow configuring which status checks must pass before branches can be merged.
Example workflow:
name: Github PR Audit
on:
pull_request:
types:
- opened
- edited
- labeled
- unlabeled
issue_comment:
types:
- created
- edited
- deleted
jobs:
Audit-Pull-Request:
runs-on: ubuntu-latest
steps:
- uses: actions/github-script#v6
with:
script: |
const requiredLabels = ['no release notes', 'public release notes'];
let labels = [];
if (context.payload.pull_request) {
labels = context.payload.pull_request.labels;
} else if (context.payload.issue) {
labels = context.payload.issue.labels;
}
if (labels.filter(l => requiredLabels.includes(l.name)).length === 0) {
throw new Error(`Required labels: ${requiredLabels.join(', ')}`);
}
This script will check if its context has the corresponding labels and will fail if not.
Example failing run:
Branch protection rule configuration:
Creating a branch protection rule
I have a workflow with 2 jobs, One job should run Terraform Plan when a pull request is created without a label and the other job should run Terraform Apply when a pull request is merged and does not have a label. currently my workflow is running on both occasions. The issue I'm having is that Terraform Plan is also running when the pull request is closed without merge. I only want Terraform Plan to run when a pull request is created without a label.
Below is a snippet of the triggers if I am missing something
name: Plan and merge to Main
on:
pull_request:
types: [ labeled, closed, opened ]
jobs:
Plan:
name: "Terraform Plan"'
if: github.base_ref == 'main' && join(github.event.pull_request.labels.*.name, '') == ''
Apply:
name: "Run Terraform Apply"
if: github.base_ref == 'main' && github.event.pull_request.merged == true && join(github.event.pull_request.labels.*.name, '') == ''
There’s no way to specify that a workflow should be triggered when a pull request is merged. However, because a merged pull request always results in a push, you can use the push event to accomplish your goal.
For example, let’s say that you want to run a workflow whenever a pull request is merged to your main branch. You can do something like this:
on:
push:
branches:
- main
also if you want to prevent push directly to main it's part of github pro plan.
I am trying to start a workflow only if the merged pull_request has a specific label.
The merged key is referenced here within an action. The Pull object itself is documented here. But I don't see merged documented by itself or with other keys.
Is pull_request.label available to a Github Action? Is there a comprehensive doc that shows all the keys available to a pull_request?
To list all labels you can use something like this
x=${{ toJson(github.event.pull_request.labels.*.name) }}
echo $x
Also to use a single label you can try
steps:
- name: deploy
if: contains(github.event.pull_request.labels.*.name, 'deploy')
run: |
echo "deploy"
This is what I am trying:
- name: Create tag
uses: actions/github-script#v3
with:
script: |
console.log(await github.git.getRef({
owner: context.repo.owner,
ref: "refs/tags/v0.0.1",
repo: context.repo.repo,
}));
However, it is producing "Not Found" error.
If I check using git, I can see that tag exists:
$ git ls-remote
From git#github.com:contra/contra-deploy-tools.git
fc857fff2008eca7c4a547ad4bb35cd7ef5f3891 HEAD
fc857fff2008eca7c4a547ad4bb35cd7ef5f3891 refs/heads/main
b4e20f75a51aac030e3d8ca1360ee1ff84f10c18 refs/tags/v0.0.1
It appears like this is a permission issue. However, I am able to create a tag, and workflow permissions are configured to "Read and write permissions".
What's more surprising is that I am able to list references within the workflow:
Run git ls-remote
From https://github.com/contra/contra-deploy-tools
f0191b469168aa48ee177d270fa2af507d3f7710 HEAD
f0191b469168aa48ee177d270fa2af507d3f7710 refs/heads/main
b4e20f75a51aac030e3d8ca1360ee1ff84f10c18 refs/tags/v0.0.1
This seems to be API specific issue.
What am I missing?
You don't need the refs/ prefix in that API. Looking at the docs, it says that:
Returns a single reference from your Git database. The :ref in the URL must be formatted as heads/ for branches and tags/ for tags.
So if you change your step to the below, it should work.
- name: Create tag
uses: actions/github-script#v3
with:
script: |
console.log(await github.git.getRef({
owner: context.repo.owner,
ref: "tags/v0.0.1",
repo: context.repo.repo,
}));
NB: You're using github-script version 3, but there's already v5. If you want to keep your actions up to date, I previously described how that can be done using dependabot: https://stackoverflow.com/a/70196496/1080523
I have an action job which upload the context to other website. The token was set and stored in the secret.MY_TOKEN.
But others who make the pull request also trigger this action job using the token I set.
How to limit the privilege of executing the jobs that only I can run this action job.
fyi my ci.yml as follow:
name: foobar
on: [push, pull_request]
jobs:
upload:
runs-on: ubuntu-latest
steps:
....
- name: execute upload
env:
TOKEN: ${{ secrets.MYTOKEN }}
run:
upl --token ${TOKEN}
I assume there are two security problems here.
The token is printed in log file.
others who can use this private token by trigger action with their own purpose.
Use the github.repository_owner context
https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context
The syntax should be something like:
- if: github.repository_owner == 'owner_name'
There is a new feature which could help, since July 2022:
Differentiating triggering actor from executing actor
Starting next week, workflow re-runs in GitHub Actions will use the initial run’s actor for privilege evaluation.
The actor who triggered the re-run will continue to be displayed in the UI, and can be accessed in a workflow via the triggering_actor field in the GitHub context.
Currently, the privileges (e.g. – secrets, permissions) of a run are derived from the triggering actor.
This poses a challenge in situations where the actor triggering a re-run is different than the original executing actor.
The upcoming change will differentiate the initial executing actor from the triggering actor, enabling the stable execution of re-runs.
For more details see Re-running workflows and jobs.
I don't believe allowing actions to run only for certain users is a native feature.
However, you could simply check the action context actor and exit early if the actor is not the yourself (or the owner of the repo, or whatever condition you'd like).