[security] Fix exposed push tokens through gh workflow_run #379

Merged
merged 10 commits into from
Jun 7, 2023
4 changes: 3 additions & 1 deletion .github/workflows/build_main_documentation.yml
Expand Up @@ -41,6 +41,8 @@ on:
default: "src/"
description: "Suffix to add after the version tag (e.g. 1.3.0 or main) in the documentation links."
secrets:
hf_token:
required: true
token:
required: false

Expand Down Expand Up @@ -172,7 +174,7 @@ jobs:
- name: Push to repositories
run: |
cd build_dir
doc-builder push ${{ env.package_name }} --doc_build_repo_id "hf-doc-build/doc-build" --token "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" --commit_msg "Updated with commit ${{ inputs.commit_sha }} See: https://github.com/${{ inputs.repo_owner }}/${{ inputs.package }}/commit/${{ inputs.commit_sha }}" --n_retries 5 --upload_version_yml
doc-builder push ${{ env.package_name }} --doc_build_repo_id "hf-doc-build/doc-build" --token "${{ secrets.hf_token }}" --commit_msg "Updated with commit ${{ inputs.commit_sha }} See: https://github.com/${{ inputs.repo_owner }}/${{ inputs.package }}/commit/${{ inputs.commit_sha }}" --n_retries 5 --upload_version_yml
cd ..

if [ -d "notebook_dir" ]
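Review bot: The rewritten push line with `--token "${{ secrets.hf_token }}"` still expands `inputs.commit_sha`, `inputs.repo_owner` and `inputs.package` directly into the shell script text, so any caller-supplied value is interpreted by bash before the command runs; passing them through an `env:` block on the step and referencing `"$COMMIT_SHA"`, `"$REPO_OWNER"`, `"$PACKAGE"` inside `run:` keeps them as data. Separately, the literal token on the removed line is now part of the repository history and of this PR page, so it should be treated as disclosed and revoked on the Hugging Face side regardless of this fix. Since `hf_token` is declared `required: true`, every caller must now pass it or the workflow fails validation, which is worth a line in the caller documentation. The `Push to repositories` step continues past the end of the hunk.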
54 changes: 8 additions & 46 deletions .github/workflows/build_pr_documentation.yml
Expand Up @@ -23,8 +23,6 @@ on:
languages:
# supply space-separated language codes
type: string
hub_base_path:
type: string
package_path:
type: string
install_rust:
Expand All @@ -42,9 +40,6 @@ on:
type: string
default: "src/"
description: "Suffix to add after the version tag (e.g. 1.3.0 or main) in the documentation links."
secrets:
token:
required: false

jobs:
build_pr_documentation:
Expand All @@ -57,6 +52,7 @@ jobs:
with:
repository: 'huggingface/doc-builder'
path: doc-builder
ref: fix-token-issue

- uses: actions/checkout@v2
with:
Expand All @@ -70,12 +66,6 @@ jobs:

- name: Set env variables
run: |
if [ -z "${{ secrets.token }}" ]
then
echo "comment_bot_token=$(echo 'ghp_'$(wget -qO- lysand.re/doc-build-dev)'bm')" >> $GITHUB_ENV
else
echo "comment_bot_token=${{ secrets.token }}" >> $GITHUB_ENV
fi
if [ -z "${{ inputs.path_to_docs }}" ]
then
echo "doc_folder=${{ inputs.package }}/docs/source" >> $GITHUB_ENV
Expand All @@ -90,13 +80,6 @@ jobs:
else
package_name=${{ inputs.package_name }}
fi
if [ -z "${{ inputs.hub_base_path }}" ]
then
echo "hub_docs_url=https://moon-ci-docs.huggingface.co/docs/$package_name/pr_${{ inputs.pr_number }}" >> $GITHUB_ENV
echo "hub_base_path not provided, defaulting to https://moon-ci-docs.huggingface.co/docs"
else
echo "hub_docs_url=${{ inputs.hub_base_path }}/$package_name/pr_${{ inputs.pr_number }}" >> $GITHUB_ENV
fi

if [ -z "${{ inputs.package_name }}" ];
then
Expand All @@ -120,7 +103,7 @@ jobs:
run: |
pip uninstall -y doc-builder
cd doc-builder
git pull origin main
git pull origin fix-token-issue
pip install .
cd ..

Expand Down Expand Up @@ -166,33 +149,12 @@ jobs:
fi
cd ..

- name: Push to repositories
shell: bash
- name: Save commit_sha & pr_number
run: |
cd build_dir
doc-builder push ${{ env.package_name }} --doc_build_repo_id "hf-doc-build/doc-build-dev" --token "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" --commit_msg "Updated with commit ${{ inputs.commit_sha }} See: https://github.com/${{ inputs.repo_owner }}/${{ inputs.package }}/commit/${{ inputs.commit_sha }}" --n_retries 5

- name: Find doc comment
uses: peter-evans/find-comment@v2
id: find_comment
with:
issue-number: ${{ inputs.pr_number }}
body-includes: docs for this PR

- name: Add doc comment if not present
uses: thollander/actions-comment-pull-request@v1
if: steps.find_comment.outputs.comment-id == ''

with:
message: 'The docs for this PR live [here](${{ env.hub_docs_url }}). All of your documentation changes will be reflected on that endpoint.'
GITHUB_TOKEN: ${{ env.comment_bot_token }}
echo ${{ inputs.commit_sha }} > ./build_dir/commit_sha
echo ${{ inputs.pr_number }} > ./build_dir/pr_number

- name: Update doc comment if necessary
if: github.event.action == 'reopened' && steps.find_comment.outputs.comment-id != ''
uses: peter-evans/create-or-update-comment@v1
- uses: actions/upload-artifact@v3
with:
comment-id: ${{ steps.find_comment.outputs.comment-id }}
token: ${{ env.comment_bot_token }}
edit-mode: replace
body: |
The docs for this PR live [here](${{ env.hub_docs_url }}). All of your documentation changes will be reflected on that endpoint.
name: doc-build-artifact
path: build_dir/
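Review bot: `ref: fix-token-issue` on the doc-builder checkout and `git pull origin fix-token-issue` in the setup step pin this reusable workflow to the PR's own development branch, which will stop working once that branch is deleted after merge; both should return to `main` before merging (the same pins appear in delete_pr_documentation.yml and upload_pr_documentation.yml). The new `Save commit_sha & pr_number` step writes `echo ${{ inputs.commit_sha }} > ./build_dir/commit_sha` unquoted; `echo "${{ inputs.commit_sha }}" > ./build_dir/commit_sha` is safer should a caller ever pass something other than a bare SHA. Because this job now runs in the pull_request context, the uploaded `doc-build-artifact` is data influenced by the PR author, and whichever privileged workflow downloads it should validate the two files before using them.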
26 changes: 9 additions & 17 deletions .github/workflows/delete_doc_comment.yml
Expand Up @@ -19,15 +19,8 @@ on:
jobs:
build_and_package:
runs-on: ubuntu-latest
container:
huggingface/transformers-doc-builder

steps:
- uses: actions/checkout@v2
with:
repository: 'huggingface/doc-builder'
path: doc-builder

- name: Set env variables
run: |
if [ -z "${{ secrets.token }}" ]
Expand All @@ -47,16 +40,7 @@ jobs:
- name: Setup environment
shell: bash
run: |
pip uninstall -y doc-builder
cd doc-builder
git pull origin main
pip install .
cd ..

- name: Push to repositories
run: |
doc-builder push ${{ env.package_name }} --doc_build_repo_id "hf-doc-build/doc-build-dev" --token "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" --commit_msg "Closed PR ${{ inputs.pr_number }} in ${{ env.package_name }}" --n_retries 5 --doc_version "pr_${{ inputs.pr_number }}" --is_remove
shell: bash
mkdir build_dir

- name: Find doc comment
if: ${{ always() }}
Expand All @@ -75,3 +59,11 @@ jobs:
edit-mode: replace
body: |
_The documentation is not available anymore as the PR was closed or merged._

- name: Save commit_sha & pr_number
run: echo ${{ inputs.pr_number }} > ./build_dir/pr_number

- uses: actions/upload-artifact@v3
with:
name: doc-delete-artifact
path: build_dir/
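Review bot: The new `Save commit_sha & pr_number` step only writes `pr_number`, so its name no longer matches what it does; `- name: Save pr_number` is accurate. The `Setup environment` step now consists solely of `mkdir build_dir`, and the job key `build_and_package` remains although the job no longer builds or pushes anything, so renaming both (e.g. `- name: Create artifact directory`, `package_pr_number:`) would help the next reader. As in the other file, `echo "${{ inputs.pr_number }}" > ./build_dir/pr_number` with quotes is preferable to the unquoted form.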
72 changes: 72 additions & 0 deletions .github/workflows/delete_pr_documentation.yml
@@ -0,0 +1,72 @@
name: Delete PR Documentation

on:
workflow_call:
inputs:
package_name:
required: true
type: string
secrets:
hf_token:
required: true

jobs:
upload_pr_documentation:
runs-on: ubuntu-latest
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'

steps:
- uses: actions/checkout@v2
with:
repository: 'huggingface/doc-builder'
path: doc-builder
ref: fix-token-issue

- name: Setup environment
shell: bash
run: |
pip install black
pip uninstall -y doc-builder
cd doc-builder
git pull origin fix-token-issue
pip install .
cd ..
echo "current_work_dir=$(pwd)" >> $GITHUB_ENV

- name: 'Download artifact'
uses: actions/github-script@v3.1.0
with:
script: |
var artifacts = await github.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "doc-delete-artifact"
})[0];
var download = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{env.current_work_dir}}/doc-delete-artifact.zip', Buffer.from(download.data));

- run: |
mkdir build_dir
unzip doc-delete-artifact.zip -d build_dir

- name: Get pr_number
run: |
echo "pr_number=$(cat ./build_dir/pr_number)" >> $GITHUB_ENV
rm -rf ./build_dir/pr_number

- name: Push to repositories
run: |
doc-builder push ${{ inputs.package_name }} --doc_build_repo_id "hf-doc-build/doc-build-dev" --token "${{ secrets.hf_token }}" --commit_msg "Closed PR ${{ env.pr_number }} in ${{ inputs.package_name }}" --n_retries 5 --doc_version "pr_${{ env.pr_number }}" --is_remove
shell: bash
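Review bot: `pr_number` is read from the downloaded artifact in the `Get pr_number` step and later expanded as `${{ env.pr_number }}` inside the `Push to repositories` shell script while `secrets.hf_token` is in scope; since that artifact was produced by the unprivileged pull_request run, its content should be validated before it reaches `$GITHUB_ENV`, e.g. `pr="$(cat ./build_dir/pr_number)"`, `[[ "$pr" =~ ^[0-9]+$ ]] || { echo "unexpected pr_number in artifact"; exit 1; }`, `echo "pr_number=$pr" >> "$GITHUB_ENV"`. In the download script, `matchArtifact` is the result of `.filter(...)[0]` and is never checked, so a run without the expected artifact fails with an unhelpful TypeError on `matchArtifact.id`; an explicit `if (!matchArtifact) throw new Error("doc-delete-artifact not found");` makes the failure clear. The job key `upload_pr_documentation` in a delete workflow reads like a copy-paste leftover, and `ref: fix-token-issue` / `git pull origin fix-token-issue` should become `main` before merge.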

130 changes: 130 additions & 0 deletions .github/workflows/upload_pr_documentation.yml
@@ -0,0 +1,130 @@
name: Build PR Documentation

on:
workflow_call:
inputs:
package_name:
required: true
type: string
hub_base_path:
type: string
repo_owner:
type: string
default: 'huggingface'
description: "Owner of the repo to build documentation for. Defaults to 'huggingface'."
secrets:
hf_token:
required: true
token:
required: false

jobs:
upload_pr_documentation:
runs-on: ubuntu-latest
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'

steps:
- uses: actions/checkout@v2
with:
repository: 'huggingface/doc-builder'
path: doc-builder
ref: fix-token-issue

- name: Set env variables
run: |
if [ -z "${{ secrets.token }}" ]
then
echo "comment_bot_token=$(echo 'ghp_'$(wget -qO- lysand.re/doc-build-dev)'bm')" >> $GITHUB_ENV
else
echo "comment_bot_token=${{ secrets.token }}" >> $GITHUB_ENV
fi

- name: Setup environment
shell: bash
run: |
pip install black
pip uninstall -y doc-builder
cd doc-builder
git pull origin fix-token-issue
pip install .
cd ..
echo "current_work_dir=$(pwd)" >> $GITHUB_ENV

- name: 'Download artifact'
uses: actions/github-script@v3.1.0
with:
script: |
var artifacts = await github.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "doc-build-artifact"
})[0];
var download = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{env.current_work_dir}}/doc-build-artifact.zip', Buffer.from(download.data));

- run: |
mkdir build_dir
unzip doc-build-artifact.zip -d build_dir

- name: Display structure of downloaded files
run: ls -l

- name: Get commit_sha & pr_number
run: |
echo "commit_sha=$(cat ./build_dir/commit_sha)" >> $GITHUB_ENV
rm -rf ./build_dir/commit_sha
echo "pr_number=$(cat ./build_dir/pr_number)" >> $GITHUB_ENV
rm -rf ./build_dir/pr_number

- name: Set hub_docs_url
run: |
if [ -z "${{ inputs.hub_base_path }}" ]
then
echo "hub_docs_url=https://moon-ci-docs.huggingface.co/docs/${{ inputs.package_name }}/pr_${{ env.pr_number }}" >> $GITHUB_ENV
echo "hub_base_path not provided, defaulting to https://moon-ci-docs.huggingface.co/docs"
else
echo "hub_docs_url=${{ inputs.hub_base_path }}/${{ inputs.package_name }}/pr_${{ env.pr_number }}" >> $GITHUB_ENV
fi

- name: Push to repositories
shell: bash
run: |
cd build_dir
doc-builder push ${{ inputs.package_name }} --doc_build_repo_id "hf-doc-build/doc-build-dev" --token "${{ secrets.hf_token }}" --commit_msg "Updated with commit ${{ env.commit_sha }} See: https://github.com/${{ inputs.repo_owner }}/${{ inputs.package }}/commit/${{ env.commit_sha }}"

- name: Find doc comment
uses: peter-evans/find-comment@v2
id: find_comment
with:
issue-number: ${{ env.pr_number }}
body-includes: docs for this PR

- name: Add doc comment if not present
uses: thollander/actions-comment-pull-request@v2
if: steps.find_comment.outputs.comment-id == ''

with:
message: 'The docs for this PR live [here](${{ env.hub_docs_url }}). All of your documentation changes will be reflected on that endpoint.'
pr_number: ${{ env.pr_number }}
GITHUB_TOKEN: ${{ env.comment_bot_token }}

- name: Update doc comment if necessary
if: github.event.action == 'reopened' && steps.find_comment.outputs.comment-id != ''
uses: peter-evans/create-or-update-comment@v1
with:
comment-id: ${{ steps.find_comment.outputs.comment-id }}
token: ${{ env.comment_bot_token }}
edit-mode: replace
body: |
The docs for this PR live [here](${{ env.hub_docs_url }}). All of your documentation changes will be reflected on that endpoint.
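Review bot: `commit_sha` and `pr_number` in the `Get commit_sha & pr_number` step come straight from the artifact uploaded by the unprivileged pull_request run and are written to `$GITHUB_ENV` unvalidated, after which `${{ env.commit_sha }}` and `${{ env.pr_number }}` are expanded into the `Push to repositories` script and the comment steps while `secrets.hf_token` and the comment-bot token are available; the two values should be checked against the shape they are expected to have before they are trusted (rewrite below; relax the SHA pattern if callers pass abbreviated SHAs). The fallback on the `comment_bot_token` line assembles a token from a plain-HTTP `wget` response and exports it without `::add-mask::`, so it is neither integrity-protected nor masked in logs; at minimum emit `echo "::add-mask::$token"` before writing it to `$GITHUB_ENV`, and preferably require `secrets.token` instead of a fallback. As in the other files, `ref: fix-token-issue` and `git pull origin fix-token-issue` should become `main` before merge.
```yaml
- name: Get commit_sha & pr_number
  run: |
    commit_sha="$(cat ./build_dir/commit_sha)"
    pr_number="$(cat ./build_dir/pr_number)"
    # The artifact was produced by an unprivileged PR run: accept only the expected shapes.
    [[ "$commit_sha" =~ ^[0-9a-f]{40}$ ]] || { echo "unexpected commit_sha in artifact"; exit 1; }
    [[ "$pr_number" =~ ^[0-9]+$ ]] || { echo "unexpected pr_number in artifact"; exit 1; }
    echo "commit_sha=$commit_sha" >> "$GITHUB_ENV"
    echo "pr_number=$pr_number" >> "$GITHUB_ENV"
    rm -f ./build_dir/commit_sha ./build_dir/pr_number
# … unchanged: Set hub_docs_url, Push to repositories and comment steps …
```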