Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub Actions Configuration #204

Open
scottyhq opened this issue Apr 21, 2021 · 2 comments
Open

GitHub Actions Configuration #204

scottyhq opened this issue Apr 21, 2021 · 2 comments

Comments

@scottyhq
Copy link
Member

scottyhq commented Apr 21, 2021

The GitHub Actions in the repository are fairly complex, mainly stemming from the fact that we want to add environment lock files from any PR. But PRs coming from forks only have read access by default, which is why we use our pangeo-bot user access token and /slash commands to have write access.

I recently learned a lot from this blog post https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ on best practices for structuring this style of CI. Likely could make some modifications and improvements to how things are currently structured.

@scottyhq
Copy link
Member Author

Could also utilize some newer github actions, such as:

  1. Docker images with Buildx
    https://github.com/docker/build-push-action

  2. Or as a Docker alternative build and push with podman to quay.io
    https://github.com/redhat-actions/push-to-registry

@scottyhq
Copy link
Member Author

copying some discussion from #282

The miniforge version is currently specified in a couple places, because of how we generate a lockfile for every PR via github actions.

- name: Setup Conda Environment with Miniforge
uses: conda-incubator/setup-miniconda@v2
with:
# Match base-image/Dockerfile version
miniforge-version: 4.10.3-7
environment-file: environment-condalock.yml
activate-environment: condalock
use-only-tar-bz2: true # IMPORTANT: This needs to be set for caching to work properly!

I think a better strategy going forward might be to install conda-lock in the base image Dockerfile and then actually run conda-lock via that Docker image. That way, conda, mamba, and conda-lock versions will be consistent throughout this repository...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant