Simplify condalock workflow to work without chatops #414

Open

scottyhq opened this issue Dec 7, 2022 · 6 comments

@scottyhq
Member

scottyhq commented Dec 7, 2022

Discussed in detail here CryoInTheCloud/hub-image#18

A less convoluted workflow for creating and installing from a unified lockfile from conda-lock would be nice.

The chatops /condalock command was a fun solution at the time to allow administrators to trigger the condalock workflow (that requires a token with write permissions to add files to a PR), but there are alternatives now such as manually triggered workflow_dispatch or adding a label to an open PR:
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

@weiji14
Member

weiji14 commented May 23, 2023

Hi @scottyhq, I've been discussing with @yuvipanda and a few others on turning the /condalock chatops into a GitHub Action or GitHub App in a dedicated repo under the jupyter org (though we'll probably test things on CryoInTheCloud or some other org first). There's been some interest from 2i2c and the folks at NASA IMPACT/VEDA to put some effort into this, and we can rope you into the discussion if you're interested!

> The chatops /condalock command was a fun solution at the time to allow administrators to trigger the condalock workflow (that requires a token with write permissions to add files to a PR), but there are alternatives now such as manually triggered workflow_dispatch or adding a label to an open PR
> https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

On this conda-lock trigger mechanism, could you elaborate on what's the ideal way to set things up from a repo maintainer perspective? Currently the /condalock chatops is a bit hacky, though it allows just about any GitHub user to trigger the locking mechanism. Were you thinking of a more secure way of triggering the workflow that requires approval on first run (like most GitHub Actions) instead?

@cisaacstern
Member

In case it's useful, here's a snippet from a workflow over in pangeo-forge-runner that triggers an integration test based on the presence of a particular label:

https://github.com/pangeo-forge/pangeo-forge-runner/blob/3b71752c3654b3fbab39ad242ba7901b166902ac/.github/workflows/dataflow.yaml#L1-L24

The workflow triggers on every commit to a PR (if the specified label is also present at commit time). It also triggers against the latest commit, if the label is added.
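The two alternatives scottyhq names (a manual workflow_dispatch, or a label on the PR) and the label-triggered pattern cisaacstern describes can be combined in one workflow. The following is an added example written for this thread; it is not the project's condalock workflow and not the pangeo-forge-runner file linked above. The label name `condalock`, the file names, the `linux-64` platform, the `pip install conda-lock` step and the assumption that PR branches live in the same repository (GITHUB_TOKEN cannot push to a fork's branch) are all my assumptions, not something the thread states.

```yaml
# Added example for this thread, not the project's own workflow.
# Assumptions (not from the page): gate label "condalock", spec file
# environment.yml, platform linux-64, PR branches in this repository.
name: condalock

on:
  # Maintainer-triggered alternative: pick a branch in the Actions tab.
  workflow_dispatch:
  # Label-triggered: only accounts with triage or write access can add a
  # label, so adding it is the approval step. pull_request_target (not
  # pull_request) is used because it is the event that gives GITHUB_TOKEN
  # write access on PRs, which the push step below needs.
  pull_request_target:
    types: [labeled]

# Least privilege: only what the commit-and-push step needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  lock:
    # Gate: run for a manual dispatch, or when the label just added is
    # "condalock". Checking the added label (github.event.label) rather than
    # "any label present" means a stale label from an earlier run does not
    # re-arm the workflow by itself.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.label.name == 'condalock'
    runs-on: ubuntu-latest
    steps:
      # pull_request_target checks out the BASE branch by default. We need
      # the PR head to regenerate its lockfile, and checking out then running
      # tooling against untrusted head content while holding a write token is
      # exactly the "pwn request" pattern from the Security Lab article. The
      # label gate above is what makes this acceptable: a maintainer has
      # looked at the PR before the privileged run happens.
      - uses: actions/checkout@v4
        with:
          # Pin to the SHA that was reviewed, not the moving branch name.
          ref: ${{ github.event.pull_request.head.sha || github.ref }}

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      # Assumption: how conda-lock is installed in this project is not stated
      # in the thread; a plain pip install is used here as a placeholder.
      - name: Install conda-lock
        run: python -m pip install conda-lock

      # Assumed invocation: solve environment.yml for linux-64 and write the
      # unified lockfile to the default output, conda-lock.yml.
      - name: Regenerate unified lockfile
        run: conda-lock -f environment.yml -p linux-64

      - name: Commit lockfile back to the PR branch
        env:
          TARGET: ${{ github.event.pull_request.head.ref || github.ref_name }}
        run: |
          # status --porcelain also catches a newly created, untracked file,
          # which git diff alone would miss.
          if [ -z "$(git status --porcelain -- conda-lock.yml)" ]; then
            echo "conda-lock.yml unchanged; nothing to push"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add conda-lock.yml
          git commit -m "Refresh conda-lock.yml"
          # Push from the reviewed SHA. If the branch moved after the label
          # was added, this is rejected as non-fast-forward, which is the
          # desired outcome: re-label to lock the newer commit.
          git push origin "HEAD:refs/heads/${TARGET}"
```

The trade-off against the linked test workflow is the `synchronize` event: triggering on every later push while the label stays on is convenient, but with a write-capable token it means each new commit re-runs the privileged job without a fresh approval. If that convenience is wanted, either remove the label at the end of the job so the next push needs a maintainer to re-add it, or keep the job to `labeled` only as above.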

@yuvipanda
Member

I do think just typing /condalock is perfectly fine, and the way to automate it is perhaps to have another bot that does /condalock whenever an update is done - or even be automatically triggered each time a push is made (similar to how pre-commit.ci does it). It's a fairly harmless action (unlike pangeo-forge runs!) that we can hand out broader control over to the world.

@scottyhq
Member Author

> There's been some interest from 2i2c and the folks at NASA IMPACT/VEDA to put some effort into this, and we can rope you into the discussion if you're interested

Cool! Thanks @weiji14 @cisaacstern @yuvipanda for the ideas. I'm definitely interested but don't really have time to work on it. Any simplifications to the current setup or ways to make it more easily setup in other repositories would be fantastic.

@weiji14
Member

weiji14 commented Jun 10, 2023

> > There's been some interest from 2i2c and the folks at NASA IMPACT/VEDA to put some effort into this, and we can rope you into the discussion if you're interested
>
> Cool! Thanks @weiji14 @cisaacstern @yuvipanda for the ideas. I'm definitely interested but don't really have time to work on it. Any simplifications to the current setup or ways to make it more easily setup in other repositories would be fantastic.

Totally understand, I'll keep you in the loop on the outcome when we start implementing this 😄. If it's ok, I might open a few PRs on pangeo-docker-images to test things out in the next few months. Have recently got conda-lock=2.0 to work on CryoInTheCloud/hub-image#14, and would be nice to roll that out to pangeo-docker-images soon too!

@weiji14
Member

weiji14 commented Aug 23, 2023

Started initial implementation of a composite GitHub Action at https://github.com/weiji14/conda-lock-refresh, with related demo repo at https://github.com/weiji14/conda-lock-refresh-demo. Note that I'm still testing this out, and there's still a few bugs (e.g. the 'bot' pushes to the main branch instead of the Pull Request branch, gets triggered on regular comments without /condalock, etc. Edit: those two bugs have been fixed, see weiji14/conda-lock-refresh-demo#6 (comment)), but it's looking promising 🙂

Once this work is a bit more polished, I can transfer ownership of these repos to a more official organization.

4 participants