Fix deployment of docs to netlify #34984
Conversation
Codecov ReportBase: 88.60% // Head: 88.58% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## develop #34984 +/- ##
===========================================
- Coverage 88.60% 88.58% -0.02%
===========================================
Files 2136 2136
Lines 396142 396142
===========================================
- Hits 350990 350923 -67
- Misses 45152 45219 +67
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
|
Did you do something to automatically add the "Codecov Report" for every PR? I hate it. It looks like a spam. It is distracting than helpful. I looked at it for some time, but I still don't know what it's doing. Please turn it off. Or make it one of the checks. |
|
This should do it. However, the "publish docs" workflow need to be included in the default branch to run, so I'm not sure how to test it (maybe in my fork once #34983 is reviewed).
Yes, this is part of #33355. I agree that the comments are not very helpful and reliable at the moment. But this is due to the rename of the sage repo, which confused codecov. Should be fixed with the next beta release. If you then still have issues, please open a new issue. |
|
Sorry, I was a bit too quick with adding the "needs review" label. But now everything should work. A preview can be found at tobiasdiez#2 (with the added comment + status check). |
| @@ -15,14 +15,13 @@ jobs: | |||
| build-docs: | |||
| runs-on: ubuntu-latest | |||
| container: ghcr.io/sagemath/sage/sage-docker-ubuntu-focal-standard-with-targets:dev | |||
| env: | |||
| CAN_DEPLOY: ${{ secrets.NETLIFY_AUTH_TOKEN != '' }} | |||
There was a problem hiding this comment.
I think this conditionalization should not be dropped but moved into the new doc-publish workflow.
We don't want the doc-publish workflow to fail on users' repos that have GH Actions enabled.
There was a problem hiding this comment.
We don't want the doc-publish workflow to fail on users' repos that have GH Actions enabled.
Why not? It's not doing its intended job and a red workflow doesn't hurt anyone. Don't you think its better to be notified by the failing workflow in case the auth token is not config correctly in the main repo?
There was a problem hiding this comment.
If you want to have this kind of monitoring in our main repo, restrict the error to that repo only.
There was a problem hiding this comment.
Thanks for your suggestion, but I don't plan to invest more time into what feels like an edge case. If you (or someone else) gets annoyed by the red workflow and you don't want to setup your own netlify deploy, you can simply disable this workflow in the github ui (or change the config in your default branch).
There was a problem hiding this comment.
It was already implemented.
Just don't cut it out.
|
Reviewer's patch: commit 2a17508774e83fd273bc5b76338f4003894f3061 (HEAD -> fix-netlify)
Author: Matthias Koeppe <mkoeppe@math.ucdavis.edu>
Date: Fri Feb 10 23:08:59 2023 -0800
.github/workflows/doc-publish.yml: Restore CAN_DEPLOY
diff --git a/.github/workflows/doc-publish.yml b/.github/workflows/doc-publish.yml
index c7be4a46d3..b743ea722e 100644
--- a/.github/workflows/doc-publish.yml
+++ b/.github/workflows/doc-publish.yml
@@ -13,10 +13,13 @@ permissions:
checks: write
pull-requests: write
+env:
+ CAN_DEPLOY: ${{ secrets.NETLIFY_AUTH_TOKEN != '' }}
+
jobs:
upload-docs:
runs-on: ubuntu-latest
- if: github.event.workflow_run.conclusion == 'success'
+ if: github.event.workflow_run.conclusion == 'success' && (env.CAN_DEPLOY == 'true' || github.repository == 'sagemath/sage')
steps:
- name: Get information about workflow origin
uses: potiuk/get-workflow-origin@v1_5 |
Protecting against the failure mode "someone removed the secret from the repository" is not believable. |
Yes its not very likely. But if the cost is "click two buttons if you are annoyed by the red workflow in a personal fork that you choose to enable the actions in and which has absolutely no negative consequences", then I strongly prefer that. I would appreciate if you could accept this wish to easily test the netlify deployment from the main repo and my fork, or alternatively take over the hosting on netlify yourself. |
|
where are we here now? I'd like build-doc runs like https://github.com/sagemath/sage/actions/runs/4151818607/jobs/7182360271 |
That's a rather inappropriate negotiating tactic. |
|
In any case, we need to merge this ASAP. |
Thanks for the review!
The Please squash this PR instead of merging it, since there are quite a few intermediate testing commits that don't need to be preserved. |
|
Have we converged here? There is still "Changes requested" open. |
|
let's put it in |
I had already set it to positive review. I've removed the "changes requested" to remove any ambiguity. |
I've merged this now, as this is a purely ci-related PR and we got the thumbs up from @vbraun to merge such PRs. |
|
In my fork of sagemath/sage, for a PR in the repo, I received this comment
the link in which doesn't work, of course. In my opinion, this comment should not be sent in the first place. |
|
Seems to be a bug in the netlify action: netlify/actions#67. For now you can disable the workflow in your fork (https://github.com/kwankyu/sage/actions/workflows/doc-publish.yml in the dropdown menu of "..." in the right upper corner) |
|
Thanks for filing the bug. |
Normally, on github, netlify takes care of the build + deploy fully automatically. However, our build takes to long so that we would hit the free build mins relatively quickly. So we continue deploying the docs via github actions. But PR workflows don't have access to secrets, so we need to split the upload of the docs in a new workflow, see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/.
Moreover, the netlify deploy cli doesn't take care of adding a PR comment and status check linking to the deployed website (netlify does this automatically if it would build + deploy the page). So we add this functionality manually.