Restore Open Collective sponsors to site

[rossabaker]

I tried with #3972 and made it worse, because I used a non-CORS endpoint after hacking CORS locally. The conversation continued on that issue, but it is very important we find and publish a solution. This is to hold us accountable for doing so quickly, or to revert #3972 and manually add a couple more sponsors if there is no quick solution.

@armanbilge has PR'ed a fix upstream, and also has a backup plan.

[armanbilge]

I'll invoke the backup plan first thing tomorrow unless upstream moves fast tonight.

[armanbilge]

FYI some movement on my upstream PR with the promise that "Maybe not today, but it could be landed sometime this week."

Therefore, backup plan it is.

[rossabaker]

Leaving open so we can revert the static build when Open Collective adds the CORS support. But this is less urgent than it was five minutes ago thanks to #3977.

[armanbilge]

Tracking the CORS support at opencollective/opencollective-rest#362.

[rossabaker]

We had a build time out, and its last words were a 403 fetching the JSON. I don't know whether they clamp down on or rate limit GitHub Actions. I'm also not 100% certain that's what hung the build. Maybe we need a more "sbt way" to fail than throwing here?

https://github.com/typelevel/cats/pull/3871/checks?check_run_id=3440181444#step:7:262

[armanbilge]

Darn, it never just works, does it!

its last words were a 403 fetching the JSON

Can somebody get the API key for Typelevel and set it as a secret? Instructions here: https://medium.com/open-collective/open-collective-graphql-api-preview-3b42ed1d55ff

Maybe we need a more "sbt way" to fail than throwing here?

My bad, never quite figured out sbt. I think I know how to fix this.

[rossabaker]

@djspiewak is the only admin right now, so I think he'd need to provide the key.

This means we're going to have to keep it as part of the build process, doesn't it? And if we do that, periodically refresh the site? I guess we could have a scheduled GitHub workflow just to fetch this JSON, and then our fetch could fetch that.

[armanbilge]

This means we're going to have to keep it as part of the build process, doesn't it?

Well, until I bug them enough to get my CORS fix live 😛

Alternatives:

1. We can host a tiny proxy (e.g., a free cloudflare worker) that adds CORS to the request and point to that. Actually, I tried this first but ran into problems without the API key.
2. With an API key, we may be able to use the GraphQL API directly in the site. Not sure, I'm confused about whether the key should be kept private, and if so, how it's even possible to use GraphQL in the frontend. I'll research this again.
3. Use your idea to extract the sponsors from the transactions API which does have CORS enabled. I'm sorry I was stubborn and tried to find "better" ways, but more and more that might be the best fix.