My First Open Source Contribution - datastrato/gravitino

I saw a post from 源來適你 on Facebook and learned about the Datastrato gravitino project. Among its issues I found a good-first-issue about a CI problem, so I decided to try solving it!

What is the problem?

When a backport PR is opened automatically by the GitHub bot, the integration test in the GitHub Actions workflow is not triggered automatically, so project members have to close and reopen the PR themselves to trigger the integration test manually.

Analyzing the problem

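  1. First, check whether the workflow trigger is written incorrectly. Unfortunately, .github/workflows/integration-test.yml clearly shows that the trigger is written correctly.
  2. Then why is it not triggered? On closer inspection, a backport PR opened by a regular user does trigger the workflow successfully.
  3. So the guess is: does a PR opened automatically by the GitHub bot fail to trigger the integration test, or is it not allowed to?
    • Google search: github action bot opened pr doesn’t trigger pull_request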

In this discussion, I found that someone had posted a passage from the official documentation:

When you use the repository’s GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository’s GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

So, to avoid recursive workflow runs, the backport PR does not trigger the workflow automatically! The official documentation also covers this, under "triggering a workflow from a workflow".

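Finding a solution

OK, so how do we solve this problem?

Officially recommended:

  1. Use a personal access token (PAT) so that the github-bot does not use GITHUB_TOKEN. That makes the trigger work, but keeping the PAT private has to be dealt with.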

I also found that people have proposed several workaround methods:

  1. Manually close and reopen the PR.
  2. PAT, same as the official recommendation above.
  3. Use a GitHub App to generate a token that can be used with this action.
  4. Create a new GitHub user, use this new user to fork the repo, set MACHINE_USER_PAT in the main repo to the new user's PAT, and then configure the workflow:
     - uses: actions/checkout@v4
     # Make changes to pull request here
     - uses: peter-evans/create-pull-request@v5
       with:
         token: ${{ secrets.MACHINE_USER_PAT }}
         push-to-fork: machine-user/fork-of-repository

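This is really about the same as the official recommendation, but isolating it in a separate account seems like it would be safer (?)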

For this project, though, the backport PR is generated automatically by the github-cherry-pick-action action, and I found in its documentation that the token can be changed. So creating a PAT should be enough to solve this issue!
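The token change described above could look like the following workflow. This is an added example, not the gravitino project's actual auto-cherry-pick.yml; the secret name BACKPORT_PAT, the branch and label name branch-1.0, the trigger, and passing the same token to actions/checkout are assumptions.

```yaml
# Constructed example. BACKPORT_PAT, branch-1.0 and the job name are placeholders.
name: Automatically cherry-pick merged PR to a release branch
on:
  pull_request_target:
    types: ["closed"]

# Keep the built-in GITHUB_TOKEN read-only; the PAT below does the writing.
permissions:
  contents: read

jobs:
  cherry_pick_branch_1_0:
    runs-on: ubuntu-latest
    # Only act on PRs that were actually merged and carry the backport label.
    if: ${{ github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'branch-1.0') }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Assumption: the later git push reuses the credentials stored by
          # checkout, so checkout is given the same token as the action.
          token: ${{ secrets.BACKPORT_PAT }}
      - name: Cherry pick into branch-1.0
        uses: carloscastrojumo/github-cherry-pick-action@v1.0.9
        with:
          # Before: no token input, so the action falls back to GITHUB_TOKEN
          # and the PR it opens does not start integration-test.yml.
          # After: a PAT kept as a secret. The backport PR is attributed to the
          # PAT's owner, so pull_request workflows run on it.
          # A fine-grained PAT limited to this repository with read/write on
          # Contents and Pull requests is enough to push a branch and open a PR.
          token: ${{ secrets.BACKPORT_PAT }}
          branch: branch-1.0
          labels: |
            cherry-pick
```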

Proposing the solution to the project

Hi,

After researching the solution to this issue, I found that this issue is caused by the default setting of GitHub, which prevents triggering a workflow from a workflow.

The solution might be to set the token input used in the github-cherry-pick-action in auto-cherry-pick.yml to some Personal Access Token (PAT), instead of the default token, GITHUB_TOKEN.

According to the official GitHub action documentation, triggering a workflow from a workflow that is generated by the repository’s GITHUB_TOKEN is prohibited by default.

When you use the repository’s GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.

To solve this issue, the documentation gives us some methods:

If you do want to trigger a workflow from within a workflow run, you can use a GitHub App installation access token or a personal access token instead of GITHUB_TOKEN to trigger events that require a token.

The auto-cherry-pick workflow uses carloscastrojumo/github-cherry-pick-action@v1.0.9 to push a backport PR, and the default token that this action uses is GITHUB_TOKEN, as shown in its documentation. Thus, we can set the token that github-cherry-pick-action uses to some Personal Access Token (PAT) to solve this issue.

Tim

Then I received a reply from a project member:

Thanks a lot @BWbwchen for your investigation, greatly appreciated. Let me see how to use PAT to solve this issue.

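It looks like my proposal was accepted! But this solution needs an organization PAT, which I have no permission to configure, so I still needed project members to help set up the token before I could actually resolve this issue. I replied: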

It seems that we can use the PAT of the organization.

I can help to contribute to the auto-cherry-pick workflow file. Since I don’t have permission to set the PAT for the organization, I need your help to set a PAT for solving this issue.

Finally, I resolved this issue by changing the token in the auto-cherry-pick workflow. This is my PR.