From e36d45192dd71586d896524b03f2ee11c565c1df Mon Sep 17 00:00:00 2001 From: Matej Focko Date: Mon, 6 Sep 2021 14:23:53 +0200 Subject: [PATCH 1/2] Add outline of GitHub Action SPIKE Signed-off-by: Matej Focko --- github-actions/README.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 github-actions/README.md diff --git a/github-actions/README.md b/github-actions/README.md new file mode 100644 index 0000000..c54e326 --- /dev/null +++ b/github-actions/README.md @@ -0,0 +1,33 @@ +# GitHub Actions + +## Benefits and options for Packit and users of Packit + +_TODO_ + +## Disadvantages and caveats + +_TODO_ + +## How can we use it + +_TODO_ + +### Rough estimation of time required + +_TODO_ + +## Sharing the work done with GitLab (and potentially Pagure) + +_TODO_ + +## Testing Farm + +_TODO_ + +### Running tests in GitHub Action + +_TODO_ + +### Testing farm via API from GitHub Action + +_TODO_ From c38fd56295a29e0efb445cea3ea1a699f0e34e9b Mon Sep 17 00:00:00 2001 From: Matej Focko Date: Fri, 10 Sep 2021 11:55:01 +0200 Subject: [PATCH 2/2] add advantages and disadvantages Signed-off-by: Matej Focko --- github-actions/README.md | 68 +++++++++++++++++++++++++++++++++++----- 1 file changed, 61 insertions(+), 7 deletions(-) diff --git a/github-actions/README.md b/github-actions/README.md index c54e326..396d31c 100644 --- a/github-actions/README.md +++ b/github-actions/README.md 
@@ -2,32 +2,86 @@ ## Benefits and options for Packit and users of Packit -_TODO_ +### Customization as a whole + +In case of providing Packit API via GitHub Actions it allows to run pipeline (SRPM → Copr → +Testing Farm) after: + +- running some initial CI checks (saves resources on our side) +- preparing archives (eliminates need for retries and failed jobs on our side, if they are blocked + by some external action) + +### SRPM builds + +- Allows user to **easily** customize the dependencies, i.e. does not require changes to be made to + the Sandcastle image. +- Provides access to created SRPMs without dependency on Copr or Packit Service. ## Disadvantages and caveats -_TODO_ +### SRPM builds + +- If we were to trigger Copr builds with SRPM created in GitHub Action we introduce blocking action of + acquiring the SRPM from GitHub. +- No cache is present, which also introduces: + - slower build time + - potential time out, since Actions are time limited (iirc 24 hrs per action) + +### Security concerns + +In case of utilizing API via GitHub Actions there is a risk of modifying actions that could result +in leaking of the secrets. GitHub mitigates this by censoring the output of GitHub Actions, but with +our use-case it would be still possible to (indirectly) modify scripts that are run and leak the +secrets. + +Possible options how to prevent this are: + +- inject secrets after running all customizable actions +- do not run the action if user has no write-access (enforces check by the maintainer) + - differentiating «maintainer approved»? + - how to decide if changes can be evaluated or not? (i.e. user is trusted to modify the files) + - list of files that cannot be modified externally? However it might be required to get those + from the default branch, since branch where changes are merged may be compromised. 
+ +### Versioning + +In case we do not provide specialized images on which Packit can be run, we can run into issues with +different versions of Packit being used (RPM vs PyPI vs images). ## How can we use it +### SRPM build + _TODO_ -### Rough estimation of time required +### Local RPM build _TODO_ -## Sharing the work done with GitLab (and potentially Pagure) +### Mock RPM build _TODO_ -## Testing Farm +### Copr RPM build _TODO_ -### Running tests in GitHub Action +### Testing Farm _TODO_ -### Testing farm via API from GitHub Action +#### Running tests in GitHub Action + +_TODO_ + +#### Testing farm via API from GitHub Action + +_TODO_ + +### Rough estimation of time required + +_TODO_ + +## Sharing the work done with GitLab (and potentially Pagure) _TODO_
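Review bot: In patch 1/2, the heading "### Testing farm via API from GitHub Action" spells "farm" in lower case while its parent heading is "## Testing Farm". Use "Testing Farm" in both places. The same applies to the "#### Testing farm via API from GitHub Action" line that patch 2/2 re-adds one level deeper.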
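Review bot: In the "Security concerns" section of patch 2/2, the option "inject secrets after running all customizable actions" does not say what keeps the steps that run after injection from executing files that the earlier customizable steps changed, which is the indirect script modification the preceding paragraph warns about. Suggest stating that any step running with secrets takes its scripts from the default branch, as the last sub-bullet already hints, rather than from the workspace the customizable steps touched. The three sub-bullets under "do not run the action if user has no write-access" are questions, not mitigations; moving them into an explicit open-questions list would separate what is proposed from what is undecided. In the same hunk, "(iirc 24 hrs per action)" under "Disadvantages and caveats" is a recalled figure: replace it with the limit from GitHub's documentation and say whether it applies per job or per workflow run.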