CI Notify on failure #453
Conversation
lgtm
Looks good to me, with a little uncertainty on official policy on third party actions -- @wileyj?
I reviewed the source of that action and it doesn't look like it tries to do anything fishy. Can we lock in that specific version to ensure it remains safe? I remember @wileyj looked at this situation before.
it all depends really - for the stacks-core repo, we lock any external actions to a specific hash vs a version. on occasion, we've forked actions (usually in the case of unclear maintainer) or simply re-implemented ourselves. and another where we emulated what an external workflow was doing: https://github.com/stacks-network/actions/blob/main/cleanup/workflows/action.yml tl;dr: it depends.
I think the main concern would be that a rogue action has access to the secrets and then can do bad things with the Github token, so it's better to be safe.
I like the idea of adding the hash to ensure this version does not change.
indeed - let me look into this a little bit. right now, the workflow is using the org secret, but we can set a new repo secret that is better scoped (i.e. only allow a workflow to create an issue). however, a lot of the ACLs we'd really like to use are only available for gh enterprise
i think adding something like this to the workflow would be best: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs you may also try using the if using an external workflow makes you nervous here, there are options to roll your own to create an issue (curl or the gh tool would both work here):
In order to get the message-to-Slack feature working, two secrets need to be created: one with the respective SlackBot token with chat:write permission and the other one with the channel_id where the message is going to be sent.
.github/workflows/scheduled.yaml
Outdated
- name: Create GitHub Issue on Failure | ||
uses: jayqi/failed-build-issue-action@v1 | ||
if: ${{ failure() }} | ||
with: | ||
github-token: ${{ secrets.GH_TOKEN }} | ||
label-name: "property-testing-failure" | ||
title-template: "Property testing failure" | ||
body-template: | | ||
GitHub Actions workflow [{{workflow}} #{{runNumber}}](https://github.com/{{repo.owner}}/{{repo.repo}}/actions/runs/{{runId}}) Clarity::V${{ matrix.clarity_version }} failed. | ||
```log | ||
${{ env.failure_section }} | ||
``` |
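Review bot: `uses: jayqi/failed-build-issue-action@v1` pins only a mutable major tag, so the code this step executes can change without any edit to the workflow; if the action stays, pin it to a full commit SHA (`jayqi/failed-build-issue-action@<commit-sha> # v1.x`, placeholder) as the thread suggests for stacks-core. The same step passes `github-token: ${{ secrets.GH_TOKEN }}`, a stored PAT, where the job-scoped `GITHUB_TOKEN` combined with a `permissions:` block granting only `issues: write` would suffice to create the issue and expires when the run ends.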
@BowTiedWoo Can we use ${{ secrets.GITHUB_TOKEN }} instead of ${{ secrets.GH_TOKEN }}? GITHUB_TOKEN seems more secure and is automatically created for workflow use, with permissions configured directly in the workflow settings.
Can we simplify this by using the GitHub CLI command gh issue create instead of a third-party action for that purpose?
I removed the third party action and it's now using gh issue create for creating the issue.
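The approach the thread converges on (a job-level `permissions:` block, the automatic `GITHUB_TOKEN`, and `gh issue create` in place of a third-party action), together with the two Slack secrets the description mentions, as an added example workflow. This is not the PR's own file: the workflow name, schedule, matrix values, test command, job and step names, the log excerpt length and the secret names `SLACK_BOT_TOKEN` and `SLACK_CHANNEL_ID` are all assumptions; only `GITHUB_TOKEN`, the label name and the issue title follow the thread.

```yaml
# Added example, not the PR's workflow. Assumed: workflow name, schedule,
# matrix values, test command, and the Slack secret names.
name: Property tests

on:
  schedule:
    - cron: "0 6 * * *"   # assumed schedule
  workflow_dispatch:

# Start from no permissions; each job asks only for what it needs.
permissions: {}

jobs:
  property-tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout
      issues: write    # gh issue create with the automatic GITHUB_TOKEN
    strategy:
      fail-fast: false
      matrix:
        clarity_version: [1, 2]   # assumed matrix
    steps:
      - uses: actions/checkout@v4

      - name: Run property tests
        # Explicit "bash" enables pipefail, so a failing test is not masked by tee.
        shell: bash
        run: |
          cargo test --features "clarity_v${{ matrix.clarity_version }}" 2>&1 | tee test.log

      - name: Create GitHub issue on failure
        if: ${{ failure() }}
        shell: bash
        env:
          # Workflow-scoped token: scoped by the permissions block above and
          # invalidated when the run finishes. No stored PAT is needed.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Expression values are passed through env rather than interpolated
          # into the script, so they are plain shell variables, not script text.
          CLARITY_VERSION: ${{ matrix.clarity_version }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          {
            echo "GitHub Actions workflow [${GITHUB_WORKFLOW} #${GITHUB_RUN_NUMBER}](${RUN_URL}) Clarity::V${CLARITY_VERSION} failed."
            echo
            # Last 50 lines of the test log as an indented Markdown code block.
            tail -n 50 test.log | sed 's/^/    /'
          } > issue_body.md
          gh issue create \
            --repo "${GITHUB_REPOSITORY}" \
            --title "Property testing failure (Clarity::V${CLARITY_VERSION})" \
            --label "property-testing-failure" \
            --body-file issue_body.md

      - name: Notify Slack on failure
        if: ${{ failure() }}
        shell: bash
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}     # assumed name; bot token with chat:write
          SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}   # assumed name; target channel id
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # Build the JSON with jq so the message text is escaped correctly.
          payload=$(jq -n --arg channel "$SLACK_CHANNEL_ID" \
                          --arg text "Property testing failed: $RUN_URL" \
                          '{channel: $channel, text: $text}')
          # Slack answers HTTP 200 even on API errors, so check the "ok" field
          # instead of relying on curl --fail alone.
          curl --fail --silent --show-error \
            -X POST https://slack.com/api/chat.postMessage \
            -H "Authorization: Bearer ${SLACK_BOT_TOKEN}" \
            -H "Content-Type: application/json; charset=utf-8" \
            --data "$payload" | jq -e '.ok' > /dev/null
```

`gh` is preinstalled on GitHub-hosted runners and reads `GH_TOKEN` from the environment, so no login step is needed. The `property-testing-failure` label must already exist in the repository, otherwise `gh issue create --label` fails; the `permissions` block is the only thing that lets the token write issues, and nothing in the job can push code or read other secrets it was not given.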
LGTM 👍
Add a job to notify @stacks-network/clarity-wasm team when property testing has failed.
We can also have a Slack integration as a complement to the automated issue. To be handled in another PR, if that is the case.
Issue generated as a test: #455