From 31b770b0e0c4a7a78caf01e4cc69eac5cfa07665 Mon Sep 17 00:00:00 2001 From: Nick Snyder Date: Wed, 6 Jul 2022 05:16:51 -0700 Subject: [PATCH 1/4] Update docs for authentication --- README.md | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 85cf339..54aebf4 100644 --- a/README.md +++ b/README.md @@ -42,15 +42,14 @@ jobs: codenotify: runs-on: ubuntu-latest name: codenotify + permissions: + pull-requests: write steps: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} - uses: sourcegraph/codenotify@v0.5 env: - # secrets.GITHUB_TOKEN is available by default, but it won't allow CODENOTIFY to mention GitHub teams. - # If you want CODENOTIFY to be able to mention teams, then you need to create a personal access token - # (https://github.com/settings/tokens) with scopes: repo, read:org. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # with: # # Filename in which file subscribers are defined, default is 'CODENOTIFY' 
@@ -59,6 +58,24 @@ jobs: # subscriber-threshold: '10' ``` +##### GITHUB_TOKEN + +The default configuration above uses [automatic token authentication](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret), but there are some limitations with this method of authentication: +* Codenotify will not be able to mention teams. +* Codenotify will fail when run on repository forks. + +If you want Codenotify to be able to mention teams or if you want Codenotify to be able to run on forks, then you need to: +1. Create a [personal access token](https://github.com/settings/tokens) with the following permissions: + * `read:org` is necessary to mention teams + * `repo` is necessary if you want to use Codenotify with private repositories. Otherwise, `public_repo` is sufficient. + * If you are an organization, consider creating the PAT under a separate bot account. +2. Store the PAT as a secret in your repository or organization (recommend naming this `CODENOTIFY_GITHUB_TOKEN`) +3. Update `.github/workflows/codenotify.yml` to use the secret you just created. For example: + ```diff + - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + GITHUB_TOKEN: ${{ secrets.CODENOTIFY_GITHUB_TOKEN }} + ``` + ## CODENOTIFY files CODENOTIFY files contain rules that define who gets notified when files change. From bac83b81712fcc3e9e7d9092f3068407a5a21740 Mon Sep 17 00:00:00 2001 From: Nick Snyder Date: Wed, 6 Jul 2022 07:19:49 -0700 Subject: [PATCH 2/4] Update README.md --- README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 54aebf4..29ca26c 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ Add `.github/workflows/codenotify.yml` to your repository with the following con ```yaml name: codenotify on: - pull_request: + pull_request_target: types: [opened, synchronize, ready_for_review] jobs: 
@@ -60,11 +60,9 @@ jobs: ##### GITHUB_TOKEN -The default configuration above uses [automatic token authentication](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret), but there are some limitations with this method of authentication: -* Codenotify will not be able to mention teams. -* Codenotify will fail when run on repository forks. +The default configuration above uses [automatic token authentication](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret), but a limitation with this method of authentication is that Codenotify will not be able to mention teams. -If you want Codenotify to be able to mention teams or if you want Codenotify to be able to run on forks, then you need to: +If you want Codenotify to be able to mention teams, then you need to: 1. Create a [personal access token](https://github.com/settings/tokens) with the following permissions: * `read:org` is necessary to mention teams * `repo` is necessary if you want to use Codenotify with private repositories. Otherwise, `public_repo` is sufficient. @@ -75,6 +73,10 @@ If you want Codenotify to be able to mention teams or if you want Codenotify to - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.CODENOTIFY_GITHUB_TOKEN }} ``` + +##### Behavior on forks + +Codenotify does not work on forks ## CODENOTIFY files From 24acfe654f6f82b6849a229f8a301da6d03d4329 Mon Sep 17 00:00:00 2001 From: Nick Snyder Date: Wed, 6 Jul 2022 10:24:08 -0400 Subject: [PATCH 3/4] better error message --- main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.go b/main.go index bfd0351..d9d6eef 100644 --- a/main.go +++ b/main.go 
@@ -341,6 +341,9 @@ func graphql(query string, variables map[string]interface{}, responseData interf } token := os.Getenv("GITHUB_TOKEN") + if token == "" { + return fmt.Errorf("GITHUB_TOKEN is not set") + } req.Header.Set("Authorization", "bearer "+token) reqdump, err := httputil.DumpRequestOut(req, true) From 56ff499c99ce32cdd2007dc085b1e44c4f9d14ee Mon Sep 17 00:00:00 2001 From: Nick Snyder Date: Wed, 6 Jul 2022 10:27:00 -0400 Subject: [PATCH 4/4] Update README.md --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index 29ca26c..3076299 100644 --- a/README.md +++ b/README.md @@ -74,10 +74,6 @@ If you want Codenotify to be able to mention teams, then you need to: + GITHUB_TOKEN: ${{ secrets.CODENOTIFY_GITHUB_TOKEN }} ``` -##### Behavior on forks - -Codenotify does not work on forks - ## CODENOTIFY files CODENOTIFY files contain rules that define who gets notified when files change.
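Review bot: The new guard wraps a constant message in `fmt.Errorf` with no format verbs; for a fixed string the idiomatic form is `return errors.New("GITHUB_TOKEN is not set")` (adding the `errors` import if main.go does not already have it). Worth raising at the same spot: the check sits directly above `httputil.DumpRequestOut(req, true)`, which serializes the request including the `Authorization: bearer …` header set on the line just before it, so wherever `reqdump` is later written (logs, error text) the token travels with it — the Actions runner masks `secrets.*` values in job logs, but the same binary may be run outside that environment. Moving `req.Header.Set("Authorization", "bearer "+token)` to after the dump, or deleting the header from a cloned request before dumping, keeps the credential out of `reqdump`. The `graphql` function starts and ends outside this hunk, so how `reqdump` is consumed is not visible here.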