mirror of
https://github.com/shaka-project/shaka-packager.git
synced 2026-04-03 03:40:05 +00:00
89d59a3601
Since the introduction of `vars` to GitHub Actions, I started using that instead of the "environments" trick I used in Packager. However, it has become clear now that the `vars` strategy has major drawbacks, such as requiring the use of `pull_request_target`, which should only be used for actions that do not execute PR-author-controlled code. This updates the comments to clarify why this is used. This reusable settings workflow will also be deployed now in other repos to standardize on this "environments" mechanism, which is safer than `vars`.
GitHub Actions CI
Reusable workflows
-
build.yaml: Build and test all combinations of OS & build settings. Also builds docs on Linux. -
build-docs.yaml: Build Packager docs. Runs only on Linux. -
build-docker.yaml: Build the official Docker image. -
lint.yaml: Lint Shaka Packager. -
publish-docs.yaml: Publish Packager docs. Runs on the latest release. -
publish-docker.yaml: Publish the official docker image. Runs on all releases. -
publish-npm.yaml: Publish binaries to NPM. Runs on all releases. -
test-linux-distros.yaml: Test the build on all Linux distros via docker.
Composed workflows
- On PR (
pr.yaml), invoke:lint.yamlbuild.yamlbuild-docs.yamlbuild-docker.yamltest-linux-distros.yaml
Release workflow
release-please.yaml- Updates changelogs, version numbers based on conventional commits syntax and semantic versioning
- Generates/updates a PR on each push
- When the PR is merged, runs additional steps:
- Creates a GitHub release
- Invokes
publish-docs.yamlto publish the docs - Invokes
publish-docker.yamlto publish the docker image - Invokes
build.yaml - Attaches the binaries from
build.yamlto the GitHub release - Invokes
publish-npm.yamlto publish the binaries to NPM
Common workflows from shaka-project
sync-labels.yamlupdate-issues.yamlvalidate-pr-title.yaml
Required Repo Secrets
RELEASE_PLEASE_TOKEN: A PAT forshaka-botto run therelease-pleaseaction. If missing, the release workflow will use the defaultGITHUB_TOKENDOCKERHUB_CI_USERNAME: The username of the Docker Hub CI accountDOCKERHUB_CI_TOKEN: An access token for Docker Hub- To generate, visit https://hub.docker.com/settings/security
DOCKERHUB_PACKAGE_NAME: Not a true "secret", but stored here to avoid someone pushing bogus packages to Docker Hub during CI testing from a fork- In a fork, set to a private name which differs from the production one
NPM_CI_TOKEN: An "Automation"-type access token for NPM for theshaka-botaccount- To generate, visit https://www.npmjs.com/settings/shaka-bot/tokens and select the "Automation" type
NPM_PACKAGE_NAME: Not a true "secret", but stored here to avoid someone pushing bogus packages to NPM during CI testing from a fork- In a fork, set to a private name which differs from the production one
Repo Settings
Each of these workflow features can be enabled by creating a "GitHub Environment" with the same name in your repo settings. Forks will not have these enabled by default.
debug: enable debugging via SSH after a failureself_hosted: enable self-hosted runners in the build matrix