Skip to content

Enable "Arduino IDE" workflow use by contributors #1115

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 28, 2022
Merged

Enable "Arduino IDE" workflow use by contributors #1115

merged 2 commits into from
Jun 28, 2022

Conversation

per1234
Copy link
Contributor

@per1234 per1234 commented Jun 26, 2022

GitHub Actions workflows may require access to privileged information in order to perform certain operations. GitHub provides the capability for doing this via "repository secrets".

For security reasons, repository secrets are only accessible to a GitHub Actions workflow run when it is triggered by an event from within the repository containing the secret. This means that a workflow which requires such secrets would fail when run in a fork (unless the fork owner has set up their own secrets with suitable values).

In order to make the relevant components of the CI system friendly for use in forks by contributors validating their work in preparation for submitting a PR, when the operations that require access to a secret are supplemental, those operations should be configured to only run from branches of the parent repository.

Due to its unfortunate monolithic design, in addition to operations useful to contributors, the "Arduino IDE" workflow contains several such supplemental operations:

  • Code signing
  • Publishing release artifacts to Arduino's server

Some attempt was previously made to configure the workflow to skip these operations when run in forks, but that configuration was not done correctly. This made the workflow only usable by contributors with a deep enough understanding of GitHub Actions to be able to make the necessary modifications provisionally every time they needed to use the workflow.

The average contributor would not be capable or willing to do this, which might result in PRs being submitted in a less validated state, increasing the burden on maintainers.

The specific misconfigurations

build job conditional on the workflow running from arduino/arduino-ide

The job itself can run just fine in a fork, so there is no reason to impose this restriction.

Since the time this conditional was added, some changes have been made to the GitHub Actions system which makes this sort of configuration unnecessary:

  • GitHub Actions is globally disabled in forks by default
  • Workflows which contain a schedule trigger (as is the case with this one) are individually disabled by default, requiring the repository owner to enable it specifically even after enabling GitHub Actions in general.

This means this workflow will never run unexpectedly in a fork. The fork owner will always have intentionally enabled it.

So this conditional can be removed completely.

Code signing conditional on PR being submitted from a branch of the base repo

This would cause a spurious failure of the signing operation on PRs made within the contributor's fork when the signing secrets were not defined.

The more appropriate condition of whether the signing secrets are defined or not is now used. The environment variable name has been updated accordingly.

release job conditional on running from arduino/arduino-ide

The GitHub release creation step of this job can run in any repository. It is only the step that uploads to Arduino's AWS server which would only make sense to run from arduino/arduino-ide.

So the conditional is moved to the AWS upload step, allowing contributors to test the workflow's release operation in their forks to validate related proposals.

Reviewer checklist

  • PR addresses a single concern.
  • The PR has no duplicates (please search among the Pull Requests before creating one)
  • PR title and description are properly filled.
  • Docs have been added / updated (for bug fixes / features)

@per1234 per1234 added type: enhancement Proposed improvement topic: infrastructure Related to project infrastructure labels Jun 26, 2022
@per1234 per1234 self-assigned this Jun 26, 2022
AlbyIanna
AlbyIanna approved these changes Jun 28, 2022
View reviewed changes
Copy link
Contributor

@AlbyIanna AlbyIanna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @per1234 !

per1234 added 2 commits June 28, 2022 09:37
@per1234
Refactor signing certificate handling in "Arduino IDE" workflow
fcf7952 
Previously, there was some code duplication of the complex code signing certificate handling commands, which made the
related code more difficult to understand, maintain, and develop.

The cause of this duplication is that there is a separate certificate for each operating system, each of which is stored
in separate repository secrets, as well as a different certificate file extension for each OS. Since the secret names
and file extensions are associated with the operating system, it is most logical to define them via attributes alongside
the operating system definition in the job matrix configuration already used to generate the parallel job runs for
native build on each OS.

That done, the certificate handling commands are universal and the system can easily expand to additional host targets
(e.g., Apple M1) as time goes on.
@per1234
Enable "Arduino IDE" workflow use by contributors
abf4aed 
GitHub Actions workflows may require access to privileged information in order to perform certain operations. GitHub
provides the capability for doing this via "repository secrets".

For security reasons, repository secrets are only accessible to a GitHub Actions workflow run when it is triggered by an
event from within the repository containing the secret. This means that a workflow which requires such secrets would
fail when run in a fork (unless the fork owner was able to set up their own secrets with suitable values).

In order to make the relevant components of the CI system friendly for use in forks by contributors validating their
work in preparation for submitting a PR, when the operations that require access to a secret are supplemental, those
operations should be configured to only run from branches of the parent repository.

Due to its unfortunate monolithic design, in addition to operations useful to contributors, the "Arduino IDE" workflow
contains several such supplemental operations:

- Code signing
- Publishing release artifacts to Arduino's server

Some attempt was previously made to configure the workflow to skip these operations when run in forks, but that
configuration was not done correctly. This made the workflow only usable by contributors with a deep enough
understanding of GitHub Actions to be able to make the necessary modifications provisionally every time they needed to
use the workflow.

The average contributor would not be capable or willing to do this, which might result in PRs being
submitted in a less validated state, increasing the burden on maintainers.

The specific misconfigurations:

**`build` job was conditional on the workflow running from `arduino/arduino-ide`**

The job itself can run just fine in a fork, so there is no reason to impose this restriction.

Since the time this conditional was added, some changes have been made to the GitHub Actions system which makes this
sort of configuration unnecessary:

- GitHub Actions is globally disabled in forks by default
- Workflows which contain a `schedule` trigger (as is the case with this one) are individually disabled by default,
  requiring the repository owner to enable it specifically even after enabling GitHub Actions in general.

This means this workflow will never run unexpectedly in a fork. The fork owner will always have intentionally enabled it.

So this conditional can be removed completely.

**Code signing was conditional on PR being submitted from a branch of the base repo**

This would cause a spurious failure of the signing operation on PRs made within the contributor's fork when the signing
secrets were not defined.

The more appropriate condition of whether the signing secrets are defined or not is now used. The environment variable
name has been updated accordingly.

**`release` job was conditional on running from `arduino/arduino-ide`**

The GitHub release creation step of this job can run in any repository. It is only the step that uploads to Arduino's
AWS server which would only make sense to run from `arduino/arduino-ide`.

So the conditional is moved to the AWS upload step, allowing contributors to test the workflow's release operation in
their forks to validate related proposals.
@per1234 per1234 merged commit 34ef25c into arduino:main Jun 28, 2022
@per1234 per1234 deleted the enable-workflow-for-contributors branch June 28, 2022 17:36
@per1234 per1234 mentioned this pull request Nov 18, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlbyIanna AlbyIanna AlbyIanna approved these changes

@kittaakos kittaakos Awaiting requested review from kittaakos

@davegarthsimpson davegarthsimpson Awaiting requested review from davegarthsimpson

@francescospissu francescospissu Awaiting requested review from francescospissu

Assignees

@per1234 per1234

Labels
topic: infrastructure Related to project infrastructure type: enhancement Proposed improvement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@per1234 @AlbyIanna