From a96ba72d84832308d17278dc756d780ed1e757ce Mon Sep 17 00:00:00 2001 From: Maxime Beauchemin Date: Wed, 24 Jan 2024 13:14:41 -0800 Subject: [PATCH 1/5] chore: refactor the github actions has-secrets logic While working on https://github.com/apache/superset/pull/26772, I realized that the has-secret logic was broken for unclear reasons. Now after doing this fix, I looked and realized that there's similar logic across about a dozen other gh actions, and thought it'd be a good thing to refactor/fix this with a reusable action. Now many of these workflows are set to trigger on push-on-master only, meaning it's less of an issue since a false positive on has-secret doesn't matter in that context since there's always a secret. I still thought I should refactor this to something we can trust and build upon. The solution introduces this new simple reusable action. One minor note is in cases where we need multiple secrets, as in say DOCKERHUB_TOKEN and DOCKERHUB_USER, we simply look at one and assume that's clear-enough of an indicator. --- .github/workflows/check-secrets.yml | 22 ++++++++++++++++ .github/workflows/chromatic-master.yml | 21 +++++---------- .github/workflows/docker-release.yml | 21 +++++---------- .github/workflows/ephemeral-env-pr-close.yml | 21 +++++---------- .github/workflows/ephemeral-env.yml | 26 ++++++------------- .github/workflows/license-check.yml | 21 +++++---------- .github/workflows/release.yml | 21 +++++---------- .../workflows/superset-applitool-cypress.yml | 21 +++++---------- .../superset-applitools-storybook.yml | 21 +++++---------- .github/workflows/superset-docs.yml | 21 +++++---------- 10 files changed, 78 insertions(+), 138 deletions(-) create mode 100644 .github/workflows/check-secrets.yml diff --git a/.github/workflows/check-secrets.yml b/.github/workflows/check-secrets.yml new file mode 100644 index 0000000000000..5c1105996b3d4 --- /dev/null +++ b/.github/workflows/check-secrets.yml 
@@ -0,0 +1,22 @@ +name: Check Secrets + +on: + workflow_call: + inputs: + secret_name: + required: true + type: string + +jobs: + check-secrets: + runs-on: ubuntu-latest + outputs: + has-secrets: ${{ steps.check.outputs.has-secrets }} + steps: + - id: check + run: | + if [[ -n "${{ secrets[inputs.secret_name] }}" ]]; then + echo "has-secrets=true" >> "$GITHUB_ENV" + else + echo "has-secrets=false" >> "$GITHUB_ENV" + fi diff --git a/.github/workflows/chromatic-master.yml b/.github/workflows/chromatic-master.yml index efdbfec2f65bb..f1a9646d21750 100644 --- a/.github/workflows/chromatic-master.yml +++ b/.github/workflows/chromatic-master.yml @@ -32,22 +32,13 @@ on: # List of jobs jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.CHROMATIC_PROJECT_TOKEN != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'CHROMATIC_PROJECT_TOKEN' chromatic-deployment: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' # Operating System runs-on: ubuntu-latest # Job steps diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index 3e205fdeffaaf..34f11e79ca4a5 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml 
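Review bot: The `run:` script of the `check` step splices the secret's value into the shell text through `${{ secrets[inputs.secret_name] }}`, so a value containing a quote, a backtick or `$(` is parsed by bash instead of being tested; the per-workflow checks this patch removes interpolated only a boolean. Pass the value through the step environment and test `[[ -n "$SECRET_VALUE" ]]`; the `echo "Secret ${{ inputs.secret_name }} …"` lines added in patch 3/5 should read an `env:` variable in the same way. Separately, `on.workflow_call` declares no `outputs:`, and a job-level output of a called workflow is not visible to the caller without that mapping, so `needs.check-secrets.outputs.has-secrets` in the callers would be empty and every `== 'true'` gate false. Both additions are sketched below.

```yaml
  workflow_call:
    # … unchanged: inputs.secret_name …
    outputs:
      has-secrets:
        description: "'true' when the named secret is set and non-empty"
        value: ${{ jobs.check-secrets.outputs.has-secrets }}

# … unchanged: job header, runs-on, job-level outputs …
      - id: check
        env:
          SECRET_VALUE: ${{ secrets[inputs.secret_name] }}
        run: |
          if [[ -n "$SECRET_VALUE" ]]; then
            # … unchanged: has-secrets=true / has-secrets=false branches …
          fi
```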
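Review bot: The `check-secrets` call job in chromatic-master.yml passes only `with: secret_name`, and a called workflow does not receive the caller's secrets unless the call job forwards them, so `secrets[inputs.secret_name]` would evaluate to empty in check-secrets.yml and `chromatic-deployment` would be skipped even when the token is configured. Add `secrets: inherit` next to the `with:` block of the call job. The same applies to the other callers in this patch: docker-release, ephemeral-env-pr-close, ephemeral-env, license-check, release, both applitools workflows and superset-docs. Since `secrets: inherit` exposes every caller secret to the called workflow, check-secrets.yml should stay a single inline shell step with no third-party actions.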
@@ -4,22 +4,13 @@ on: release: types: [published] jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'DOCKERHUB_USER' docker-release: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' name: docker-release runs-on: ubuntu-latest strategy: diff --git a/.github/workflows/ephemeral-env-pr-close.yml b/.github/workflows/ephemeral-env-pr-close.yml index 7430950b453f6..6b7a728202e86 100644 --- a/.github/workflows/ephemeral-env-pr-close.yml +++ b/.github/workflows/ephemeral-env-pr-close.yml @@ -5,22 +5,13 @@ on: types: [closed] jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'AWS_SECRET_ACCESS_KEY' ephemeral-env-cleanup: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' name: Cleanup ephemeral envs runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/ephemeral-env.yml b/.github/workflows/ephemeral-env.yml index 2e8178199f1fd..2ff931b9a9ee8 100644 --- a/.github/workflows/ephemeral-env.yml +++ b/.github/workflows/ephemeral-env.yml 
@@ -5,23 +5,13 @@ on: types: [created] jobs: - config: - runs-on: "ubuntu-latest" - if: github.event.issue.pull_request - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'AWS_SECRET_ACCESS_KEY' ephemeral_env_comment: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' name: Evaluate ephemeral env comment trigger (/testenv) runs-on: ubuntu-latest permissions: @@ -80,8 +70,8 @@ jobs: core.setFailed(errMsg) docker_ephemeral_env: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' name: Push ephemeral env Docker image to ECR runs-on: ubuntu-latest diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml index e9b75a100983a..574213e54248f 100644 --- a/.github/workflows/license-check.yml +++ b/.github/workflows/license-check.yml @@ -8,22 +8,13 @@ on: types: [synchronize, opened, reopened, ready_for_review] jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.FOSSA_API_KEY != '' ) || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'FOSSA_API_KEY' license_check: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' name: License Check runs-on: ubuntu-20.04 steps: 
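Review bot: The removed `config` job in ephemeral-env.yml carried `if: github.event.issue.pull_request`, and the new `check-secrets` call job has no `if:`, so the pull-request-only guard is dropped: a comment on a plain issue would now reach `ephemeral_env_comment` and `docker_ephemeral_env` (second hunk, `@@ -80,8 +70,8 @@`) whenever the secret is present. Carry the condition over with `if: github.event.issue.pull_request` on the `check-secrets` job, which skips both dependents as before, or prepend `github.event.issue.pull_request &&` to the two downstream `if:` expressions. Both downstream job bodies continue outside the hunks, so they may hold further checks that are not visible here.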
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7080620c95939..36255f6540195 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,22 +6,13 @@ on: - 'master' jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.NPM_TOKEN != '' && secrets.GH_PERSONAL_ACCESS_TOKEN != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'NPM_TOKEN' # also note that GH_PERSONAL_ACCESS_TOKEN is used build: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' name: Bump version and publish package(s) runs-on: ubuntu-20.04 diff --git a/.github/workflows/superset-applitool-cypress.yml b/.github/workflows/superset-applitool-cypress.yml index 21ace62b02a4e..ff7827103f768 100644 --- a/.github/workflows/superset-applitool-cypress.yml +++ b/.github/workflows/superset-applitool-cypress.yml @@ -5,22 +5,13 @@ on: - cron: "0 1 * * *" jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.APPLITOOLS_API_KEY != '' && secrets.APPLITOOLS_API_KEY != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'APPLITOOLS_API_KEY' cypress-applitools: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' runs-on: ubuntu-20.04 strategy: fail-fast: false 
diff --git a/.github/workflows/superset-applitools-storybook.yml b/.github/workflows/superset-applitools-storybook.yml index 4225509e3a1a0..b7f5c4a6f33c5 100644 --- a/.github/workflows/superset-applitools-storybook.yml +++ b/.github/workflows/superset-applitools-storybook.yml @@ -11,22 +11,13 @@ env: APPLITOOLS_BATCH_NAME: Superset Storybook jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.APPLITOOLS_API_KEY != '' && secrets.APPLITOOLS_API_KEY != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'APPLITOOLS_API_KEY' cron: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' runs-on: ubuntu-20.04 strategy: matrix: diff --git a/.github/workflows/superset-docs.yml b/.github/workflows/superset-docs.yml index e1c2df7d1261b..91499cacb5416 100644 --- a/.github/workflows/superset-docs.yml +++ b/.github/workflows/superset-docs.yml @@ -12,22 +12,13 @@ on: types: [synchronize, opened, reopened, ready_for_review] jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.SUPERSET_SITE_BUILD != '' && secrets.SUPERSET_SITE_BUILD != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - + check-secrets: + uses: ./.github/workflows/check-secrets.yml + with: + secret_name: 'SUPERSET_SITE_BUILD' build-deploy: - needs: config - if: needs.config.outputs.has-secrets + needs: check-secrets + if: needs.check-secrets.outputs.has-secrets == 'true' name: Build & Deploy runs-on: ubuntu-20.04 defaults: From 1221b91211be5d386b64e3645ff96dd4b3fb2290 Mon Sep 17 00:00:00 2001 
From: Maxime Beauchemin Date: Thu, 25 Jan 2024 11:58:26 -0800 Subject: [PATCH 2/5] pre-rebase sqash --- .github/workflows/check-secrets.yml | 4 ++-- .github/workflows/superset-translations.yml | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-secrets.yml b/.github/workflows/check-secrets.yml index 5c1105996b3d4..417f99a222f49 100644 --- a/.github/workflows/check-secrets.yml +++ b/.github/workflows/check-secrets.yml @@ -16,7 +16,7 @@ jobs: - id: check run: | if [[ -n "${{ secrets[inputs.secret_name] }}" ]]; then - echo "has-secrets=true" >> "$GITHUB_ENV" + echo "has-secrets=true" >> "$GITHUB_OUTPUT" else - echo "has-secrets=false" >> "$GITHUB_ENV" + echo "has-secrets=false" >> "$GITHUB_OUTPUT" fi diff --git a/.github/workflows/superset-translations.yml b/.github/workflows/superset-translations.yml index d3d957fde2f27..028e35f8b31b7 100644 --- a/.github/workflows/superset-translations.yml +++ b/.github/workflows/superset-translations.yml @@ -4,8 +4,12 @@ on: push: branches: - 'master' + paths: + - "superset-frontend/**" pull_request: types: [synchronize, opened, reopened, ready_for_review] + paths: + - "superset-frontend/**" jobs: frontend-check: From 0f34934acae76878b736558142e507251caad330 Mon Sep 17 00:00:00 2001 From: Maxime Beauchemin Date: Thu, 25 Jan 2024 12:18:55 -0800 Subject: [PATCH 3/5] dummy docs build --- .github/workflows/check-secrets.yml | 2 ++ .github/workflows/release.yml | 2 +- docs/README.md | 1 - 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-secrets.yml b/.github/workflows/check-secrets.yml index 417f99a222f49..5b96e4a71d3cd 100644 --- a/.github/workflows/check-secrets.yml +++ b/.github/workflows/check-secrets.yml 
@@ -17,6 +17,8 @@ jobs: run: | if [[ -n "${{ secrets[inputs.secret_name] }}" ]]; then echo "has-secrets=true" >> "$GITHUB_OUTPUT" + echo "Secret ${{ inputs.secret_name }} is available" else echo "has-secrets=false" >> "$GITHUB_OUTPUT" + echo "Secret ${{ inputs.secret_name }} is NOT available" fi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 36255f6540195..8da7bfbae3096 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: release-workflow +name: npm-release-workflow on: push: diff --git a/docs/README.md b/docs/README.md index 1427f21640a2c..1e6107564ae5c 100644 --- a/docs/README.md +++ b/docs/README.md @@ -16,5 +16,4 @@ KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> - This is the public documentation site for Superset, built using [Docusaurus 2](https://docusaurus.io/). See [CONTRIBUTING.md](../CONTRIBUTING.md#documentation) for documentation on contributing to documentation. From be7279568819fef3b82972b6cdb6af1b677b254d Mon Sep 17 00:00:00 2001 From: Maxime Beauchemin Date: Thu, 25 Jan 2024 12:20:28 -0800 Subject: [PATCH 4/5] minor name change --- ...-translations.yml => superset-frontend-translations.yml} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename .github/workflows/{superset-translations.yml => superset-frontend-translations.yml} (95%) diff --git a/.github/workflows/superset-translations.yml b/.github/workflows/superset-frontend-translations.yml similarity index 95% rename from .github/workflows/superset-translations.yml rename to .github/workflows/superset-frontend-translations.yml index 028e35f8b31b7..aedd15f956f80 100644 --- a/.github/workflows/superset-translations.yml +++ b/.github/workflows/superset-frontend-translations.yml 
@@ -1,9 +1,9 @@ -name: Translations +name: Frontend Translations on: push: branches: - - 'master' + - "master" paths: - "superset-frontend/**" pull_request: @@ -23,7 +23,7 @@ jobs: - name: Setup Node.js uses: actions/setup-node@v3 with: - node-version: '16' + node-version: "16" - name: Install dependencies uses: ./.github/actions/cached-dependencies with: From 16a80db484abd0cb98ae52954bf3181f099c4bab Mon Sep 17 00:00:00 2001 From: Maxime Beauchemin Date: Thu, 25 Jan 2024 12:01:12 -0800 Subject: [PATCH 5/5] dummy commit --- scripts/docker_build_push.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/docker_build_push.sh b/scripts/docker_build_push.sh index 3d0271cb2b4d2..cd060aa9f2616 100755 --- a/scripts/docker_build_push.sh +++ b/scripts/docker_build_push.sh @@ -112,6 +112,7 @@ cat<