CI: Add workflow to avoid scheduled workflows becoming disabled #18
Conversation
| - name: Create a minimal payload | ||
| run: | | ||
| mkdir _pass | ||
| touch _pass/pass.txt |
There was a problem hiding this comment.
peaceiris/actions-gh-pages requires a non-empty payload directory, so this just provides payload of an empty file.
| touch _pass/pass.txt | ||
|
|
||
| - name: Keep workflow alive | ||
| uses: peaceiris/actions-gh-pages@v3 |
There was a problem hiding this comment.
I think the security risk of using a @v3 tag here is probably fine as we aren't deploying thing, but as we are pushing back to the repo I can see some motivation to go with a more security cautious approach. I'll defer to others here.
There was a problem hiding this comment.
I don't see why this is less risky than other cases: the action gets your secret and can push a new tag to do anything with it.
There was a problem hiding this comment.
I think what @matthewfeickert is @v3 pins to any v3, while @v3.9.1 or @<commit-ish> would pin to a given version so if upstream is compromised we are safe.
There was a problem hiding this comment.
Presumably v3.9.1 is a tag, so only hashes are secure in this sense?
There was a problem hiding this comment.
the action gets your secret and can push a new tag to do anything with it.
The default GITHUB_TOKEN secret created by GitHub Actions at runtime has its permissions limited to the repository that contains the workflow. So it can't perform arbitrary actions. Though, it can write (and so rewrite) commits, so given that
so only hashes are secure in this sense?
yes, probably.
| publish_branch: keep-alive | ||
| publish_dir: _pass | ||
| enable_jekyll: true # avoid extra files | ||
| force_orphan: true # overwirte |
There was a problem hiding this comment.
force pushes to the branch
* Run a cron job on a monthly basis that force pushes a commit to a keep-alive branch.
matthewfeickert
force-pushed
the
ci/add-keep-alive-workflow
branch
from
09fcc14 to
336ab09
Compare
| user_name: 'github-actions[bot]' | ||
| user_email: 'github-actions[bot]@users.noreply.github.com' |
There was a problem hiding this comment.
Avoids the commit being associated with a real user (this really doesn't matter much IMO, but some people like it to make it clear that "hey this wasn't me this was an automated system").
| touch _pass/pass.txt | ||
|
|
||
| - name: Keep workflow alive | ||
| uses: peaceiris/actions-gh-pages@v3 |
There was a problem hiding this comment.
I don't see why this is less risky than other cases: the action gets your secret and can push a new tag to do anything with it.
@stefanv If you mean https://github.com/actions/deploy-pages, that GitHub Action doesn't allow for configuration of the target branch. It will only deploy to the |
|
That makes sense, thanks! |
Resolves #17
Run a cron job on a monthly basis that force pushes a commit to a
keep-alivebranch.(There might be more interesting or intelligent ways to do this, but this works. Revisions welcome!)