chore(ci): add repository dispatch workflow #2442
✅ Deploy Preview for biomejs ready!
if: ${{ github.event_name == 'push' }} | ||
uses: peter-evans/repository-dispatch@v3 | ||
with: | ||
token: ${{ secrets.BIOME_REPOSITORY_DISPATCH }} |
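Review bot: On the `uses: peter-evans/repository-dispatch@v3` line, the action is referenced by a movable tag while the same step is handed `secrets.BIOME_REPOSITORY_DISPATCH`. Whatever code `v3` resolves to at run time receives the PAT, so consider pinning the action to a full commit SHA (with the version noted in a trailing comment) and bumping it deliberately. Also, the `if:` condition checks only the event name, so limiting the dispatch to pushes on the main branch has to come from the workflow's `on:` trigger, which is not visible in this hunk; worth confirming it carries a branch filter.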
This is the PAT token we use and it should be stored as a repository secret and the name should match (I used the name `BIOME_REPOSITORY_DISPATCH`, we can change the name but they should be kept the same).
The bot should be up and running now. The only thing that I changed was the name of the secret: In the future, we can use it instead of the github bot if we want.
I may be wrong because I have no experience managing tokens for an organization. But shouldn't we have different dedicated tokens with the least permissions granted for each kind of task we run? A single token with many permissions may have some security risks, and
For now, if we require different permissions, we can create a different PAT with fine-grained permissions; then, using the values of said PAT, we can create one more secret in the repository where we need said permissions. Although, you actually have a good point, and it makes sense to name the secret based on what it is meant for. I will update the name of the secret.
Done!
Thanks, just to be sure, is the new secret name
Yes, that's the name
Summary
Add repository dispatch workflow. This workflow is meant to trigger the Pin submodule and run codegen workflow in biomejs/website whenever a push event is issued from the main branch.
To trigger the workflow in another repository, this workflow needs a PAT (Personal Access Token) and stores it as a repository secret. I used the secret name `BIOME_REPOSITORY_DISPATCH` in this workflow. Further details about the token permissions can be found here: https://github.com/peter-evans/repository-dispatch?tab=readme-ov-file#token

I suggest that we create a dedicated account under the organization (maybe with the name `biomecookie` or something like that) for token management. So personal access tokens won't be associated with any personal accounts. We should also only grant the minimal permissions for the tokens we need.

A dedicated account for tokens will also let us use it instead of `github-actions[bot]` to trigger other workflows:

A bit of info on creating a machine user:
Test Plan