Description
Describe the problem
Some of the GitHub Actions workflows used by the repository generate pull requests to propose automatically generated changes to the contents of the repository:
The repository also has an "Arduino IDE" workflow that normally performs the following operations for PRs that modify relevant files:
- Run tests
- Provide basic "smoke test" by building the application package
- Create build artifacts to facilitate beta testing
🐛 This important workflow is not triggered by the pull requests generated by other workflows due to a safety measure put in place by GitHub in order to prevent infinitely recursive loops:
https://github.com/peter-evans/create-pull-request#action-inputs
i18n-weekly-pull
An example of harm done by the lack of an "Arduino IDE" workflow run for the PR generated by the i18n-weekly-pull:
The breakage introduced by the PR generated by the "i18n-weekly-pull" workflow run (#2031) was only noticed after merging. If the "Arduino IDE" workflow had been triggered by the PR, this breakage would have been identified in advance and could have been resolved as part of that PR prior to merging at the convenience of the project maintainers.
themes-weekly-pull
The "themes-weekly-pull" workflow allows updating the color variables used by our themes, pulling tokens from a JSON that is generated in Figma by designers and then converting them into CSS variables.
In addition to the usual validation utility of the "Arduino IDE" workflow run, the resulting tester build is especially needed for the PRs generated by this workflow in order to allow the designers to review the changes before merging.
To reproduce
- Open the page of any of the PRs with one of the following titles:
  - "Update translation files"
  - "Update themes"

  https://github.com/arduino/arduino-ide/pulls?q=author%3Aapp%2Fgithub-actions
- Select the "Checks" tab of the PR page.

  🐛 There is no run for the "Arduino IDE" workflow.
Expected behavior
The "Arduino IDE" workflow is triggered for all PRs that modify relevant files, including the PRs generated by the "i18n-weekly-pull" and "themes-weekly-pull" workflows.
Arduino IDE version
Operating system
N/A
Operating system version
N/A
Additional context
This can be done by providing a personal access token via the token input of the peter-evans/create-pull-request action step of the workflow:
https://github.com/peter-evans/create-pull-request#action-inputs
This personal access token must be stored in an encrypted secret in the repository. Since the workflows that generate the PR are submitted from a branch of the repository, the lack of access to encrypted secrets for workflow runs triggered by a PR from a fork is not a factor in this application.
Since the personal access token is bound to a specific user, and grants permission to all the repos this user has access to, the usual workaround is to use a bot account with restricted permissions in order to have control over the access that token provides:
https://docs.github.com/en/developers/overview/managing-deploy-keys#machine-users
In our case we already have a machine account that might be used for this purpose: https://github.com/ArduinoBot.
It looks like there is now an alternative to the ArduinoBot token repository secret approach described above. It is due to this change to GitHub Actions:
It should now be possible to add a step to the "themes-weekly-pull" workflow that generates a workflow_dispatch or repository_dispatch event to trigger the "Arduino IDE" workflow to run on the themes/themes-update branch that contains the pulled theme changes.
There is an example of doing that in the GitHub Changelog blog post linked above.
Issue checklist
- I searched for previous reports in the issue tracker
- I verified the problem still occurs when using the latest nightly build
- My report contains all necessary details
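
The two approaches from "Additional context", side by side in one workflow sketch. This is an added example, not the repository's own workflow file. The secret name `ARDUINOBOT_PR_TOKEN`, the `<arduino-ide-workflow-file>.yml` placeholder, the schedule and the action version tags are assumptions, and the dispatch step only works if the "Arduino IDE" workflow declares an `on: workflow_dispatch` trigger.

```yaml
# Added example: sketch of a "themes-weekly-pull"-style workflow.
name: themes-weekly-pull (sketch)

on:
  schedule:
    - cron: "0 2 * * 1"      # constructed schedule
  workflow_dispatch:

# Scope the automatic GITHUB_TOKEN to exactly what this job does.
permissions:
  contents: write            # push the themes/themes-update branch
  pull-requests: write       # open or update the PR
  actions: write             # create the workflow_dispatch event (option B)

jobs:
  pull-themes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # version tag is an assumption

      # Theme generation steps are not shown on the page and are omitted here.

      # Option A: personal access token of a restricted machine user.
      # PRs created with this token trigger pull_request workflows normally.
      # ARDUINOBOT_PR_TOKEN is a hypothetical secret name.
      # - uses: peter-evans/create-pull-request@v5
      #   with:
      #     token: ${{ secrets.ARDUINOBOT_PR_TOKEN }}
      #     branch: themes/themes-update

      # Option B: keep the default GITHUB_TOKEN and dispatch explicitly,
      # so no long-lived user-bound credential is stored in the repository.
      - name: Create pull request
        id: cpr
        uses: peter-evans/create-pull-request@v5   # version tag is an assumption
        with:
          branch: themes/themes-update
          title: Update themes

      - name: Run the "Arduino IDE" workflow on the PR branch
        # Skip the dispatch when no PR was created or updated.
        if: steps.cpr.outputs.pull-request-operation == 'created' || steps.cpr.outputs.pull-request-operation == 'updated'
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Placeholder file name: substitute the real workflow file.
          gh workflow run "<arduino-ide-workflow-file>.yml" \
            --repo "$GITHUB_REPOSITORY" \
            --ref themes/themes-update
```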