Expose GitHub summary unconditionally #821
Conversation
| # Copy receipt to a predictable location | ||
| RECEIPT_FILE=".data/01-validate-incremental-building/latest/exp1-*.receipt" | ||
| if [ -f ${RECEIPT_FILE} ]; then | ||
| cp ${RECEIPT_FILE} ../receipt.txt | ||
| fi |
There was a problem hiding this comment.
What do you think about something like this?
| # Copy receipt to a predictable location | |
| RECEIPT_FILE=".data/01-validate-incremental-building/latest/exp1-*.receipt" | |
| if [ -f ${RECEIPT_FILE} ]; then | |
| cp ${RECEIPT_FILE} ../receipt.txt | |
| fi | |
| echo "receiptFile=$(readlink -f .data/01-validate-incremental-building/latest/exp1-*.receipt)" >> $GITHUB_OUTPUT |
That way we don't have to copy files around to be used in a later step. I think that would also allow users to consume it and could write the file contents to Slack or an email or something without having to worry about where the file is located. I think that's true anyway.
Then later we can do:
if [ -f "${{ steps.run.outputs.receiptFile }}" ]; then
...
fiThere was a problem hiding this comment.
To expose the file outside of the composite action, we would also need to declare it as an extra output there.
We could do that but my intention is exactly opposite as described there
The receipt file is renamed to a predictable receipt.txt file to avoid passing the filename across steps and adding an attack surface as the file content is archived and inlined in the GitHub summary
We also could keep the reference .data/01-validate-incremental-building/latest/exp1-*.receipt in the 3 different steps to avoid the copy
The copy is just there to avoid repeating the uneasy reference.
Do you think it would be better?
There was a problem hiding this comment.
To expose the file outside of the composite action, we would also need to declare it as an extra output there.
Right, I knew there was something I was missing. I would do that.
adding an attack surface as the file content is archived and inlined in the GitHub summary
I don't get this part.
There was a problem hiding this comment.
Having as a step input a file path which you then display in the summary and upload as an artifact is something I am a bit reluctant to do
I see this as a way to display content of a file which was not meant to be displayed in the first place
There was a problem hiding this comment.
Sorry, but I still don't understand. We already displayed the content in the summary before here.
And the file was an input to the upload action here.
There was a problem hiding this comment.
The artifact is uploaded immediately after the experiment completes in the following step and the summary is written immediately after that. All of this happens within the composite action so the user can overwrite the file, but neither the uploaded artifact or experiment summary should be affected.
In any case, they could have overwritten the file before these changes too.
There was a problem hiding this comment.
I agree that the risk is limited or not worsened but I still feel it is bad practice to display a file content without controlling how the file path is obtained
There was a problem hiding this comment.
Is your concern only about exposing the file path to the user, i.e., adding it as an output of the composite action?
There was a problem hiding this comment.
My concern is that the composite step is displaying a file which could potentially be something else than the report.
You could think of a scenario with a complex consuming workflow, calling this composite, with maintainers thoroughly checking that files with secrets are not undisclosed by a PR, but omitting to control the behavior of steps brought by composite actions.
This is unlikely to happen but not impossible if we make the receipt file a step input/output
There was a problem hiding this comment.
We agreed on a call to inline the full receipt path when used
jprinet
force-pushed
the
jprinet/publish-github-action-summary-unconditionnally
branch
from
f1665e1 to
1674631
Compare
jprinet
deleted the
jprinet/publish-github-action-summary-unconditionnally
branch
|
|
||
| # Set the Build Scan urls as outputs | ||
| RECEIPT_FILE=".data/01-validate-incremental-building/latest/exp1-*.receipt" | ||
| BUILD_SCAN_1=$(grep -m 1 "first build" ${RECEIPT_FILE} | sed 's/.* //') |
There was a problem hiding this comment.
Isn't RECEIPT_FILE undefined now?
There was a problem hiding this comment.
damned, I missed this one, good catch. I'll fix it in another PR
There was a problem hiding this comment.
You could just move the capturing of build scan links to the Fill GitHub summary step inside of the if condition such that the final thing done in this step is the script invocation. That would also allow you to remove the set +e and capturing of the exit code.
There was a problem hiding this comment.
That makes sense and will put altogether the GitHub I/O in the same step 👍
Issue
The GitHub summary is not published when the validation scripts run as part of the GiHub composite actions fail.
Fix
The validation scripts are run within a bash step which is by default configured to exit immediately upon command failure
The fix is to revert this configuration and capture the validation script exit code to allow post actions within the step (build scan links capture and receipt file renaming)
Subsequent steps to archive the receipt and inline it in the summary are configured to run unconditionnally
Implementation details
upload-artifactstep is using the default configuration which triggers a warning message when the receipt file is not present. This is an interesting information for the action consumer.