Retry converting GitHubAction `coveralls` to NUKE with `coveralls.net` by IT-VBFK · Pull Request #2095 · fluentassertions/fluentassertions · GitHub
Skip to content

Retry converting GitHubAction coveralls to NUKE with coveralls.net#2095

Closed
IT-VBFK wants to merge 6 commits into
fluentassertions:developfrom
IT-VBFK:build/convert-coveralls
Closed

Retry converting GitHubAction coveralls to NUKE with coveralls.net#2095
IT-VBFK wants to merge 6 commits into
fluentassertions:developfrom
IT-VBFK:build/convert-coveralls

Conversation

@IT-VBFK

@IT-VBFK IT-VBFK commented Jan 12, 2023

Copy link
Copy Markdown
Contributor

IMPORTANT

  • If the PR touches the public API, the changes have been approved in a separate issue with the "api-approved" label.
  • The code complies with the Coding Guidelines for C#.
  • The changes are covered by unit tests which follow the Arrange-Act-Assert syntax and the naming conventions such as is used in these tests.
  • If the PR adds a feature or fixes a bug, please update the release notes with a functional description that explains what the change means to consumers of this library, which are published on the website.
  • If the PR changes the public API the changes needs to be included by running AcceptApiChanges.ps1 or AcceptApiChanges.sh.
  • If the PR affects the documentation, please include your changes in this pull request so the documentation will appear on the website.
    • Please also run ./build.sh --target spellcheck or .\build.ps1 --target spellcheck before pushing and check the good outcome

@IT-VBFK IT-VBFK marked this pull request as draft January 12, 2023 17:53
@IT-VBFK IT-VBFK force-pushed the build/convert-coveralls branch 12 times, most recently from abc7ebb to ed8a261 Compare January 12, 2023 19:37
@ITaluone

Copy link
Copy Markdown
Contributor

Comment thread Build/Build.cs Outdated
Comment thread Build/Build.cs
Comment thread .github/workflows/build.yml Outdated
Comment thread Build/Build.cs Outdated
Comment thread Build/Build.cs Outdated
@ITaluone ITaluone mentioned this pull request Jan 13, 2023
7 tasks
@IT-VBFK

IT-VBFK commented Jan 13, 2023

Copy link
Copy Markdown
Contributor Author

@jnyrup or @dennisdoomen
Can you please recheck the correct integration of coveralls with the github token (or a different one)?
I can't figure out why else this pipeline is failing at coveralls..

@IT-VBFK IT-VBFK force-pushed the build/convert-coveralls branch 3 times, most recently from c583cbd to 7576b8e Compare January 13, 2023 10:13
@dennisdoomen

Copy link
Copy Markdown
Member

The token is correct and properly passed to the script. So something else is not right.

@IT-VBFK

IT-VBFK commented Jan 13, 2023

Copy link
Copy Markdown
Contributor Author

Hmm.. that odd.. I can't figure out what the problem is..

@jnyrup

jnyrup commented Jan 14, 2023

Copy link
Copy Markdown
Member

csMACnz/coveralls.net#108 indicates that we're passing the wrong kind of token.

--repoToken <repoToken> The coveralls.io repository token.

https://github.com/csMACnz/coveralls.net/blob/main/src/csmacnz.Coveralls/MainArgs.cs

@IT-VBFK

IT-VBFK commented Jan 14, 2023

Copy link
Copy Markdown
Contributor Author

Thank you for digging into this

I fear I cannot help with the token ;)

@IT-VBFK

IT-VBFK commented Jan 14, 2023

Copy link
Copy Markdown
Contributor Author

image

Just to make sure to not forget this check in NUKE build

@dennisdoomen

Copy link
Copy Markdown
Member

I've just added a new Coveralls-specific token under the name COVERALLS_TOKEN. Try that one instead.

@IT-VBFK IT-VBFK force-pushed the build/convert-coveralls branch from 7576b8e to ccf0d9c Compare January 14, 2023 12:23
@IT-VBFK

IT-VBFK commented Jan 14, 2023

Copy link
Copy Markdown
Contributor Author

There must be an issue with permissions or something, because if I add a repo secret in my fork and use that instead.. it works

see this latest workflow run: https://github.com/IT-VBFK/fluentassertions/actions/runs/3919802757/jobs/6701153117
and the coveralls-page: https://coveralls.io/github/IT-VBFK/fluentassertions

@jnyrup

jnyrup commented Jan 14, 2023

Copy link
Copy Markdown
Member

New best guess about what's confusing us

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

https://docs.github.com/en/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow

@IT-VBFK

IT-VBFK commented Jan 14, 2023

Copy link
Copy Markdown
Contributor Author

uhh.. that's stupid.. that means we can't use that?

What a pity

@jnyrup

jnyrup commented Jan 14, 2023

Copy link
Copy Markdown
Member

uhh.. that's stupid..

It's for security.
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

Giving this a second thought, we didn't provide the Coveralls token before, so we shouldn't need it now.
Looking at the source for the currently used github actions task, it does use secrets.GITHUB_TOKEN.

@IT-VBFK

IT-VBFK commented Jan 14, 2023

Copy link
Copy Markdown
Contributor Author

Giving this a second thought, we didn't provide the Coveralls token before, so we shouldn't need it now.
Looking at the source for the currently used github actions task, it does use secrets.GITHUB_TOKEN.

But this didn't work either.. See the very first commits/workflow runs of this PR

@IT-VBFK IT-VBFK force-pushed the build/convert-coveralls branch from 8c4e088 to 7f5d376 Compare January 14, 2023 20:32
@IT-VBFK

IT-VBFK commented Jan 14, 2023

Copy link
Copy Markdown
Contributor Author

What about using NUKE's secret parameter feature by storing the encrypted value in Build/parameters.json?

https://nuke.build/docs/fundamentals/parameters/#secret-parameters

@IT-VBFK

IT-VBFK commented Jan 14, 2023

Copy link
Copy Markdown
Contributor Author

Locally this works for me:

  • Add [Secret] attribute to the coveralls variable in Build.cs and run ./build.sh once to generate the build.schema.json
  • adding my coveralls token as a NUKE secret (in root dir run following):
    • nuke :secrets
    • choose the variable name
    • enter the secret
    • save & exit
  • run ./build.sh again
  • it should be working now (at least on my machine)

the only draw-back is, that you have to provide (or commit directly to this PR) the changed parameters.json, which holds the encrypted token

@dennisdoomen

Copy link
Copy Markdown
Member

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

This means that the secret is not available from a build that is part of the fork. And that makes total sense. We're running builds from the main repo. And we're also passing the Nuget push key in the exact same way. And that works.

Giving this a second thought, we didn't provide the Coveralls token before, so we shouldn't need it now.
Looking at the source for the currently used github actions task, it does use secrets.GITHUB_TOKEN.

That was my thought as well. I suspect that the GHA action for Coverall works in a different way than the .NET library

@dennisdoomen

Copy link
Copy Markdown
Member

the only draw-back is, that you have to provide (or commit directly to this PR) the changed parameters.json, which holds the encrypted token

That is not an option.

@IT-VBFK IT-VBFK force-pushed the build/convert-coveralls branch from 7f5d376 to 0318ad0 Compare January 15, 2023 12:01
@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

That is not an option.

I have already guessed something like this :)

@IT-VBFK IT-VBFK force-pushed the build/convert-coveralls branch 2 times, most recently from fa682ad to 5cc6d0b Compare January 15, 2023 12:17
@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

This means that the secret is not available from a build that is part of the fork. And that makes total sense. We're running builds from the main repo. And we're also passing the Nuget push key in the exact same way. And that works.

But this does not work either (see latest workflow runs). Both nuget api key and coveralls token are empty..

Have introduced the Info target again and check if NuGetApiKey and CoverallsToken are !string.IsNullOrWhitespace.

@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

I think I will close this PR soon, because I think we're stuck here..

Sorry

@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

Just to recap:

  • Using GITHUB_TOKEN like in the coveralls action --> does not work
  • Using a specific coveralls token works in the fork, but not in the main repo (when PR)
  • Passing secrets.Token to NUKE --> does not work (Null or whitespace)
  • Passing token via NUKE secret parameters --> declined
  • Storing the token as repo variable (not as secret) --> definitely not an option

I just realized that since the variable name changed from ApiKey to NuGetApiKey no key is passed to NUKE anymore

Apparently, if merged into develop or master the key is passed.. but not in PRs.. but we want to get response about coverage especially in the PRs..

@IT-VBFK IT-VBFK force-pushed the build/convert-coveralls branch from 5cc6d0b to f234295 Compare January 15, 2023 12:36
@IT-VBFK IT-VBFK force-pushed the build/convert-coveralls branch from f234295 to f6b706f Compare January 15, 2023 12:42
@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

An other possibility could be to use an external key vault or AzureKeyVault (which is also supported by NUKE)

like proposed here: https://stackoverflow.com/a/67543604

@jnyrup

jnyrup commented Jan 15, 2023

Copy link
Copy Markdown
Member

An other possibility could be to use an external key vault or AzureKeyVault (which is also supported by NUKE)

like proposed here: https://stackoverflow.com/a/67543604

Not an option.
While we like to reduce the amount of yaml, introducing completely external systems introduces more complexity and fragility.

If we cannot find a way to inject some secret (github-token or coveralls token) into NUKE, then I say we keep it as it is right now.

@dennisdoomen

Copy link
Copy Markdown
Member

image

Maybe this only works if me or @jnyrup trigger the build....

@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

image

Maybe this only works if me or @jnyrup trigger the build....

Is this what we really want? Seems like a bad "hack"

@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

As I don't have no ideas left.. I would close this..

Or do you have any ideas @jnyrup @dennisdoomen ?

@jnyrup

jnyrup commented Jan 15, 2023

Copy link
Copy Markdown
Member

I also out of ideas.

@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

Ok.. seems we stick with yaml 🤔

@IT-VBFK IT-VBFK closed this Jan 15, 2023
@dennisdoomen

Copy link
Copy Markdown
Member

Something is off. I've used repository secrets many times before. But looking at the flaky behavior we see with Coveralls right now, I'm starting to think we're facing the same problem there. When a contributor creates a PR, that PR won't get the right token and doesn't produce a Coveralls report. It always requires us to manually rebuild it.

But maybe I'm imagining things.

@IT-VBFK

IT-VBFK commented Jan 15, 2023

Copy link
Copy Markdown
Contributor Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants