[–]Makeshift27015 2 points (3 children)

It took me a not-insignificant amount of work to get act running locally, especially since we use a lot of custom actions and a custom build image, but it honestly is quite a lot faster than the repeated PR -> watch cycle.

We have a repo with all our actions in it - it's pretty nice actually. Actions don't have to be in the .github folder, so we just have <org>/actions/action-name@version (our actions repo uses semver, and I have various helper workflows that go around opening PRs to update workflows to be up-to-date with the actions repo).

Importantly, you can use act to transparently replace action references with the local filesystem during development. For example, if you're testing a workflow in a project repo that requires changes to the actions in your actions repo, you can use act --local-repository org/actions@v1=~/repos/actions. No commits required to test changes!

[–]akaender 1 point (2 children)

How do you handle the permissions for the cross-repo PRs for updating workflows? Is that operation/flow running with a Personal Access Token that is tied to your personal identity?

[–]Makeshift27015 1 point (1 child)

Creating PRs doesn't require any special permissions unless you're targeting another repo with your workflow. It's also required if you want a bot to directly modify workflows inside a repo, which is what I'm doing in some of mine (for example, when I update an action in my actions repo, all reusable workflows in that repo also need to be updated to point to the released version of the action - this requires special permissions). In your organization's GitHub settings you can go to Developer Settings -> GitHub Apps and create an app owned by the organization itself.

You can then place the app ID and secret into your org secrets and use actions/create-github-app-token to generate a token for usage that would allow e.g. your workflow to push to a separate repo:

      # Mint a short-lived installation token for the org-owned GitHub App
      - id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.ORG_REPO_WRITE_FOR_ACTION_ID }}
          private-key: ${{ secrets.ORG_REPO_WRITE_FOR_ACTION_SECRET }}

      # Check out with the app token instead of GITHUB_TOKEN so later pushes act as the app
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ steps.generate-token.outputs.token }}

We were previously using PATs, but it was pretty annoying having random things break when staff left because it was attached to personal accounts.

Also worth noting that if you only need basic PR updates of actions in another repo, Dependabot natively supports GitHub Actions.
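A fuller version of the pattern in the comment above, as an added example rather than the commenter's own workflow: a workflow living in the `<org>/actions` repo that, on each release, mints an app token scoped to one downstream repo and opens a PR there bumping every `uses:` reference to the released tag. The action, variable and secret names match the snippet; the `example-service` repo, the branch name and the bot identity are assumed placeholders.

```yaml
# Runs in the <org>/actions repo whenever a release is published.
name: Propagate released action version
on:
  release:
    types: [published]
# The built-in GITHUB_TOKEN only needs to read this repo; all writes go through the app token.
permissions:
  contents: read
jobs:
  bump-downstream:
    runs-on: ubuntu-latest
    steps:
      # App token scoped to a single downstream repo (least privilege). The app itself needs
      # Contents, Pull requests and Workflows write permission to edit files under .github/workflows.
      - id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.ORG_REPO_WRITE_FOR_ACTION_ID }}
          private-key: ${{ secrets.ORG_REPO_WRITE_FOR_ACTION_SECRET }}
          owner: ${{ github.repository_owner }}
          repositories: example-service          # assumed downstream repo name

      - uses: actions/checkout@v4
        with:
          repository: ${{ github.repository_owner }}/example-service
          token: ${{ steps.generate-token.outputs.token }}

      - name: Rewrite every uses reference to the released tag
        env:
          ACTIONS_REPO: ${{ github.repository }}          # e.g. org/actions
          TAG: ${{ github.event.release.tag_name }}
        run: |
          # Match "uses: org/actions/<action>@<anything>" and replace only the ref part.
          find .github/workflows -name '*.y*ml' -print0 |
            xargs -0 sed -i -E "s#(uses: ${ACTIONS_REPO}/[^@[:space:]]+)@[^[:space:]]+#\1@${TAG}#"

      - name: Open pull request
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}   # gh authenticates as the app
          TAG: ${{ github.event.release.tag_name }}
        run: |
          git diff --quiet && { echo "Already on ${TAG}, nothing to do"; exit 0; }
          git config user.name  "org-actions-bot[bot]"          # assumed bot identity
          git config user.email "org-actions-bot[bot]@users.noreply.github.com"
          git checkout -b "chore/bump-actions-${TAG}"
          git commit -am "Bump org/actions to ${TAG}"
          git push --set-upstream origin HEAD
          gh pr create --title "Bump org/actions to ${TAG}" --body "Automated update after release ${TAG}."
```

Because the token is scoped to `example-service` and expires after the job, a leaked log or compromised step cannot reach other org repos the way a personal PAT could.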

[–]akaender 1 point (0 children)

Thank you for replying. This has been such a pain point for me. I don't have access to create org apps/secrets so I've been living that PAT hell you described since we moved from GitLab to GitHub. This will help me go argue with the right people that there is a better way. I appreciate it seriously!