0
0
Fork 0
mirror of https://codeberg.org/forgejo/docs.git synced 2024-11-21 17:36:59 -05:00
forgejo-docs/docs/developer/repositories-dependencies.md
Earl Warren 533f575dde
developer/repositories-dependencies: no need to add collaborators
adding collaborators with write access to the destination repository
is a way for the author of a pull request to gain elevated privileges
2023-11-01 20:45:42 +01:00

3.7 KiB

title license
Managing dependencies between repositories CC-BY-SA-4.0

Some Forgejo repositories that depend on each other have workflows that will trigger workflows on other repositories using the cascading-pr action.

Use cases and examples

Files copied from other repositories

setup-forgejo contains a copy of the forgejo-curl script. This script does not have numbered releases and the latest version is the one in the main branch.

forgejo-curl has a workflow that will open a pull request to setup-forgejo to update the forgejo-curl.sh script it contains. The forgejo-curl workflow will wait on the setup-forgejo workflow and fail if it does not pass, thus providing additional confirmation that the change under test won't break setup-forgejo once merged.

When the PR is merged in forgejo-curl, the corresponding PR in setup-forgejo is left open and ready to be merged with the latest version of the forgejo-curl.sh script.

Verifying an upgrade would work

setup-forgejo installs a runner by default, as specified in the action.yml file.

The runner has a workflow that will open a pull request to setup-forgejo to update the default version in the action.yml file. The runner workflow will wait on the setup-forgejo workflow and fail if it does not pass, thus providing additional confirmation that the change under test won't break setup-forgejo when it upgrades to using a release that contains the change.

When the PR is merged in forgejo-curl, the corresponding PR in setup-forgejo is closed. It is not meant to upgrade setup-forgejo because there is not yet a tag release published with this change.

Permissions

The cascading-pr action needs a token with write permissions on issues and repositories that will allow it to fork the destination repository and create a pull request from this fork. It also needs read permission on issues and pull requests for the origin repository.

The cascading-pr user is dedicated to providing such tokens.

For instance, a personal token named https://code.forgejo.org/forgejo/forgejo-curl/ was created by the cascading-pr user. This token was added as two secrets named CASCADING_PR_ORIGIN and CASCADING_PR_DESTINATION in the https://code.forgejo.org/forgejo/forgejo-curl/ repository.

Access to secrets

The workflow that contains the cascading-pr action needs access to the secrets of the repository and must run on.pull_request_target. For instance:

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - closed

Updating the workflow

When the cascading-pr workflow is added or updated in a repository, it must be done in a PR from a branch of the repository and not than from a forked repository. It runs on.pull_request_target and if run from a fork it will use the content of the default branch instead of the proposed change.