buf-push-action's People

Contributors

amckinney, chrispine, cyinma, doriable, lucperkins, oliversun9, paul-sachs, rubensf, willabides

buf-push-action's Issues

GITHUB_TOKEN permissions used by this action

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: 'buf-push'
#No reference to GitHub token

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.
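A workflow that applies the finding in the issue above (added example, not part of the issue or of the project's documentation): because the KB entry reports no reference to the GitHub token in buf-push, the job grants only the scope that checkout needs. The workflow name, trigger, job name, the secret name `BUF_TOKEN` and the version tags of the other steps are assumptions.

```yaml
# Added example: least-privilege workflow around buf-push-action.
name: buf-push            # assumed workflow name
on:
  push:
    branches: [main]      # assumed trigger

# Deny every GITHUB_TOKEN scope by default; each job opts in to what it needs.
permissions: {}

jobs:
  push-module:            # assumed job name
    runs-on: ubuntu-latest
    permissions:
      contents: read      # required by actions/checkout only
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false
      - uses: bufbuild/buf-setup-action@v1
      - uses: bufbuild/buf-push-action@v1
        with:
          # BSR credential, separate from GITHUB_TOKEN; the secret name is assumed.
          buf_token: ${{ secrets.BUF_TOKEN }}
```

The v1.1.0 report further down this page shows a floating `v1` tag changing behaviour between runs; pinning each action to a full release tag or commit SHA keeps the reviewed version in use.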

Deprecation warning for "buf beta push"

Y'all are probably already aware of this:

Run bufbuild/[email protected]
Command "push" is deprecated, "buf beta push" has been moved to "buf push".
We recommend migrating, however this command continues to work.

It's not a big deal. Just thought I'd point it out. Happy to create a PR myself to change the command to buf push if it helps.

Configurable remote

We need to make the remote configurable so that users can choose to authenticate with a remote other than buf.build (here).

We could add a remote input to action.yml and use buf registry login <$remote> --username <$placeholder> --token-stdin command, so that we don't need to manually write the .netrc file, too. The username would be unused for this action since it's not actually required for BSR authentication (just the Go Module Proxy for now).

Alternatively (and preferably), we could refactor all of the actions that and simply provide the BUF_TOKEN environment variable to each buf command so that it remains agnostic to the remote (re: bufbuild/buf-setup-action#4 (comment)).

The buf_token input is already configured here, so we should be able to update this behavior and extend what remotes we support while maintaining compatibility. For reference, this solution applies to both buf-lint-action and buf-breaking-action, too.

Breaking change introduced in `v1.1.0`

Hi buf team, with last week's release of v1.1.0 I believe a breaking change was introduced that has made our CI stop pushing to BSR. In particular:

if [ "${GITHUB_REF_TYPE}" != "branch" ]; then
  echo "reference type is not branch, skipping" >&2
  exit 0
fi

This is skipping for us, since in our workflow we don't push on branch, but for particularly formatted tags on master 🤔

In the interim, I've reverted our GHA workflow to specifically use v1.0.1 instead of v1 but of course we'd love to keep up with the latest changes.

My questions are:

  • Was this an intended breaking change?
  • Can we get a fix or an option to bypass the check?

Thanks!

add --draft option

Allow users to use --draft option in the action as it is offered in the CLI:

buf push --draft $DRAFT_NAME

Inconsistencies with `buf_token`

This was reported in the Slack channel.

  1. The documentation claims the default value for buf_token is ${{github.token}}. This seems incorrect.
  2. It seems that there is some inconsistency between some of the GitHub Actions. buf-setup-action uses the name buf_api_token whereas this and some other actions use buf_token. We should probably unify these at some point?

Add new tag

Since the latest release was quite some time ago, and it lacks create_visibility for example, could you please tag a new version?
