Simplify security handling (#434)

Author: blink1073

.github/actions/finalize-release/action.yml

@@ -40,6 +40,7 @@ runs:
         then
             pip install -q git+https://github.com/jupyter-server/jupyter_releaser.git@v1
         fi
+
     - id: finalize-release
       shell: bash -eux {0}
       run: |
@@ -51,3 +52,23 @@ runs:
         export RH_STEPS_TO_SKIP=${{ inputs.steps_to_skip }}
         export RH_BRANCH=${{ inputs.branch }}
         python -m jupyter_releaser.actions.finalize_release
+
+    - if: ${{ success() }}
+      shell: bash -eux {0}
+      run: |
+        echo "## Next Step" >> $GITHUB_STEP_SUMMARY
+        echo "Verify the final release" >> $GITHUB_STEP_SUMMARY
+        echo ${{ steps.finalize-release.outputs.release_url }} >> $GITHUB_STEP_SUMMARY
+        if [ ! -z "${{ steps.finalize-release.outputs.pr_url }}" ]; then
+           echo "Merge the forwardport PR"
+           echo ${{ steps.finalize-release.outputs.pr_url }}
+           echo "Merge the forwardport PR" >> $GITHUB_STEP_SUMMARY
+           echo ${{ steps.finalize-release.outputs.pr_url }} >> $GITHUB_STEP_SUMMARY
+        fi
+
+    - if: ${{ failure() }}
+      shell: bash -eux {0}
+      run: |
+        echo "## Failure Message" >> $GITHUB_STEP_SUMMARY
+        echo ":x: Failed to Publish the Draft Release Url:" >> $GITHUB_STEP_SUMMARY
+        echo ${{ inputs.release_url }} >> $GITHUB_STEP_SUMMARY

.github/actions/populate-release/action.yml

@@ -49,3 +49,10 @@ runs:
         export RH_RELEASE_URL=${{ inputs.release_url }}
         export RH_BRANCH=${{ inputs.branch }}
         python -m jupyter_releaser.actions.populate_release
+
+    - if: ${{ failure() }}
+      shell: bash -eux {0}
+      run: |
+        echo "## Failure Message" >> $GITHUB_STEP_SUMMARY
+        echo ":x: Failed to Publish the Draft Release Url:" >> $GITHUB_STEP_SUMMARY
+        echo ${{ steps.populate-release.outputs.release_url }} >> $GITHUB_STEP_SUMMARY

.github/actions/prep-release/action.yml

@@ -59,3 +59,9 @@ runs:
         export RH_SINCE_LAST_STABLE=${{ inputs.since_last_stable }}
 
         python -m jupyter_releaser.actions.prep_release
+
+    - shell: bash -eux {0}
+      run: |
+        echo "## Next Step" >> $GITHUB_STEP_SUMMARY
+        echo "(Optional): Review Draft Release: ${{ steps.prep-release.outputs.release_url }}" >> $GITHUB_STEP_SUMMARY
+        echo "Run Step 2: Publish Release workflow"

.github/workflows/prep-release.yml

@@ -25,17 +25,8 @@ on:
 jobs:
   prep_release:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        python-version: ["3.10"]
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Setup
-        uses: jupyter-server/jupyter_releaser/.github/actions/common@v2
-
+      - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
       - name: Prep Release
         id: prep-release
         uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2
@@ -51,6 +42,3 @@ jobs:
       - name: "** Next Step **"
         run: |
           echo "Optional): Review Draft Release: ${{ steps.prep-release.outputs.release_url }}"
-          echo "## Next Step" >> $GITHUB_STEP_SUMMARY
-          echo "(Optional): Review Draft Release: ${{ steps.prep-release.outputs.release_url }}" >> $GITHUB_STEP_SUMMARY
-          echo "Run Step 2: Publish Release workflow"

.github/workflows/publish-release.yml

@@ -18,17 +18,8 @@ on:
 jobs:
   publish_release:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        python-version: ["3.10"]
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Setup
-        uses: jupyter-server/jupyter_releaser/.github/actions/common@v2
-
+      - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
       - name: Populate Release
         id: populate-release
         uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2
@@ -57,21 +48,9 @@ jobs:
         run: |
           echo "Verify the final release"
           echo ${{ steps.finalize-release.outputs.release_url }}
-          echo "## Next Step" >> $GITHUB_STEP_SUMMARY
-          echo "Verify the final release" >> $GITHUB_STEP_SUMMARY
-          echo ${{ steps.finalize-release.outputs.release_url }} >> $GITHUB_STEP_SUMMARY
-          if [ ! -z "${{ steps.finalize-release.outputs.pr_url }}" ]; then
-             echo "Merge the forwardport PR"
-             echo ${{ steps.finalize-release.outputs.pr_url }}
-             echo "Merge the forwardport PR" >> $GITHUB_STEP_SUMMARY
-             echo ${{ steps.finalize-release.outputs.pr_url }} >> $GITHUB_STEP_SUMMARY
-          fi
 
       - name: "** Failure Message **"
         if: ${{ failure() }}
         run: |
           echo "Failed to Publish the Draft Release Url:"
           echo ${{ steps.populate-release.outputs.release_url }}
-          echo "## Failure Message" >> $GITHUB_STEP_SUMMARY
-          echo ":x: Failed to Publish the Draft Release Url:" >> $GITHUB_STEP_SUMMARY
-          echo ${{ steps.populate-release.outputs.release_url }} >> $GITHUB_STEP_SUMMARY

.pre-commit-config.yaml

@@ -72,3 +72,13 @@ repos:
         types: [yaml]
         args: ["--schemafile", "https://json.schemastore.org/github-workflow"]
         stages: [manual]
+
+  - repo: https://github.com/sirosen/check-jsonschema
+    rev: 0.18.3
+    hooks:
+      - id: check-jsonschema
+        name: "Check Example Workflows"
+        files: ^example-workflows/
+        types: [yaml]
+        args: ["--schemafile", "https://json.schemastore.org/github-workflow"]
+        stages: [manual]

docs/source/get_started/making_release_from_repo.md

@@ -6,7 +6,7 @@ already uses Jupyter Releaser using workflows on its own repository.
 ## Prerequisites
 
 - Admin write access to the target repository
-- Previously set up GitHub Actions secrets and tag protection.
+- Previously set up GitHub Actions secrets for PyPI and/or NPM
 
 ## Prep Release
 

docs/source/how_to_guides/convert_repo_from_repo.md

@@ -14,12 +14,10 @@ See [checklist](#Checklist-for-Adoption) below for details:
 
 ## Checklist for Adoption
 
-- [ ] Add a [GitHub Access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with access to target GitHub repo to run GitHub Actions, saved as
-      `ADMIN_GITHUB_TOKEN` in the [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository).
-      The token needs to have `public_repo` and `repo:status` permissions.
 - [ ] Add access token for the [PyPI registry](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github) stored as `PYPI_TOKEN`.
       _Note_ For security reasons, it is recommended that you scope the access
-      to a single repository.
+      to a single repository. Additionally, this token should belong to a
+      bot account and not a single user.
 - [ ] If needed, add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`.
 - [ ] Ensure that only trusted users with 2FA have admin access to the
       repository, since they will be able to trigger releases.
@@ -76,8 +74,7 @@ _Note_ The check release action needs `contents: write` [permission](https://doc
 
 - [ ] Update or add `RELEASE.md` that describes the onboarding and release process, e.g.
 
-- [ ] Copy `prep-release.yml` and `publish-release.yml` from this repository
-      and remove the "target" input, since the target will be your own repo.
+- [ ] Copy `prep-release.yml` and `publish-release.yml` from the `example-workflows` folder in this repository.
 
 - [ ] Optionally add [configuration](#Configuration) to the repository if non-standard options or hooks are needed.
 

example-workflows/prep-release.yml

@@ -0,0 +1,44 @@
+name: "Step 1: Prep Release"
+on:
+  workflow_dispatch:
+    inputs:
+      version_spec:
+        description: "New Version Specifier"
+        default: "next"
+        required: false
+      branch:
+        description: "The branch to target"
+        required: false
+      post_version_spec:
+        description: "Post Version Specifier"
+        required: false
+      since:
+        description: "Use PRs with activity since this date or git reference"
+        required: false
+      since_last_stable:
+        description: "Use PRs with activity since the last stable git tag"
+        required: false
+        type: boolean
+jobs:
+  prep_release:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+
+      - name: Prep Release
+        id: prep-release
+        uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          version_spec: ${{ github.event.inputs.version_spec }}
+          post_version_spec: ${{ github.event.inputs.post_version_spec }}
+          target: ${{ github.event.inputs.target }}
+          branch: ${{ github.event.inputs.branch }}
+          since: ${{ github.event.inputs.since }}
+          since_last_stable: ${{ github.event.inputs.since_last_stable }}
+
+      - name: "** Next Step **"
+        run: |
+          echo "Optional): Review Draft Release: ${{ steps.prep-release.outputs.release_url }}"

example-workflows/publish-release.yml

@@ -0,0 +1,56 @@
+name: "Step 2: Publish Release"
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "The target branch"
+        required: false
+      release_url:
+        description: "The URL of the draft GitHub release"
+        required: false
+      steps_to_skip:
+        description: "Comma separated list of steps to skip"
+        required: false
+
+jobs:
+  publish_release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+
+      - name: Populate Release
+        id: populate-release
+        uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          target: ${{ github.event.inputs.target }}
+          branch: ${{ github.event.inputs.branch }}
+          release_url: ${{ github.event.inputs.release_url }}
+          steps_to_skip: ${{ github.event.inputs.steps_to_skip }}
+
+      - name: Finalize Release
+        id: finalize-release
+        env:
+          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
+          PYPI_TOKEN_MAP: ${{ secrets.PYPI_TOKEN_MAP }}
+          TWINE_USERNAME: __token__
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        uses: jupyter-server/jupyter-releaser/.github/actions/finalize-release@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          target: ${{ github.event.inputs.target }}
+          release_url: ${{ steps.populate-release.outputs.release_url }}
+
+      - name: "** Next Step **"
+        if: ${{ success() }}
+        run: |
+          echo "Verify the final release"
+          echo ${{ steps.finalize-release.outputs.release_url }}
+
+      - name: "** Failure Message **"
+        if: ${{ failure() }}
+        run: |
+          echo "Failed to Publish the Draft Release Url:"
+          echo ${{ steps.populate-release.outputs.release_url }}