Skip to content

chore(ci): setup automated stainless builds #3557

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

chore(ci): setup automated stainless builds #3557

wants to merge 1 commit into from

Conversation

@dgellow
Copy link

@dgellow dgellow commented Sep 26, 2025
edited
Loading

What does this PR do?

This pull request adds a new workflow that does 2 things:

  1. generate SDK preview builds whenever the OpenAPI spec file is modified in a PR
  2. on PR merge, generate SDK builds that will be pushed to the different SDK repos (i.e start the release process)

Note

No repo secret STAINLESS_API_KEY is needed, the authentication is done automatically via GitHub OIDC.

Test Plan

I tested in my fork: stainless-api#3

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Meta Open Source bot. label Sep 26, 2025
slekkala1
slekkala1 reviewed Sep 29, 2025
View reviewed changes
@leseb
Copy link
Collaborator

leseb commented Oct 3, 2025

Just added the STAINLESS_API_KEY key to the repo :)

leseb
leseb requested changes Oct 3, 2025
View reviewed changes
Copy link
Collaborator

@leseb leseb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just realized that this can only work when NOT submitting a PR from fork given Github security model on passing secrets to workflow.

@dgellow I'm wondering how this is used elsewhere in practice and how other projects overcome that? Thanks!

@dgellow
Copy link
Author

dgellow commented Oct 23, 2025
edited
Loading

I'm moving this one back to draft until I have a great documented solution to share

@dgellow dgellow marked this pull request as draft October 23, 2025 13:15
@bbrowning
Copy link
Collaborator

Parts 1, 2, 3, and 4 of https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ are important reading if we need to find a way to pass a secret into something triggered on every pull request.

@dgellow
Copy link
Author

dgellow commented Oct 24, 2025
edited
Loading

Thanks @bbrowning. I actually already read those articles, unfortunately there are a few details that are making the mentioned solutions a no-go for this repo.
However I have a great solution that won't require any CI secret. I expect to have it ready later today and will move the PR out of draft asap :)

edit: well, not exactly today, my plane internet is spotty

@dgellow dgellow force-pushed the dgellow/add-stainless-workflows branch from 0dc7d00 to a0eb949 Compare October 25, 2025 03:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slekkala1 slekkala1 slekkala1 left review comments

@leseb leseb leseb requested changes

@ashwinb ashwinb Awaiting requested review from ashwinb ashwinb is a code owner

@yanxi0830 yanxi0830 Awaiting requested review from yanxi0830 yanxi0830 is a code owner

@hardikjshah hardikjshah Awaiting requested review from hardikjshah hardikjshah is a code owner

@raghotham raghotham Awaiting requested review from raghotham raghotham is a code owner

@ehhuang ehhuang Awaiting requested review from ehhuang ehhuang is a code owner

@terrytangyuan terrytangyuan Awaiting requested review from terrytangyuan terrytangyuan is a code owner

@bbrowning bbrowning Awaiting requested review from bbrowning bbrowning is a code owner

@reluctantfuturist reluctantfuturist Awaiting requested review from reluctantfuturist reluctantfuturist is a code owner

@mattf mattf Awaiting requested review from mattf mattf is a code owner

@franciscojavierarceo franciscojavierarceo Awaiting requested review from franciscojavierarceo franciscojavierarceo will be requested when the pull request is marked ready for review franciscojavierarceo is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Meta Open Source bot.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dgellow @leseb @bbrowning @slekkala1