New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problems in CI when uploading data to coveralls #449
Comments
We can see that a new version of the Python package for coveralls was published a few days ago: Things that might helpCoveralls mention a list of extra env variables that we can try to set in the cirrus-ci:
Coveralls Python CLI mentions:
|
Thanks @FlorianWilhelm for pointing out what seems to be the problem in #448. Regular contributors cannot access Cirrus CI secrets. This behaviour seems to make sense, since PRs could expose secrets, but it is not very handy is it? :P I suppose the alternative would be exposing a plain text, but coveralls docs seem to recommend keeping the token secret:
Not very sure if we should just ignore these errors when they happen. But it would be nice to know how much a PR changes in terms of coverage. The text implies the token is only needed for private repos, however, if I remember it correctly, we need it to make Cirrus CI work. |
This is an attempt to fix #449 According to https://docs.coveralls.io/supported-ci-services There is a list of env variables that, when set, are supposed to add support to any arbitrary CI.
I opened issues in coveralls-python and in the support repository of coveralls itself + a discussion in cirrus-ci docs asking for some guidance about this problem. |
According to the discussion with the Cirrus-CI maintainer, using shared secrets in PRs is a bit tricky. Currently, we use the We could in addition to that change the config resolution strategy to For the time being I am still waiting for the feedback from the coveralls/coveralls-python team. |
I am also investigating some alternatives to https://community.codecov.io/t/add-support-of-uploading-from-cirrus-ci-without-token/1028/32 |
This is an attempt to fix #449 According to https://docs.coveralls.io/supported-ci-services There is a list of env variables that, when set, are supposed to add support to any arbitrary CI.
This is an attempt to fix #449 According to https://docs.coveralls.io/supported-ci-services There is a list of env variables that, when set, are supposed to add support to any arbitrary CI.
So: There are 2 discussions (a bit huge) that I had with coveralls/cirrus maintainers to try to understand what are the best approaches:
I think the easiest way forward would be allowing encrypted vars to be decoded by everyone in the Cirrus interface, or create a plain env var in the Cirrus UI (as per the second link). We still would not have the token in the clear, but a person submitting a PR to PyScaffold would be able to retrieve/print it. If we want to make things a bit more secure we could also program Cirrus to always use the @FlorianWilhelm, what are your thoughts about the matter? |
Update: I double checked my understanding with the Cirrus maintainers. We can simply have a "environment variable overwritten" from the GUI (without using encryption or having to allow encrypted variables from being decoded by everyone). The security concerns are basically the same |
So the worst case would be that someone gets our coverall credentials? In this case, I would rather go for a simple solution and do as you have suggested accepting the risk of a PR maintainer stealing the coveralls credentials. |
Thank you very much @FlorianWilhelm . Let's try it out, according to the coveralls maintainer the attach surface should be small enough, the worst can happen is someone submitting wrong coverage stats for PyScaffold. |
The last commits should have solved this problem... But we are only going to know once we have a new contribution... |
Recently we started noticing errors in the CI tasks during the upload to coveralls.
This can be seen in #448 and pyscaffold/configupdater#24.
The weird part is that both repositories have
COVERALLS_REPO_TOKEN
configured in.cirrus.yml
.The text was updated successfully, but these errors were encountered: