This repository contains infrastructure for automatically building and testing OpenSlide.
autobuild
: automatic nightly build from Git main
buildbot
: fragments of obsolete Buildbot configuration
There are two shortcomings of using GITHUB_TOKEN in an Actions workflow to create issues or PRs, comment on issues, etc. One is that it requires giving too many privileges to the workflow, e.g. if a workflow needs to create a new issue, it must be given write access to all issues in the repo. The other is that events caused by GITHUB_TOKEN do not initiate workflows, so a PR created with the token won't automatically run CI.
To address both problems, all OpenSlide repos have access to a GitHub Actions secret with a Personal Access Token for the @openslide-bot account. The bot account is a member of the OpenSlide organization, solely so its profile page shows the affiliation, but doesn't have any special permissions to OpenSlide repos. Workflows can thus opt to interact with OpenSlide repos as a normal user.
Since @openslide-bot doesn't have permission to push branches directly to OpenSlide repos, it has its own forks for storing PR branches. Those forks typically have a stale main branch, so PR branches will often incidentally include workflow files newer than the ones in main. As a result, the bot's PAT needs workflow scope so the PR branches won't be rejected on push.
To avoid thus allowing arbitrary code execution as the bot user, the bot's forks must all have GitHub Actions disabled.
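
One way to audit that last requirement, as an added example that is not part of this repository: list an account's forks and flag any where GitHub Actions is still enabled, using the REST endpoints `GET /users/{owner}/repos` and `GET /repos/{owner}/{repo}/actions/permissions`. It assumes a token with admin access to the forks; the `AUDIT_TOKEN` and `AUDIT_OWNER` variable names, the `example-bot` account and the sample responses are constructed for illustration.

```python
import json
import os
import urllib.request

API = "https://api.github.com"

def github_get(path, token):
    """GET a GitHub REST API path and return the decoded JSON body."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def forks_with_actions_enabled(owner, get):
    """Return the sorted names of owner's forks where Actions can still run."""
    offenders, page = [], 1
    while True:
        repos = get(f"/users/{owner}/repos?per_page=100&page={page}")
        if not repos:
            break
        for repo in repos:
            if not repo.get("fork"):
                continue  # only forks receive PR branches
            perms = get(f"/repos/{owner}/{repo['name']}/actions/permissions")
            # Fail closed: treat a missing "enabled" field as enabled.
            if perms.get("enabled", True):
                offenders.append(repo["name"])
        page += 1
    return sorted(offenders)

# Constructed sample responses for a hypothetical account "example-bot".
SAMPLE = {
    "/users/example-bot/repos?per_page=100&page=1": [
        {"name": "fork-a", "fork": True},
        {"name": "fork-b", "fork": True},
        {"name": "fork-c", "fork": True},
        {"name": "notes", "fork": False},
    ],
    "/users/example-bot/repos?per_page=100&page=2": [],
    "/repos/example-bot/fork-a/actions/permissions": {"enabled": False},
    "/repos/example-bot/fork-b/actions/permissions": {"enabled": True, "allowed_actions": "all"},
    "/repos/example-bot/fork-c/actions/permissions": {},
}

if __name__ == "__main__":
    token = os.environ.get("AUDIT_TOKEN")  # hypothetical variable name
    if token:  # live audit of the account named in AUDIT_OWNER
        print(forks_with_actions_enabled(os.environ["AUDIT_OWNER"], lambda p: github_get(p, token)))
    else:      # offline run against the constructed sample
        print(forks_with_actions_enabled("example-bot", SAMPLE.__getitem__))
```

Run on a schedule, a non-empty result means a fork could execute pushed workflow files as the bot user and should have Actions disabled.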