Stroybook auto deployment on UI Pull requests

amirfefer · June 12, 2019, 8:18am

Hi all,

As you all know (hopefully ) we have a playground & documentation tool - our storybook
we observed that over time our storybook breaks over and over, therefore it would be great to have auto deployment on each UI pull request.

I’ve created a PR for this, and I took inspiration from patternfly-react
This PR works with commenting API via personal token, which IMHO works well - we can use our bot user or a other user for it (in order to overcome the rate limit issue).
The other option is to use github statuses API

Storybook meant to serve developers and designers, therefore I think a commenting mechanism would be better - it is more visible on a PR page, and basically it is a part of the review stage and not part of our CI.

any thoughts or alternative option ?

Marek_Hulan · June 12, 2019, 9:36am

Thanks for bringing this up. If we use commenting API, under what conditions the bot will add new comment? The status seems as a good fit from the first glance, is there some downside to this approach?

amirfefer · June 12, 2019, 10:28am

I was thinking that the bot user will add a comment only once - when the pr is published
but the surge deployment will continue on each push (the link still be the same - based on the pr number)

Marek_Hulan · June 12, 2019, 1:36pm

Thanks, I was happy to see moving the bot commenting on misaligned commit message to check API as it’s annoying to get 2 emails for just opening 1 PR, but I can live with this If that’s one extra email per PR, that’s fine by me. Is there a downside of the other option you mentioned - statuses API? The upside is, it would eliminate this email/notification right?

ohadlevy · June 12, 2019, 1:50pm

the bot will only comment on UI PR’s right? I think its fine to get it via a comment/email.

What else do you need to get going?

Walden · June 13, 2019, 2:58pm

Yeah, it only adds the comment if webpack/ or package.json was modified.

I think this will be a great addition for new features and components as well because it would give UX an easy way to test things out.

Marek_Hulan · June 14, 2019, 10:45am

As I said, I don’t mind 1 email that much, I’m just curious what’s the downside of using status API that was suggested in the first post as an alternative. If that’s way more work, that’s acceptable argument, I just didn’t get any answer so far. @amirfefer did you investigate this path?

ekohl · June 14, 2019, 11:37am

Currently this isn’t implemented in the PR. The current code comments on every push. This is why I suggested the status API.

ohadlevy · June 14, 2019, 6:00pm

I believe @amirfefer mentioned that it wont add a comment if its already there? so its still one commit per PR.

ekohl · June 14, 2019, 7:48pm

Travis runs on every push (and manual restarts). I don’t see any code in that PR which checks if there’s already a comment.

Another aspect that @TimoGoebel kindly pointed out is that on every PR it makes the credentials available. That means we can consider those credentials compromised by default. This doesn’t have to be a problem, but it does mean we can’t reuse any existing accounts that we care about.

TimoGoebel · June 16, 2019, 10:13am

The important thing to note is that there has been malicious code on e.g. npmjs.org that scans for environment variables with credentials and uploads these credentials to some dark parts of the internet. This is why I believe it’s important to separate the CI steps as much as possible (always using a clean environment, we actually do bad job on our jenkins instances there) and removing any credentials for ci steps that don’t need them.

branches:
  only:
    - master
env:
  global:
  - secure: 123
  - secure: 123

stages:
  - test
  - name: deploy
    if: branch = master && type = push
jobs:
  include:
    - stage: test
      env:
        - AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY=
      script:
        - npm run lint
        - npm test
        - npm run build
    - stage: deploy
      script:
        - npm run build
        - npm run upload

amirfefer · June 16, 2019, 4:47pm

The PR uses a surge token and a limited access token with only commenting, doesn’t seem as an extreme risk IMO

sharvit · June 17, 2019, 6:58am

And those tokens are manageable from Github UI so you can list them and remove some if needed.

Walden · June 19, 2019, 2:11pm

@Marek_Hulan @TimoGoebel @ekohl are there any other concerns here or can we move forward? To me the security issue is a non-issue considering anyone can comment on foreman PRs.

ohadlevy · June 19, 2019, 6:34pm

I would love seeing this go forward rather then get stuck mid air… can we reach a resolution?

TimoGoebel · June 21, 2019, 7:11am

@Walden: I’m good. If the token has limited permissions, I wouldn’t worry too much about this.

ekohl · June 21, 2019, 1:25pm

As long as we’re not reusing any accounts that we actually rely on, I’m fine with proceeding.

I left inline comments on the implementation details where https://github.com/theforeman/foreman/pull/6828/files#r293768313 is the one that deserves at least a response.

Marek_Hulan · June 24, 2019, 8:27am

I didn’t get answer to my question. But I won’t block anything. Next steps are addressing comments in the PR that have been raised 10 days ago.