From 1c4802ae43dae6700a0fb3ad3b384a3714847df5 Mon Sep 17 00:00:00 2001
From: Noam Ross
Date: Tue, 28 Nov 2023 06:58:44 -0500
Subject: [PATCH 1/6] Add 1 git-crypt collaborator
New collaborators:
3B19DAA4 Noam Ross
---
.git-crypt/.gitattributes | 4 ++++
.../4A1653E6FDB48C85EC4702B9E7B170AD3B19DAA4.gpg | Bin 0 -> 727 bytes
2 files changed, 4 insertions(+)
create mode 100644 .git-crypt/.gitattributes
create mode 100644 .git-crypt/keys/default/0/4A1653E6FDB48C85EC4702B9E7B170AD3B19DAA4.gpg
diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/4A1653E6FDB48C85EC4702B9E7B170AD3B19DAA4.gpg b/.git-crypt/keys/default/0/4A1653E6FDB48C85EC4702B9E7B170AD3B19DAA4.gpg new file mode 100644 index 0000000000000000000000000000000000000000..ad8196303a18b92b21d8d0d9de33e53fdde03457 GIT binary patch literal 727 zcmV;|0x1230t^Fo>BH=3K=};;5CDf2JZ0OJO7YpX+BG9LOI@RXgxH5B7r1MZsw-}0 zMrAJ-2&xaOmN|(N(n-h?T#h*z$Br7XH{o=$eM5bUWaH>jZmC1>-)uqMBp#yA^WZlH zxWncM#joM-E$P0Jwu`uD36RR84)H77JAd4GlLP$l|K=LB(W-<4k^M$YLHxm)a~rkd z^A1QSv`$K~itY~23i7SA7Y*gA-1n-!#a=bW;A*4iY->p$4953W5T4OEMd%56MPg?v z!#xYHJ8wq?7L}0Osb^tmJYghvKXqCzrQJPuc;O$KlXNG35Oe&;^wp9XAu%Tk5l-WC z1Q-**Cnd?Zqar|tG`anurFs-{3X&XAdA8|FH&r}q)LSiPayCR}^5K-Ae>^?GS5E)V zpKlZU8^y>mm?Pkeh#6#(pP!v+*eoV< zu>G|_WZF{h_w;<5gjJ`FU}I~cB$)FJfkHllg(lCml@wM(lSZ`Hv1Yir4-RM1T|;d> zn2}Sw#p%}no$Xp%f=vn*89T{ch!OL@n^QvjRbZ7E5ehZ%cDGz2k#Pn`obnyEh~Eu? zsac{^m@Uur5TqE2OVbPZk)u(u)hO2lBNcK9qOs2j##-}JrM&MG0l?OyZ5fCLpY!!b zmY#0QHGB#yb5AK^y!_I@1p(>H^ZHkizn3)9736j1>Ew%wp6L{5(Qz$wQ`fOF)+~p^ z9QkmJcwK;jdhzwOrag;iRPpaRyLn8dZ=O&vfRi|V9?lnQ7j~Fo>ic=$t)6!-$~9wT zKvoD10F*kLTtb5J^4^zbO0g5BoCxYZN8L>1JFC7V2NYB;iRTJ!Q1i^^X z-f_+=CDs)YDmcMayaPhMJH3K^VFZ-&J1o27e;U-rgf2d4OG1yS|5@scWSRO4S)xXI J2m!ZicCN23V5k59 literal 0 HcmV?d00001 From d6c93105c295fca3e4d2b871b8632a3febc347bf Mon Sep 17 00:00:00 2001 From: Noam Ross Date: Tue, 28 Nov 2023 08:04:38 -0500 Subject: [PATCH 2/6] Set up GitHub testing infrastructure --- .env | Bin 0 -> 288 bytes .gitattributes | 2 ++ .github/CONTRIBUTING.md | 7 +++++++ tests/testthat/helper-github.R | 8 ++++++++ tests/testthat/setup.R | 16 ++++++++++++++-- tests/testthat/test-github.R | 10 ++++++++++ 6 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 .env create mode 100644 .gitattributes create mode 100644 tests/testthat/helper-github.R create mode 100644 tests/testthat/test-github.R 
diff --git a/.env b/.env new file mode 100644 index 0000000000000000000000000000000000000000..1915a5b0b5ecd241c56ecdf1888658862e0fc36b GIT binary patch literal 288 zcmV+*0pI=rM@dveQdv+`00bt9J~0l7gE58mYf9OKYcwjXKQ5Xv_>Eae};2DXfGov(3#f z&xr*6?FhDK0KVcO@(wq8?9|Eh#F$Tt@b>kqW+R@WZM$_k^piM=hs&d6F^GOhkExZj zOuxBWUy_UbW;#Yo)-@03>GbwLKY8tjV<~FK^mw3b7oy(i4;X2KIwK5aDp+C=#G+bS zDc{&tbMai+;1xv6*w?! literal 0 HcmV?d00001 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..a55d3b2 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +## Encrypted Files +.env filter=git-crypt diff=git-crypt diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index b455e94..8652933 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -32,6 +32,13 @@ with S3 cloud storage, a MinIO server is run in the background to serve as an S3 API endpoint. You will need the `minio` command line tool installed as well as the `mc` MinIO client. +For testing against the GitHub API, repositories are generated and deleted. This +requires a fine-grained GitHub personal access token with `administration`, `contents`, and `commit statuses` scopes. +This is set as the environment variable `RELIC_TESTING_GITHUB_PAT`, and the organization +under which to create repositories is set as `RELIC_TESTING_GITHUB_ORG`. In the +absence of these, GitHub API tests will be skipped. These are available in the +encrypted `.env` file, which is secured by [`git-crypt`](https://www.agwa.name/projects/git-crypt/) + ## Lifecycle Statement `relic` is a new package and its API is still under development. diff --git a/tests/testthat/helper-github.R b/tests/testthat/helper-github.R new file mode 100644 index 0000000..6e12dcd --- /dev/null +++ b/tests/testthat/helper-github.R 
@@ -0,0 +1,8 @@ +skip_if_no_github <- function() { + skip_if_offline("github.com") + skip_on_cran() + + skip_if(!nzchar(Sys.getenv("RELIC_TESTING_GITHUB_PAT")), "No RELIC_TESTING_GITHUB_PAT env var") + skip_if(!nzchar(Sys.getenv("RELIC_TESTING_GITHUB_ORG")), "No RELIC_TESTING_GITHUB_ORG env var") + +} diff --git a/tests/testthat/setup.R b/tests/testthat/setup.R index 0e2fe28..98bbf1e 100644 --- a/tests/testthat/setup.R +++ b/tests/testthat/setup.R @@ -1,5 +1,17 @@ -withr::local_envvar( - "R_USER_CACHE_DIR" = tempdir() +# Read in credentials if the file is unencrypted +env_file <- fs::path(rprojroot::find_root(rprojroot::is_r_package), ".env") +if (file.exists(env_file)) { + x <- try(readRenviron(env_file), silent = TRUE) + if (!inherits(x, "try-error")) { + Sys.setenv("GITHUB_PAT" = Sys.getenv("RELIC_TESTING_GITHUB_PAT")) + } +} + +# Set a temporary location for the cache +withr::local_envvar(list( + "R_USER_CACHE_DIR" = tempdir(), + "RELIC_TESTING_GITHUB_PAT" = Sys.getenv("RELIC_TESTING_GITHUB_PAT"), + "GITHUB_PAT" = Sys.getenv("RELIC_TESTING_GITHUB_PAT")) ) ## Run a MinIO server in the background to test S3 object storage with `targets` diff --git a/tests/testthat/test-github.R b/tests/testthat/test-github.R new file mode 100644 index 0000000..51f8b51 --- /dev/null +++ b/tests/testthat/test-github.R @@ -0,0 +1,10 @@ +test_that("GitHub testing access works", { + skip_if_no_github() + + #Look up the GitHub organization + expect_no_error(gh_response <- gh::gh("/orgs/{org}", org = Sys.getenv("RELIC_TESTING_GITHUB_ORG"))) + token_expiry <- attr(gh_response, "response")$`github-authentication-token-expiration` + if (as.numeric(as.POSIXct(token_expiry) - Sys.time(), "days") < 7) { + warning("GitHub token expires in less than a week. Please update the token.") + } +}) From 23dce8c262dc47063897c02ab58bdba74e28d1bd Mon Sep 17 00:00:00 2001 
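Review bot: In tests/testthat/setup.R, `GITHUB_PAT` is overwritten unconditionally, once by `Sys.setenv()` and again in the `withr::local_envvar()` list, so whenever `RELIC_TESTING_GITHUB_PAT` is empty the session's existing `GITHUB_PAT` is replaced with an empty string. That happens when there is no `.env`, and probably also when `.env` is still git-crypt-encrypted, since the hunk does not show that `readRenviron()` raises on such a file. When the token is present, the test token that CONTRIBUTING.md describes as having `administration` scope becomes the default credential for every test and for any dependency that reads `GITHUB_PAT`, and the `Sys.setenv()` value is never restored. I would drop the bare `Sys.setenv()` and only override when a value was loaded, e.g. `pat <- Sys.getenv("RELIC_TESTING_GITHUB_PAT")` followed by `if (nzchar(pat)) withr::local_envvar(list("GITHUB_PAT" = pat))`. A short comment should also say that the broader token is deliberately swapped in for the GitHub tests.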
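Review bot: In tests/testthat/test-github.R, `token_expiry` is used without checking that the `github-authentication-token-expiration` header was returned. If the header is absent (for example a token without an expiry date), the expiry check stops with an error on the missing value instead of emitting the intended warning. A guard such as `if (!is.null(token_expiry) && as.numeric(as.POSIXct(token_expiry) - Sys.time(), "days") < 7) {` keeps the check to the case it was written for. Assigning `gh_response` inside `expect_no_error()` also means a failed request leaves it undefined, so the next line fails a second time; assigning first and asserting on the result would give one clear failure.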
From: Noam Ross Date: Tue, 28 Nov 2023 08:17:00 -0500 Subject: [PATCH 3/6] Add decryption to GH action --- .github/workflows/R-CMD-check.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml index 9d150cc..b431b1f 100644 --- a/.github/workflows/R-CMD-check.yaml +++ b/.github/workflows/R-CMD-check.yaml @@ -24,11 +24,18 @@ jobs: env: GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }} R_KEEP_PKG_SOURCE: yes + GIT_CRYPT_KEY64: ${{ secrets.GIT_CRYPT_KEY64 }} steps: - uses: actions/checkout@v3 - name: Do a pre-emptive apt-update run: sudo apt-get update -qq if: ${{ !env.ACT }} + - name: Decrypt repository using symmetric key + if: ${{ env.GIT_CRYPT_KEY64 }} + run: | + apt-get install -y --no-install-recommends git-crypt + echo $GIT_CRYPT_KEY64 > git_crypt_key.key64 && base64 -di git_crypt_key.key64 > git_crypt_key.key && git-crypt unlock git_crypt_key.key + rm git_crypt_key.key git_crypt_key.key64 - uses: r-lib/actions/setup-pandoc@v2 - uses: r-lib/actions/setup-r@v2 with: From bcd38fe7186ad7508485ca459e5625b42ee0068d Mon Sep 17 00:00:00 2001 From: Noam Ross Date: Tue, 28 Nov 2023 08:22:42 -0500 Subject: [PATCH 4/6] Install package on GH actions with sudo --- .github/workflows/R-CMD-check.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml index b431b1f..39ee0d1 100644 --- a/.github/workflows/R-CMD-check.yaml +++ b/.github/workflows/R-CMD-check.yaml @@ -33,7 +33,7 @@ jobs: - name: Decrypt repository using symmetric key if: ${{ env.GIT_CRYPT_KEY64 }} run: | - apt-get install -y --no-install-recommends git-crypt + sudo apt-get install -y --no-install-recommends git-crypt echo $GIT_CRYPT_KEY64 > git_crypt_key.key64 && base64 -di git_crypt_key.key64 > git_crypt_key.key && git-crypt unlock git_crypt_key.key rm git_crypt_key.key git_crypt_key.key64 - uses: r-lib/actions/setup-pandoc@v2 
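Review bot: In the "Decrypt repository using symmetric key" step added to .github/workflows/R-CMD-check.yaml, the decoded git-crypt key is written to `git_crypt_key.key64` and `git_crypt_key.key` inside the checkout, with the `rm` on a separate line. If `base64` or `git-crypt unlock` fails and the runner's shell stops on the first error, the key files stay in the workspace, which matters on self-hosted or local `act` runs. `$GIT_CRYPT_KEY64` is also expanded unquoted. Streaming the key avoids the files altogether: `printf '%s' "$GIT_CRYPT_KEY64" | base64 -d | git-crypt unlock -`. Separately, `GIT_CRYPT_KEY64` sits in the job-level `env`, so every later step, including the package check that runs project and dependency code, receives the repository key; consider moving it to this step's own `env`. The same `run` line is carried unchanged through the later hunks of this file in PATCH 4/6 and PATCH 5/6.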
From e92c3318cd4507028967d67aab032dbb2763625a Mon Sep 17 00:00:00 2001 From: Noam Ross Date: Tue, 28 Nov 2023 09:15:09 -0500 Subject: [PATCH 5/6] Add masking to encrypted environment variables in CI --- .github/workflows/R-CMD-check.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml index 39ee0d1..da8c5a9 100644 --- a/.github/workflows/R-CMD-check.yaml +++ b/.github/workflows/R-CMD-check.yaml @@ -36,6 +36,8 @@ jobs: sudo apt-get install -y --no-install-recommends git-crypt echo $GIT_CRYPT_KEY64 > git_crypt_key.key64 && base64 -di git_crypt_key.key64 > git_crypt_key.key && git-crypt unlock git_crypt_key.key rm git_crypt_key.key git_crypt_key.key64 + # Select all values in .env and print with "::add-mask::" to obfuscate + grep -v '^#' .env | sed -E 's/(.*)=(.*)/\2/' | xargs -I '{}' echo "::add-mask::{}" - uses: r-lib/actions/setup-pandoc@v2 - uses: r-lib/actions/setup-r@v2 with: From d1278015b14597d0154bf882a31b7e562d3632b5 Mon Sep 17 00:00:00 2001 From: Noam Ross Date: Tue, 28 Nov 2023 09:18:15 -0500 Subject: [PATCH 6/6] Ignore some config files in .Rbuildignore --- .Rbuildignore | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.Rbuildignore b/.Rbuildignore index 2802e30..8c883d6 100644 --- a/.Rbuildignore +++ b/.Rbuildignore @@ -6,7 +6,7 @@ ^LICENSE\.md$ ^CITATION\.cff$ ^codemeta.json$ -^.lintr$ +^\.lintr$ ^_pkgdown\.yml$ ^docs$ ^pkgdown$ @@ -16,3 +16,5 @@ ^check$ ^artifacts$ ^logo.png$ +^\.env$ +^\.git-crypt$
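Review bot: The masking line added to the decrypt step in .github/workflows/R-CMD-check.yaml extracts values with `sed -E 's/(.*)=(.*)/\2/'`, whose first group is greedy. For a value that itself contains `=`, only the text after the last `=` is registered with `::add-mask::`, and the rest of the secret can still appear in logs. Splitting on the first `=` and skipping blank lines fixes that: `grep -Ev '^\s*(#|$)' .env | sed -E 's/^[^=]*=//'`. If a value in `.env` is quoted, the mask would be registered with its quotes (and `xargs` applies its own quote handling), so it may not match the string R sees after `readRenviron()`. A `while IFS= read -r line` loop that strips surrounding quotes before echoing the mask would be more predictable.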