-
Notifications
You must be signed in to change notification settings - Fork 9
FAQ
An FAQ to immortalize some of our technical knowledge.
The cache step could not find the hugo binary because the step that published the generated site deletes the hugo binary.
The publish step deletes the hugo binary because it needs to clear out the repo before adding the generated site on the public branch. This was missed because adding the rm -v hugo was added after the fact.
The hugo binary lives in cwd because the actions/cache@v2 step cannot reference paths outside of the cwd, as a security precaution (eg. it cannot reference ..); rather than having the hugo binary live somewhere else, it is supposed to be in the cwd when the actions/cache@v2 step cleans up and creates the cache for the next.
Why are we doing our own brittle caching of the hugo binary and publishing via a push to a public branch?
We're doing our own brittle caching of the hugo binary and our own publishing to the public branch because I thought it would be insecure to use 3rd party github actions that support old hugo versions and presumably handle caching, and I thought it would be insecure to use 3rd party github actions which support publishing to github pages.
- The entire workflow has push rights to our repository, including the
publicbranch (no principle of least privilege). - There's no official github auditing of 3rd party github actions, and it's a fairly immature opensource ecosystem so there's potentially less community vetting of the code (eg. there's was an issue recently where commands printed to standard out by a 3rd party action were interpreted by github actions and executed against the user account).
The site is generated by an old version of hugo which is compatible with the theme used by the site... we'd need a hugo binary, old or new, to generate the site the way we're currently doing (without using a 3rd party github action; justified a bit above)