Add ability to send metadata from issues

[nvdaes]

The current planned procedure, consisting in sending json files via pull requests, has security issues as shown in PR #35
This adds an issue template and GitHub workflows to create pull requests and enable automerge from issues, checking that publisher is not modified and it's created based on the GitHub account of the issue creator. This publisher can edit metadata send by the corresponding person, for example to change the add-on channel from beta to stable once the add-on has been tested.

[nvdaes]

I've added the extra check mentioned by @feerrenrut in nvaccess/addon-datastore-validation#8
Note that, for any reason, issues aren't closed even when the body of the created pull request contains PR number preceded by # symbol

[nvdaes]

I'm not sure if dropdowns in form issues are very accessible. Not the last time I tested. I point out this in case more than stable and beta channels are accepted.

[feerrenrut]

I tested these with NVDA, they seemed to work ok for me. They are announced as a clickable menu. The respond to alt+down arrow and down arrow. Though I did notice that the placeholder value "selection:" seems to get the next header appended for some reason, so NVDA reports "selection: License Name".
You can test further here: https://github.com/nvaccess/test-addon-datastore/issues/new?assignees=nvaccess&labels=enhancement&template=registerAddon.yml&title=%5BSubmit+add-on%5D%3A+

[feerrenrut]

There are several blockers with this:

1. This approach will not allow further workflows to run on the PR (when using the GITHUB_TOKEN), and the workarounds do not seem appropriate for us. We could look at running all the steps in the issue action, we'd need to look at this more carefully to consider the implications. Additionally, any logic in the other workflow yaml files would have to be either copied, or moved into the python scripts (I.E. checking which files changed).
   • create the json
   • validate the json
   • commit to master
     • Security concerns need consideration
     • Additionally, these commits won't trigger actions
   • run the views transformation action (committing to the views branch)
     • Required because the bot commits don't trigger actions.
2. An error is occurring during the create-pull-request action. This is a git error about a non-interactive shell. Git is probably trying to ask some question like "committer name?", "committer email?". This information can be provided. I haven't tested this due to the other issues.

For now, I'll continue to recommend that submitters create the JSON file locally, push to their fork, then open a PR against the addon-datastore repository. Using runcreatejson.bat script in the nvaccess/addon-datastore-validation repository to create the file, and the GitHub Command Line interface tool to create the PR, can help to speed this up.

[nvdaes]

It works here too with NVDA. It's similar to the Reviewers menu to request a review for a pull request and chosing one of the available reviewers.
For me the template used for testing is comfortable.

[nvdaes]

Anyway, when I request a review, NVDA doesn't reports the word selection and I think it's better. Maybe better to remove the placeholder.

[nvdaes]

OK.

[feerrenrut]

Anyway, when I request a review, NVDA doesn't reports the word selection and I think it's better. Maybe better to remove the placeholder.

I don't think we have any control over this, I think this is built-in (by GitHub) behavior.

[nvdaes]

I understand.

[nvdaes]

Hi @seanbudd I investigated this again trying to make easy for people to send add-ons. After some modifications in my fork of this repo, results are the following:

• @ruifontes kindly tested a prototype and, without been invited as a collaborator to my fork, created an issue to send an add-on, and a pull request with JSON metadata was successfully created.
• After some refinements and enabling automerging when the checkMetadata workflow pass, I've sent an add-on completing an issue form, specifying the download URL, source URL, channel, license etc., and the pull request with metadata json file has been created, and after the checkMetadata GitHub workflow has pass, the pull request has been automatically merged into master.
• After this automatic merge, the transform to views check has been performed, and it is failing since it is not modified, uses nvaccess/datastore repo and permission has been denied. But checks are been performed and automerge has worked after some minutes when I have created a new issue.

Notes:

• I've created a classic access token in my account with access to repos. This is one of the methods recommended in peterevans pull request action. I've used this for the createPullRequest and for the enableAutomerge actions.
  Other methos maybe more suitable according to Peter Evans Pull request documentation. Grain access token, a beta feature on GitHub, is not mentioned in the documentation of that GitHub Actions and, when I tested it time ago to create pull request, it didn't work.
  But the documentation recommends other methods like creating a small application that can be installed per repo, using an action to create access tokens with appropriate permissions to create pull requests. A personal access token or an application is needed so that after creating a pull request automatic checks and automerge can be enabled.

Thanks @CyrilleB79 . You can create an issue at nvdaes store repo if you have some add-ons for further confirmation.
Thanks also @josephsl , for informing that sysTrayList add-on is in the official repo.

[nvdaes]

I've marked this as ready for review. Time permitting, let me know if I should make more tests on my fork, for example, to use an application instead of a personal access token.

[nvdaes]

For an example of this working, after removing the eMule add-on from my fork to allow automerge, see:

nvdaes#64

[nvdaes]

@seanbudd Regarding labels, now it will be applied the addonSubmission label. You need to add it to this repo since it's not available by default, and if it's not available it won't be applied.
Now we use a separate JavaScript file, placed in the root folder, instead of using an inline script.
Regarding issues not formatted according to this template, in this case the GitHub Actions workflow will fail. I don't know how to make it to run just for issues opened with this template.
For pull requests, NV Access will appear as the author. Should Ichange it to GitHub Actions?

[seanbudd]

For pull requests, NV Access will appear as the author. Should I change it to GitHub Actions?

Yes can you make it GitHub actions or the submitter of the issue?

[nvdaes]

Hi Sean: the GitHub script action, used here, is intended to use JavaScript according to its documentation. In the checkMetadata workflow we use Javascript too, to check the files changed, though the script is inline and not in a separate file. So I think that it"s better to follow documentation of the GitHub script function. There are other methods to validate issue forms but not tested by me. I"ll make all suggested changes in a few hours.

[nvdaes]

@seanbudd I have addressed your review as follows:

• Pull request author is set to GitHub Actions. Peterevans documentations says that author is in the form name and we can set the noreply email of GitHub Actions, since real users can have a real email and it's a valid option to use GitHub Actions too.
• The event will be triggered on labeled issues, when the label is set to the name requested by you for autoSubmissionFromIssue.

I've tried other options following recommendations from internet, but finally this worked:

https://github.com/orgs/community/discussions/26261

Please let me know if I should do anything else.

[nvdaes]

Hi again, setting the author to github-actions doesn't work. I've tried another approach: using the event.sender.login and the noreply email address.
If this can be tested I'll commit this change here and I'll inform before you can proceed with more comments.

[nvdaes]

Unfortunately seems that the author field has no effect on the sendJsonFile workflow. I don't know what to do with this.
@seanbudd If you have an idea please let me know, or you may accept this if you don't think that this is too important. Here's an example of a PR attributed to me, though the issue was sent by @ruifontes

nvdaes#85

[seanbudd]

Hi @nvdaes, this looks good to me.

I am going to make the minor changes and merge

[nvdaes]

Thanks Sean. I've read that GitHub doesn't allow to change PR authors to avoid making inappropriate things which maybe attributed to a different person. I don't know. 2023-03-07 21:24 GMT+01:00, Sean Budd ***@***.***>:

…

Merged #37 into master. -- Reply to this email directly or view it on GitHub: #37 (comment) You are receiving this because you were mentioned. Message ID: ***@***.***>

[nvdaes]

Thanks, you will inform when this can be used. 2023-03-07 21:20 GMT+01:00, Sean Budd ***@***.***>:

…

@seanbudd approved this pull request. Hi @nvdaes, this looks good to me. I am going to make the minor changes and merge > +title: "[Submit add-on]: " +labels: [autoSubmissionFromIssue] +assignees: +- nvaccess +body: +# Docs on using issue forms: +# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema +- type: markdown + attributes: + value: | + Submit an NVDA add-on to datastore. Provide download and source URL, and indicate if it's a stable add-on or not. +- type: input + id: download-url + attributes: + label: Download URL + description: The URL to download the add-on. It must start with 'https' and end with 'nvda-addon'. ```suggestion description: The URL to download the add-on. It must start with 'https' and end with 'nvda-addon'. This URL should always download the same file of the same add-on version. ``` > + const licenseUrlMd = "### License URL" + // + // collect variables from issue form + // + const body = context.payload.issue.body + const downloadUrl = body.split(dlTitleMd)[1].split(header3Prefix)[0].trim() + core.setOutput('downloadUrl', downloadUrl) + const sourceUrl = body.split(sourceUrlMd)[1].split(header3Prefix)[0].trim() + core.setOutput('sourceUrl', sourceUrl) + const releaseChannel = body.split(channelMd)[1].split(header3Prefix)[0].trim() + core.setOutput('releaseChannel', releaseChannel) + const licenseName = body.split(licenseMd)[1].split(header3Prefix)[0].trim() + core.setOutput('licenseName', licenseName) + const licenseUrl = body.split(licenseUrlMd)[1].split(header3Prefix)[0].trim() + core.setOutput('licenseUrl', licenseUrl) +} can this get a new line at EOF > + const licenseUrlMd = "### License URL" + // + // collect variables from issue form + // + const body = context.payload.issue.body + const downloadUrl = body.split(dlTitleMd)[1].split(header3Prefix)[0].trim() + core.setOutput('downloadUrl', downloadUrl) + const sourceUrl = body.split(sourceUrlMd)[1].split(header3Prefix)[0].trim() + core.setOutput('sourceUrl', sourceUrl) + const releaseChannel = body.split(channelMd)[1].split(header3Prefix)[0].trim() + core.setOutput('releaseChannel', releaseChannel) + const licenseName = body.split(licenseMd)[1].split(header3Prefix)[0].trim() + core.setOutput('licenseName', licenseName) + const licenseUrl = body.split(licenseUrlMd)[1].split(header3Prefix)[0].trim() + core.setOutput('licenseUrl', licenseUrl) +} ```suggestion } ``` -- Reply to this email directly or view it on GitHub: #37 (review) You are receiving this because you were mentioned. Message ID: ***@***.***>