CC Open Source Blog

Automate GitHub for more than CI/CD

gravatar

by Zack Krida on 2020-08-26

Get started using GitHub bots and actions for community management and repository health.

In late 2018, in the midst of being acquired by Microsoft, GitHub launched Github Actions into public beta, allowing users to run code on the popular development platform for the first time. With a straightforward YAML configuration syntax and the power of Microsoft's Azure cloud, GitHub Actions quickly rose to compete with existing Continuous Integration (CI) and Continuous Deployment (CD) platforms like Circle CI and Travis CI. GitHub Actions made it easier than ever for developers to test and deploy software in the cloud, but from the beginning GitHub had bigger plans for the service.

In a 2018 TechCrunch interview, GitHub's then head of platform acknowledged the usefulness of actions for more than CI/CD. "I see CI/CD as one narrow use case of actions. It’s so, so much more,” Lambert stressed. “And I think it’s going to revolutionize DevOps because people are now going to build best in breed deployment workflows for specific applications and frameworks, and those become the de facto standard shared on GitHub. […] It’s going to do everything we did for open source again for the DevOps space and for all those different parts of that workflow ecosystem."

At Creative Commons, we use Github Actions and Bots on many of our open-source projects for more than CI/CD—to manage our community team; to automate repository health; and to automate tedious but frequent tasks. The following examples are just a small snapshot of our existing and in-progress automations.

Example automations

Release note generation

Our frontend Vue.js application for CC Search gets released weekly, and is subject to constant pull requests from myself, one-time volunteers making their first open source contribution, and long-term, dedicated community members who frequently contribute. It's important for us to highlight all of these contributions in our release notes, regardless of size or scope. Additionally, we find it useful to group changes into categories, so our users have a clear sense of what kinds of updates we've made.

GitHub screenshot of release notes for CC Search
An example of CC Search release notes generated by the Release Drafter GitHub Action.

The quality of these release notes made them quite tedious to generate manually. With the release drafter action, we're able to automatically update a draft release note on every pull request to CC Search. The action lets us configure the line added for each pull request with some basic templating which includes variables for the pr number, title, and author (among others):

change-template: '- $TITLE: #$NUMBER by @$AUTHOR'


This means each pull request gets a line like this in our release notes:

Enable web monetization on single result pages: #1191 by @zackkrida

Perfect! We can also map GitHub labels on our pull requests to the sections of our generated release notes, like so:

categories:
  - title: 'New Features'
    label: 'feature'
  - title: 'Bug Fixes'
    label:
      - 'bug'
      - 'critical'

The resulting release notes require no manual editing at release time, and has saved us hours over time and allows our developers to focus on DevOps work instead of copywriting on release days. We also never miss a contribution or expression of gratitude to one of our contributors. You can read the latest CC Search release notes or see our full release-drafter.yml file here.

Repository Normalization

Within a private repository of internal helper scripts, the CC technical team has a number of Github Actions which trigger Python scripts to keep configuration standardized across our repositories. We casually call this process "repository normalization". One such script ensures that we use a standard set of GitHub labels across all of our projects. This consistency helps us do things like direct users to open issues in need of assistance across the organization, or issues good for first-time open source contributors. With GitHub Actions, its easy to set up scheduled tasks with only a few lines of human-readable configuration. Here's the gist of running a Python script daily, for example:

name: Example scheduled python action
on:
  schedule:
  - cron: '0 0 * * *'
  push:
    branches:
      - master
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Set up Python 3.7
      uses: actions/setup-python@v1
      with:
        python-version: 3.7
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        python -m pip install pipenv
        pipenv install
    - name: Export token to env and run our script
      run: |
        pipenv run python our-script.py
      env:
        ADMIN_GITHUB_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }}

Internally and publicly, we use GitHub Projects to manage our bi-weekly sprints and backlogs. The GitHub Project Bot action was built by one of our community contributors and allows us to add pull requests to our project columns. Here's an example step in such a job:

- name: Handle cccatalog-frontend Repo
  uses: subhamX/github-project-bot@v1.0.0
  with:
    ACCESS_TOKEN: ${{ secrets.ADMIN_GITHUB_TOKEN }}
    COLUMN_NAME: "In Progress (Community)"
    PROJECT_URL: https://github.com/orgs/creativecommons/projects/7
    REPO_URL: https://github.com/cc-archive/cccatalog-frontend

We have additional scripts that sync our community team members across our open source website and GitHub, and several others that do even more of this cross-platform synchronization work. All of these scripts relive significant burden off of our engineering manager and open source community coordinator.

Dependency Updates

Modern JavaScript projects are built atop piles of 3rd party dependencies. This frees developers to focus on product code instead of writing the same utility code over and over again, but exposes projects to issues of security and dependency management. To help alleviate these issues, GitHub acquired a startup called Dependabot which initially focused on automatic security updates for repositories. Dependabot creates pull requests that update third-party code with known security vulnerabilities to the latest safe and stable versions.

This summer (June 2020), GitHub expanded dependabot's scope to keep all third-party code up to date, regardless of security. By adding a dependabot-config.yml file to any repo, developers no longer need to keep track of dependency updates on their own.

GitHub screenshot of a Dependabot PR message
Dependabot writes pull requests to bump JavaScript dependencies and will automatically resolve merge conflicts and keep the PR up to date.

If your project has strong test coverage and a solid quality control process for release management, Dependabot pull requests can be made even more powerful with the Merge Me Action. Merge Me can be added to the end of any series of Github Actions to automatically merge pull requests that pass all CI tests which were authored by a particular user (the action assumes dependabot by default). This means your repository can have highly-configurable, fully-automated dependency updates in just a few lines of YAML.

Here's a few more

Here's some smaller and simpler automations that can make a huge difference in your workflows.

These examples are a small sample of the non-CI/CD capabilities of GitHub Actions. You can peek in the .github/ directory of any of our open source repositories to see the actions we're using, and feel free to make an issue on any project if you have an idea for an automation of your own. As we increase the number and quality of integrations in our open source repositories, we may update this article or create follow-up posts with more examples.

If you're interested in learning more about GitHub Actions, GitHub has a wonderful marketplace of avaliable actions you can explore, and the documentation for actions is avaliable in several languages.