Maintenance#

This document describes maintenance tasks that need to be performed from time to time. Its purpose is to avoid relying on personal memory alone, and it should be updated regularly.

Refreshing tokens for the auto upgrade of test constraints and vendored packages.#

Because of the security GitHub policy, the commits and pull requests created by an action that uses default GITHUB_TOKEN will not trigger another action’s runs. The possible workaround for this is to close and then reopen the pull request. But this requires additional actions by core devs.

To get automatically running workflows, we need to create a personal access token (PAT) and add it to the repository secrets. For security reasons, it is recommended to create a fine-grained token. It allows us to provide only the required permissions.

The token should have a one-year expiration date. After that, it needs to be refreshed.

The token should be named GHA_TOKEN and the required permissions are:

  • read to repository metadata

  • read and write to pull requests

  • read and write to code

screenshot of token permissions in GitHub UI

At the moment of writing this document, there is a difference in names between the summary of the token and the list of permissions. The code permission is called Contents in the Edit view of the token.

screenshot of token permissions

Refreshing the token#

To create a new token, go to the personal settings page and select Developer settings at the bottom of the left menu. On the visible screen, expand the Personal access tokens section and click the Fine-grained token link.

View on list of fine-grained tokens

Then click the Generate new token button in the upper right corner.

Fill the form:

  1. Choose a name for the token. This is only for you to better remember what the token is. The name will not be used by any workflows or in any other step.

  2. Set expiration to custom and then select one year after the current date.

  3. Optionally set a description. Again this is only for your own memory. A link to this page might be appropriate.

  4. Select napari to be the resource owner

  5. Select Only selected repositories and then select napari/napari repository

screenshot of the token creation form

  1. Select the required permissions for repository metadata, pull requests, and code (contents)

screenshot of the token creation form

  1. Click the Generate token button

  2. Copy token

  3. Go to the napari repository settings

  4. Expand the Secrets and variables section and select Actions

  5. Click the edit button for the GHA_TOKEN secret

screenshot of the token creation form

  1. Paste a new token to the value field

To validate if the token is working, you can run the “Upgrade test constraints” workflow manually. Ensure that there will be some packages to update.