Page MenuHomePhabricator
Create Task
Maniphest T366341

[REPO][CLIENT] Find an alternative way to send secondary CI e-mails from Github
Closed, ResolvedPublic
Actions

Description

We have a slightly troubled solution for sending e-mails from Github workflow actions for some Wikibase projects.

The current implementation uses username/password authentication to a shared Google account. This is already not very secure, and according to Google's documentation about less secure apps, will no longer be possible after September 2024.

Implement a more sustainable solution for sending these mails, ideally before the support for the current workflow is sunset.

Accepatnace Criteria

  • A proper solution is researched and agreed upon by team
  • If feasible solution is implemented

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
secondary CI: Renamed github action secrets used for CI mailsmediawiki/extensions/Wikibasemaster+2 -2
secondary CI: Renamed github action secrets used for CI mailsmediawiki/extensions/EntitySchemamaster+4 -4
Customize query in gerrit

Related Objects

Event Timeline

ArthurTaylor created this task.May 31 2024, 8:52 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 31 2024, 8:52 AM
Maintenance_bot added a project: Wikidata.May 31 2024, 9:30 AM
OKJ04 added a subtask: T366433: CentralAuth tests broken unless you run them inside Quibble.Jun 3 2024, 1:39 AM
JJMC89 removed a subtask: T366433: CentralAuth tests broken unless you run them inside Quibble.Jun 3 2024, 1:44 AM
WMDE-leszek subscribed.Jun 3 2024, 9:40 AM
Ollie.Shotton_WMDE subscribed.Jun 3 2024, 9:40 AM
Muhammad_Yasser_Jazirahly_WMDE subscribed.Jun 5 2024, 9:29 AM
ItamarWMDE renamed this task from Find an alternative way to send secondary CI e-mails from Github to [REPO+CLIENT] Find an alternative way to send secondary CI e-mails from Github.Jun 6 2024, 12:53 PM
ItamarWMDE renamed this task from [REPO+CLIENT] Find an alternative way to send secondary CI e-mails from Github to [REPO][CLIENT] Find an alternative way to send secondary CI e-mails from Github.
ItamarWMDE moved this task from Incoming to [DOT] By Project on the wmde-wikidata-tech board.
ItamarWMDE added a project: [Archived]Wikidata Dev Team.
Arian_Bozorg moved this task from Incoming to [DOT] Tech Backlog on the [Archived]Wikidata Dev Team board.Jun 18 2024, 8:37 AM
ItamarWMDE subscribed.Aug 1 2024, 12:58 PM

Prio Notes:

Impact AreaAffected
production / end usersno
monitoringyes
development effortsno
onboarding effortsno
additional stakeholdersyes (can effect PRPL too)
ItamarWMDE updated the task description. (Show Details)Aug 1 2024, 1:00 PM
ItamarWMDE updated the task description. (Show Details)
ItamarWMDE moved this task from [DOT] By Project to [DOT] Prioritized on the wmde-wikidata-tech board.
karapayneWMDE moved this task from [DOT] Tech Backlog to SEND TO OMEGA BOARD. Will land in the 'incoming' column and need to be moved to the correct location (former Unified DOT Backlog) on the [Archived]Wikidata Dev Team board.Aug 28 2024, 9:44 AM
Lucas_Werkmeister_WMDE mentioned this in T353957: [SW] Wikibase secondary CI is broken and email sending is broken again (Dec 2023).Sep 4 2024, 9:03 AM
ArthurTaylor claimed this task.Sep 5 2024, 9:13 AM
ArthurTaylor edited projects, added [Archived]Wikidata Dev Team (Wikidata.org Slice); removed [Archived]Wikidata Dev Team.
ArthurTaylor moved this task from In Task Breakdown to In Development on the [Archived]Wikidata Dev Team (Wikidata.org Slice) board.
Maintenance_bot moved this task from [DOT] Prioritized to Ongoing on the wmde-wikidata-tech board.Sep 5 2024, 9:29 AM
ArthurTaylor reassigned this task from ArthurTaylor to WMDE-leszek.Sep 5 2024, 9:44 AM
WMDE-leszek added a comment.Sep 5 2024, 10:04 AM

I've changed the authentication method used by the Google account mid June. The account is now using two-factor authentication, and the CI jobs are authenticating using an "application password". This change might have been invisible to the CI job as it only involved changing the value of the "github action secret" which I have done as part of this authentication method change.
If I understand it correctly, using application password makes the CI no longer a "less secure app", so it should allow CI send emails also after Google switches off less-secured-app access.

ArthurTaylor added a comment.Sep 5 2024, 10:12 AM

Okay. I'm going to suggest that this is a "proper solution" for now - it works, and it's not about to be sunset. I heard from @WMDE-leszek that we use Mailgun to send mails from WikibaseCloud. That might be something to consider if we run into reliability / sustainability issues with Google again. But for now, if it ain't broke, let's not fix it any further.

ArthurTaylor removed WMDE-leszek as the assignee of this task.Sep 5 2024, 10:12 AM
ArthurTaylor moved this task from In Development to Ready for Tech Verification on the [Archived]Wikidata Dev Team (Wikidata.org Slice) board.
gerritbot added a comment.Sep 5 2024, 10:47 AM

Change #1070905 had a related patch set uploaded (by WMDE-leszek; author: WMDE-leszek):

[mediawiki/extensions/Wikibase@master] secondary CI: Renamed github action secrets used for CI mails

https://gerrit.wikimedia.org/r/1070905

gerritbot added a project: Patch-For-Review.Sep 5 2024, 10:47 AM

Change #1070906 had a related patch set uploaded (by WMDE-leszek; author: WMDE-leszek):

[mediawiki/extensions/EntitySchema@master] secondary CI: Renamed github action secrets used for CI mails

https://gerrit.wikimedia.org/r/1070906

gerritbot added a comment.Sep 5 2024, 1:24 PM

Change #1070906 merged by jenkins-bot:

[mediawiki/extensions/EntitySchema@master] secondary CI: Renamed github action secrets used for CI mails

https://gerrit.wikimedia.org/r/1070906

gerritbot added a comment.Sep 5 2024, 1:41 PM

Change #1070905 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] secondary CI: Renamed github action secrets used for CI mails

https://gerrit.wikimedia.org/r/1070905

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.22; 2024-09-10).Sep 5 2024, 2:00 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 5 2024, 2:30 PM
Lucas_Werkmeister_WMDE subscribed.Sep 6 2024, 2:15 PM

I guess for the purposes of tech verification we can just wait until October and then see if email sending still works? (Push a branch to GitHub where .github/workflows/secondaryCI.yml was updated to change the recipient email address and send the email unconditionally, for instance.)

WMDE-leszek added a comment.Oct 14 2024, 8:10 AM

I've confirmed that Entity Schema's weekly "keepalive" emails are being sent. As the mechanism used for "secondary CI" uses the same authentication I claim it is sufficient to call this task completed.

WMDE-leszek closed this task as Resolved.Oct 14 2024, 8:10 AM
WMDE-leszek moved this task from Ready for Tech Verification to In Tech Verification on the [Archived]Wikidata Dev Team (Wikidata.org Slice) board.
WMDE-leszek moved this task from In Tech Verification to Done on the [Archived]Wikidata Dev Team (Wikidata.org Slice) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits