multi-gitter unable to run against returned repos when using github app installation token #224
Comments
As asked in #223: It does seem unlikely that the API returns that the user has no permissions but then allows a creation of a PR. |
Hello @lindell I'm absolutely positive I'm using the correct token, I just triple checked 😄 Here's the output you requested: (I've removed the other 99 repos to make scrubbing information easier, but they were a mix of public/private repos, much like the below response)
Here's a PR being opened with the same token
|
This is good information. But the fetch does still say (which I must assume is right), that the token has neither pull nor push permissions to the repos. |
Hi @lindell in those examples the token was essentially given If it is a problem, can we test adding support for this kind of authentication? |
@lindell I tested the token in a typical workflow, checking out a repo, creating a commit, pushing, opening a PR, etc and it worked successfully.
|
The authentication right now is done through The example does unfortunately not show us anything. The commit and push is still made with the authentication of the github action and not the authentication of the token. We already confirmed that the creation of the PR is permitted, but that is not why multi-gitter chooses to not run on the repo(s). |
I generated the token with this action, github support also used this:
The output of the action to get the token is The GitHub App was installed on an org with access to all repositories following this guide https://docs.github.com/en/developers/apps/building-github-apps/creating-a-github-app |
@lindell I just wanted to check in and see if there's any updates on this issue. I'm going to try switching the url to |
Hi @lindell just following up on the above, this didn't get multi-gitter to run on any repos it found. I was however able to use the installation token to do a pull/push from my terminal with the git client. I tried switching the go library option to |
|
I tried it out (but outside of github actions) and get the same result as you. I can pull and push by using Does this work for you? https://github.com/lindell/multi-gitter/tree/github-app-token |
Hi @lindell this does work for me. |
@lindell Any update on getting this feature merged in? |
I still feel a bit uneasy about going against what the API tells us we are allowed to do. It could cause cases where we actually try to pull from repos we are not allowed to? Since we have to ignore the permissions checking altogether if it's used with the app token. |
Hmm I agree, is this something that a support ticket should be opened for? I would open one, however I may not be able to speak to multi-gitter's behaviour as well as you can 😄 |
Please do open a support ticket with GitHub :) You can both refer to me if there are any questions around how multi-gitter is using the API, and link to this issue as reference. |
It seems that the creator of this bug has deleted their account, and since no one else has indicated this is needed, I'm closing this bug for now. |
@lindell I have this exact need: I'd like to be able to perform actions as a github app, rather than as my personal user in a private github organization. What is the process for getting this issue re-opened? |
@mspiegel31 Please open an issue with GitHub stating the (assumed) bug.
I have not yet reverified that this is still the case as of today, so please do that first. |
@lindell I've opened a ticket with github and referenced this issue. Please let me know if you'd like me to keep discussion going on this (closed) issue in multi-gitter, or if you'd like to direct the conversation somewhere else. Thanks for the great tool, and thanks for the support! |
It's maybe worth mentioning that git-xargs (also written in go) seems to work fine with installation access tokens; I've spent my afternoon testing my use case with this tool. I'm not familiar with how multi-gitter or git-xargs is implemented, but that would seem to indicate it's not a bug on the github side? |
@lindell We've been pursuing this through the GitHub end through Enterprise Support and it sounds like, from GitHub's perspective, this end point is working as intended.
Please let me know if you need additional information, since we've been talking to GitHub about this for a few weeks now. |
When authorizing through oauth now, I get the permissions through the API working as expected. Can you, @mspiegel31, please verify your steps, and what the API gives you back. |
@lindell We are still unable to use multi-gitter using specifically a GitHub App Token and we had contact with the GitHub engineers via our enterprise support stating that the APIs are behaving as expected as @chris-statham-arcticwolf mentioned here: #224 (comment) We asked this question to GitHub Support:
Their response:
|
I've just run into this behaviour as well. I'm trying to use a GitHub app's token to run the tool, and operations are skipped because the API response has the push and pull permissions as false as noted above, so nothing occurs. However, the token works as intended if used directly to clone. It would seem that in the case of GitHub app tokens, the assumptions made on the permissions by the tool are incorrect. Here are some snippets from a GitHub Actions workflow that demonstrate things.

Getting a token for the app

```
Run peter-murray/workflow-application-token-action@v2
Found GitHub Application: {APP_NAME}
Obtaining application installation for organization: {ORG_NAME}
Requesting limitation on GitHub Application permissions to only: {"contents":"write","pull_requests":"write"}
{"token":"***","expires_at":"2023-03-24T09:53:18Z","permissions":{"contents":"write","metadata":"read","pull_requests":"write"},"repository_selection":"all"}
Successfully generated an access token for application.
```

Cloning a repo with actions/checkout using that token

```
Run actions/checkout@v3
Syncing repository: {ORG_NAME}/{REPO_NAME}
Getting Git version info
Temporarily overriding HOME='/runner/_work/_temp/c8b79aeb-abb5-42af-b7f4-528428c13f39' before making global git config changes
Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /runner/_work/{ORG_NAME}/{REPO_NAME}/_repo
Initializing the repository
Disabling automatic garbage collection
Setting up auth
Determining the default branch
Fetching the repository
Determining the checkout info
Checking out the ref
/usr/bin/git log -1 --format='%H'
'{COMMIT_SHA}'
```

Getting the repo permissions with the token from the GitHub API using
|
@joel-mccoy-arcticwolf Thanks for reaching out to GH support. I still think this part is strange since it's returned for all token types.
But with the confirmation that this "works as intended", a fix in multi-gitter should be implemented. I will take a look when I have the time. |
Had some time to fix this now: #334, but I'm out of time for today, so I have not been able to test this yet. If you are able to, please test these changes. |
Great, thanks! I'll test this out this afternoon. |
I've just installed the tool from your branch and it works as I would expect and the token for my GitHub app is now able to clone the repositories that it has write access to. Thanks for the fast turnaround. For reference, this is how I installed the version from the fix PR:

```yaml
- name: Setup go
  uses: actions/setup-go@v3
  with:
    go-version: '^1.20.2'
- name: Install multi-gitter
  shell: bash
  run: go install github.com/lindell/multi-gitter@github-app-token-fix
```
|
Included in release v0.44.2 🎉 |
Describe the bug
When using a github app installation token with multi-gitter, all repos can be listed, but multi-gitter doesn't run against them. Using the same token, I am able to create pull requests using curl. The issue appears to be specific to multi-gitter, I wonder if parsing the repositories is the problem?
response with multi-gitter
{ 2022-01-27T07:00:15.0920886Z "host": "api.github.com", 2022-01-27T07:00:15.0921276Z "level": "trace", 2022-01-27T07:00:15.0921608Z "msg": "http request", 2022-01-27T07:00:15.0923119Z "request": "GET /orgs/xxxx/repos?page=1\u0026per_page=100 HTTP/1.1\r\nHost: api.github.com\r\nUser-Agent: go-github\r\nAccept: application/vnd.github.mercy-preview+json, application/vnd.github.nebula-preview+json\r\nAuthorization: Basic \u003cCENSORED\u003e\nAccept-Encoding: gzip\r\n\r\n", 2022-01-27T07:00:15.2640493Z "response": "HTTP/2.0 200 OK\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset\r\nCache-Control: private, max-age=60, s-maxage=60\r\nContent-Security-Policy: default-src 'none'\r\nContent-Type: application/json; charset=utf-8\r\nDate: Thu, 27 Jan 2022 07:00:15 GMT\r\nEtag: W/\"122717a36610aa3b6881db1871bc5285493eea207663614e64af2d6e83c4dfa8\"\r\nLink: \u003chttps://api.github.com/organizations/1874256/repos?page=2\u0026per_page=100\u003e; rel=\"next\", \u003chttps://api.github.com/organizations/1874256/repos?page=5\u0026per_page=100\u003e; rel=\"last\"\r\nReferrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin\r\nServer: GitHub.com\r\nStrict-Transport-Security: max-age=31536000; includeSubdomains; preload\r\nVary: Accept, Authorization, Cookie, X-GitHub-OTP\r\nVary: Accept-Encoding, Accept, X-Requested-With\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: deny\r\nX-Github-Media-Type: github.mercy-preview; param=nebula-preview; format=json\r\nX-Github-Request-Id: 0740:7B0E:5B2CF6:C2FED9:61F242FD\r\nX-Ratelimit-Limit: 15000\r\nX-Ratelimit-Remaining: 14914\r\nX-Ratelimit-Reset: 1643267605\r\nX-Ratelimit-Resource: core\r\nX-Ratelimit-Used: 
86\r\nX-Xss-Protection: 0\r\n\r\n[{\"id\":4307171,\"node_id\":\"MDEwOlJlcG9zaXRvcnk0MzA3MTcx\",\"name\":\"repo-xxxx\",\"full_name\":\"xxxx/repo-xxxx\",\"private\":false,\"owner\":{\"login\":\"xxxx\",\"id\":1874256,\"node_id\":\"MDEyOk9yZ2FuaXphdGlvbjE4NzQyNTY=\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/1874256?v=4\",\"gravatar_id\":\"\",\"url\":\"https://api.github.com/users/xxxx\",\"html_url\":\"https://github.com/xxxx\",\"followers_url\":\"https://api.github.com/users/xxxx/followers\",\"following_url\":\"https://api.github.com/users/xxxx/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/xxxx/gists{/gist_id}\",\"starred_url\":\"https://api.github.com/users/xxxx/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/xxxx/subscriptions\",\"organizations_url\":\"https://api.github.com/users/xxxx/orgs\",\"repos_url\":\"https://api.github.com/users/xxxx/repos\",\"events_url\":\"https://api.github.com/users/xxxx/events{/privacy}\",\"received_events_url\":\"https://api.github.com/users/xxxx/received_events\",\"type\":\"Organization\",\"site_admin\":false},\"html_url\":\"https://github.com/xxxx/repo-xxxx\",\"description\":\"xxxx\",\"fork\":false,\"url\":\"https://api.github.com/repos/xxxx/repo-xxxx\",\"forks_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/forks\",\"keys_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/keys{/key_id}\",\"collaborators_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/collaborators{/collaborator}\",\"teams_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/teams\",\"hooks_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/hooks\",\"issue_events_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/issues/events{/number}\",\"events_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/events\",\"assignees_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/assignees{/user}\",\"branches_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/branches{/branch}\",\"tags_url\":\"https:/
/api.github.com/repos/xxxx/repo-xxxx/tags\",\"blobs_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/git/blobs{/sha}\",\"git_tags_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/git/tags{/sha}\",\"git_refs_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/git/refs{/sha}\",\"trees_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/git/trees{/sha}\",\"statuses_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/statuses/{sha}\",\"languages_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/languages\",\"stargazers_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/stargazers\",\"contributors_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/contributors\",\"subscribers_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/subscribers\",\"subscription_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/subscription\",\"commits_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/commits{/sha}\",\"git_commits_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/git/commits{/sha}\",\"comments_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/comments{/number}\",\"issue_comment_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/issues/comments{/number}\",\"contents_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/contents/{+path}\",\"compare_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/compare/{base}...{head}\",\"merges_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/merges\",\"archive_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/{archive_format}{/ref}\",\"downloads_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/downloads\",\"issues_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/issues{/number}\",\"pulls_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/pulls{/number}\",\"milestones_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/milestones{/number}\",\"notifications_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/notifications{?since,all,participating}\",\"labels_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/lab
els{/name}\",\"releases_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/releases{/id}\",\"deployments_url\":\"https://api.github.com/repos/xxxx/repo-xxxx/deployments\",\"created_at\":\"2012-05-12T14:47:15Z\",\"updated_at\":\"2021-06-14T02:46:19Z\",\"pushed_at\":\"2021-12-12T11:43:20Z\",\"git_url\":\"git://github.com/xxxx/repo-xxxx.git\",\"ssh_url\":\"git@github.com:xxxx/repo-xxxx.git\",\"clone_url\":\"https://github.com/xxxx/repo-xxxx.git\",\"svn_url\":\"https://github.com/xxxx/repo-xxxx\",\"homepage\":null,\"size\":147,\"stargazers_count\":85,\"watchers_count\":85,\"language\":\"Ruby\",\"has_issues\":true,\"has_projects\":true,\"has_downloads\":true,\"has_wiki\":false,\"has_pages\":false,\"forks_count\":68,\"mirror_url\":null,\"archived\":false,\"disabled\":false,\"open_issues_count\":6,\"license\":null,\"allow_forking\":true,\"is_template\":false,\"topics\":[],\"visibility\":\"public\",\"forks\":68,\"open_issues\":6,\"watchers\":85,\"default_branch\":\"master\",\"permissions\":{\"admin\":false,\"maintain\":false,\"push\":false,\"triage\":false,\"pull\":false}},
2022-01-27T15:49:36.0650855Z {
2022-01-27T15:49:36.0651395Z "level": "info",
2022-01-27T15:49:36.0652074Z "msg": "Running on 0 repositories",
2022-01-27T15:49:36.0653241Z "time": "2022-01-27T15:49:36Z"
2022-01-27T15:49:36.0660835Z }
Running a curl command with the exact same token given to multi-gitter works successfully
Expected behavior
multi-gitter includes an option (or just accepts) to use a github app installation token and runs against repos it finds.
This is related to #223
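The behaviour discussed in this issue, as an added example that is not multi-gitter's code and not the change made in #334: a repository filter that trusts the per-repository `push`/`pull` flags for user tokens, and for an app installation token falls back to the grants in the token response instead of skipping every repository. The names `Repo`, `AppToken` and `Eligible`, the fallback policy itself, and the sample JSON (constructed from the values quoted above) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Repo holds the fields of GitHub's repository JSON that matter for the check.
type Repo struct {
	FullName    string          `json:"full_name"`
	Permissions map[string]bool `json:"permissions"`
}

// AppToken mirrors the installation-token response quoted in the thread.
type AppToken struct {
	Permissions         map[string]string `json:"permissions"`
	RepositorySelection string            `json:"repository_selection"`
}

// Constructed sample data shaped like the responses shown on this page.
const sampleRepos = `[
 {"full_name":"xxxx/repo-a","permissions":{"admin":false,"push":false,"pull":false}},
 {"full_name":"xxxx/repo-b","permissions":{"admin":false,"push":true,"pull":true}}]`
const sampleToken = `{"permissions":{"contents":"write","metadata":"read","pull_requests":"write"},"repository_selection":"all"}`

// Eligible returns the repositories a clone/push/PR run may proceed on.
// tok == nil: user token, trust the per-repository push/pull flags.
// tok != nil: app token, the flags come back false, so require the token's own grants.
// Unless repository_selection is "all", the org listing may exceed the installation: allow none.
func Eligible(repos []Repo, tok *AppToken) []string {
	out := []string{}
	appOK := tok != nil && tok.RepositorySelection == "all" &&
		tok.Permissions["contents"] == "write" && tok.Permissions["pull_requests"] == "write"
	for _, r := range repos {
		if (tok == nil && r.Permissions["push"] && r.Permissions["pull"]) || appOK {
			out = append(out, r.FullName)
		}
	}
	return out
}

func main() {
	var repos []Repo
	var tok AppToken
	if json.Unmarshal([]byte(sampleRepos), &repos) != nil || json.Unmarshal([]byte(sampleToken), &tok) != nil {
		panic("bad sample JSON")
	}
	fmt.Println("user-token rule:", Eligible(repos, nil), "app-token rule:", Eligible(repos, &tok))
}
```

For an installation limited to selected repositories, listing through GitHub's `GET /installation/repositories` endpoint instead of the organization listing keeps the run inside what the app was actually installed on.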