github.ActionsEnvironmentSecret gives 404 Not Found

[phitoduck]

What happened?

Hi there,

TL;DR I believe github.ActionsEnvironmentSecret may be hitting an out of date GitHub endpoint.

I'm trying to create a new github.Repository via Pulumi and also create 3 GitHub actions environments with several secrets in each.

This forum answer made me realize you have to encrypt strings before you can send them to the GitHub API via the pulumi resource.

The github.get_actions_public_key(repository) recommended in the forum answer calls this endpoint (GitHub docs on the endpoint here) to fetch the "GitHub environment public key".

Here is the error message I get on pulumi up when I try to do this:

Diagnostics:
  github:index:ActionsEnvironmentSecret (Sandbox-environment--environment--env-secret):
    error: GET https://api.github.com/repositories/543829938/environments/sample-repo:Sandbox/secrets/public-key: 404 Not Found []

Note the repository URL is 543829938 in this example, and the environment name is Sandbox. The repo name is sample-repo.

I was able to reproduce the error by hitting the GitHub API myself like so:

REPO_ID=543829938
ENVIRONMENT_NAME=Sandbox
REPO_NAME=sample-repo
curl \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    https://api.github.com/repositories/$REPO_ID/environments/$REPO_NAME:$ENVIRONMENT_NAME/secrets/public-key

# result
{
  "message": "Not Found",
  "documentation_url": "https://docs.github.com/rest/reference/actions#get-an-environment-public-key"
}

I was able to solve it by removing the $REPO_NAME: portion of the request path:

REPO_ID=543829938
ENVIRONMENT_NAME=Sandbox
REPO_NAME=sample-repo
curl \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    https://api.github.com/repositories/$REPO_ID/environments/$ENVIRONMENT_NAME/secrets/public-key

# response
{
  "key_id": "568250167242549743",
  "key": "4sJ/GHfjfYtb6kE0+CazB6MopDEiJ1E22Gh4ntzN+Cw="
}

Can the underlying provider be modified so that the correct URL endpoint is used?

Steps to reproduce

from base64 import b64encode
from nacl import encoding, public # pip install pynacl

def encrypt_github_action_secret(public_encryption_key: str, secret_value: str) -> str:
    """
    Encrypt a Unicode string using the public key.

    The implementation for this function came from the GitHub API docs here:
    https://docs.github.com/en/rest/actions/secrets#create-or-update-an-organization-secret

    We found that by landing on this forum question on how to create GitHub Actions secrets:
    https://github.com/pulumi/pulumi/discussions/9377
    """
    public_key = public.PublicKey(public_encryption_key.encode("utf-8"), encoding.Base64Encoder())
    sealed_box = public.SealedBox(public_key)
    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
    return b64encode(encrypted).decode("utf-8")


repo = github.Repository(
    resource_name="sample-repo",
    name="sample-repo",
    archive_on_destroy=False,
)

public_key = github.get_actions_public_key(repository=repo)

env = github.RepositoryEnvironment(
    resource_name=f"sandbox-environment",
    repository=repo,
    environment="Sandbox",
)

encrypted_secret = encrypt_github_action_secret(public_encryption_key=public_key.key, secret_value="I'm a secret!")
github.actions_environment_secret.ActionsEnvironmentSecret(
    resource_name=f"{env._name}--{secret_name.lower()}--env-secret",
    secret_name=secret_name,
    encrypted_value=encrypted_secret,
    environment=env,
    repository=env.repository,
)

Expected Behavior

A public key is fetched.

Actual Behavior

A public key is not found, instead a 404 error is returned.

View Live: https://app.pulumi.com/phitoduck/repogen/repogen/updates/22

     Type                                      Name                                              Status                  Info
     pulumi:pulumi:Stack                       repogen-repogen                                   **failed**              1 error
 +   └─ github:index:ActionsEnvironmentSecret  Sandbox-environment--environment--env-secret   **creating failed**     1 error
 
Diagnostics:
  github:index:ActionsEnvironmentSecret (Sandbox-environment--environment--env-secret):
    error: GET https://api.github.com/repositories/543829938/environments/sample-repo:Sandbox/secrets/public-key: 404 Not Found []

Output of pulumi about

CLI          
Version      3.40.2
Go Version   go1.19.1
Go Compiler  gc

Plugins
NAME    VERSION
github  5.0.0
python  unknown

Host     
OS       darwin
Version  10.15.7
Arch     x86_64

This project is written in python: executable='/Users/eric/.pyenv/shims/python3' version='3.10.4
'

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/phitoduck
User           phitoduck
Organizations  phitoduck

Dependencies:
NAME              VERSION
GitPython         3.1.27
phitoduck-projen  0.0.2
pip               22.2.2
pulumi-github     5.0.0
PyNaCl            1.5.0
python-dotenv     0.21.0
rich              12.5.1
setuptools        65.4.0
wheel             0.37.1

Pulumi locates its logs in /var/folders/cn/6x3hstc532b_gdnvrvn0p7600000gp/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[phitoduck]

This seems related, but not the same as #246

[Frassle]

Possibly related to integrations/terraform-provider-github#667

[lblackstone]

Could this be related to integrations/terraform-provider-github#578?

integrations/terraform-provider-github#578 (comment) suggests setting the owner field of the Provider configuration as a workaround.

[robsoned]

I'm also having a related problem here.

When I run pulumi up locally, it does work and create the GitHub secret. But, when running with GitHub actions, it seems to duplicate the GITHUB_OWNER in the URL:

Error: **creating failed** error: GET https://api.github.com/repos/{GITHUB_OWNER}/{GITHUB_OWNER}/repository: 404 Not Found []

Github Action:

When I try removing the GITHUB_OWNER, the instead of duplicating GITHUB_OWNER. It adds my github username to the url:

github:index:ActionsEnvironmentSecret  creating (0s) error: GET https://api.github.com/repos/robsoned/{GITHUB_OWNER}/repo: 404 Not Found []

Maybe I'm missing something here, I'm passing the exact same env variables that I use locally to the GitHub actions.

[Zemnmez]

I'm also having a similar (but not the same) issue:

  
    github:index:ActionsSecret (monorepo_bazel_remote_cache_server_actions_secret_cache_url):
      error: GET https://api.github.com/repos//zemn-me/monorepo/actions/secrets/public-key: 404 Not Found []

It looks like, somehow, there's an extra slash being interpolated for me. I tried to use the workaround above and it didn't fix the issue. Any suggestions?

Edit: managed to work around it by adding ../ before my repo name; it's now ../my-org/my-repo.

[ringods]

The extra slash indeed seems to be related. Removing it resulted in a 403, requiring admin access:

message	            "Must have admin rights to Repository."
documentation_url   "https://docs.github.com/rest/actions/secrets#get-a-repository-public-key"
status	            "403"

[smith558]

Hello everyone. I've resolved this by following the instructions here https://www.pulumi.com/registry/packages/github/installation-configuration/#configuring-credentials.

[guineveresaenger]

Hi @smith558 - thank you for reporting here!

I'm going to close this issue as resolved for now - but do feel free to file a follow-up issue if you believe we can improve the experience.