
Use default visibility for GitLab IPLab token #6

Merged
merged 2 commits into from
Sep 2, 2024

Conversation

ptziegler (Contributor)

Whenever a pull-request is created by dependabot, the license check fails with a 401 - Unauthorized. Given that the same check works for normal committers, it is likely that the token is still valid, just inaccessible.

See my PR: https://github.com/eclipse-windowbuilder/windowbuilder/actions/runs/10548647503/job/29575348859

Error: Failed to execute goal org.eclipse.dash:license-tool-plugin:1.1.1-SNAPSHOT:license-check (default-cli) on project org.eclipse.wb.root: Some dependencies must be vetted. -> [Help 1]

And see one from dependabot: https://github.com/eclipse-windowbuilder/windowbuilder/actions/runs/10660680894/job/29575430345

[ERROR] Failed to execute goal org.eclipse.dash:license-tool-plugin:1.1.1-SNAPSHOT:license-check (default-cli) on project org.eclipse.wb.root: Execution default-cli of goal org.eclipse.dash:license-tool-plugin:1.1.1-SNAPSHOT:license-check failed: org.gitlab4j.api.GitLabApiException: 401 Unauthorized -> [Help 1]

@ptziegler ptziegler requested a review from a team as a code owner September 2, 2024 16:57

This is your friendly self-service bot.

Thank you for raising a pull request to update the configuration of your GitHub organization.
You can manually add reviewers to this PR to eventually enable auto-merging.

The following conditions need to be fulfilled for auto-merging to be available:

  • valid configuration
  • approved by a project lead
  • does not require any secrets
  • does not update settings only accessible via the GitHub Web UI
  • does not remove any resource
Otterdog commands and options

You can trigger otterdog actions by commenting on this PR:

  • /otterdog team-info checks the team / org membership for the PR author
  • /otterdog validate validates the configuration change
  • /otterdog validate info validates the configuration change, printing also validation infos
  • /otterdog check-sync checks if the base ref is in sync with live settings
  • /otterdog merge merges and applies the changes if the PR is eligible for auto-merging (only accessible for the author)
  • /otterdog done notifies the self-service bot that a required manual apply operation has been performed (only accessible for members of the admin team)
  • /otterdog apply re-apply a previously failed attempt (only accessible for members of the admin team)


This is your friendly self-service bot.

The author (ptziegler) of this PR is associated with this organization in the role of MEMBER.

Additionally, ptziegler is a member of the following teams:



This is your friendly self-service bot.
Please find below the validation of the requested configuration changes:

Diff for de55936
Organization tools.windowbuilder[id=eclipse-windowbuilder]
  there have been 3 validation infos, enable verbose output with '-v' to display them.

  
!   org_secret[name="GITLAB_API_TOKEN"] {
!     selected_repositories             = "['windowbuilder']" -> "[]"
!     visibility                        = "selected" -> "public"
!   }
  
  Plan: 0 to add, 2 to change, 0 to delete.
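Review bot: the plan widens the reach of GITLAB_API_TOKEN from a single selected repository ("['windowbuilder']" -> "[]") to "public" visibility, which makes the org secret referenceable from every repository in the organization rather than only the one whose license check is failing. Since the stated problem is limited to dependabot runs in that one repository, the PR description should say why org-wide exposure is required instead of a narrower change within "selected" visibility, so that the manual apply flagged under Warnings ("require secrets") is done knowingly; the same review should confirm the token carries only the GitLab scope the license check needs.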

Warnings

  • some of requested changes require secrets, need to apply these changes manually

cc @eclipse-windowbuilder/eclipsefdn-security

cc @eclipse-windowbuilder/eclipsefdn-releng


This is your friendly self-service bot. The current configuration is in-sync with the live settings. 🚀

@netomi netomi merged commit 722e1a2 into eclipse-windowbuilder:main Sep 2, 2024
3 checks passed

This is your friendly self-service bot.

The following changes have been successfully applied:

Organization tools.windowbuilder[id=eclipse-windowbuilder]
  there have been 3 validation infos, enable verbose output with '-v' to display them.

  No changes required.

Note

The pull request was only partially applied as it requires some access to secrets or the Web UI,
please apply the remaining changes manually and confirm with replying with /otterdog done.

cc @eclipse-windowbuilder/eclipsefdn-security

cc @eclipse-windowbuilder/eclipsefdn-releng

netomi (Contributor) commented Sep 2, 2024

the change has been applied but I don't think that is the source of the problem.

When looking at the dependabot actions you can see that some dependencies are not yet vetted, which would be expected for some updates introduced by dependabot.

netomi (Contributor) commented Sep 2, 2024

/otterdog done


This is your friendly self-service bot. The PR has been marked as being completed.

ptziegler (Contributor, Author)

> the change has been applied but I don't think that is the source of the problem.
>
> When looking at the dependabot actions you can see that some dependencies are not yet vetted, which would be expected for some updates introduced by dependabot.

As far as I'm aware, the license checker doesn't check the versions of the GitHub actions, just the project dependencies. More specifically, it's this artifact here:

[INFO] License information could not be automatically verified for the following content:
[INFO]
[INFO] maven/mavencentral/org.osgi/org.osgi.util.tracker/1.5.4

Though you are correct and the execution continues to fail, even with the updated configuration. 🤷
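The thread hinges on telling two different failures of the same Maven goal apart: a "401 Unauthorized" from the GitLab API (the token is not reachable from the job) versus "Some dependencies must be vetted" (the token works, but an artifact needs IP review). The triage script below is an added example, not code from the PR or from the dash-licenses project; it parses log lines shaped like the two job outputs quoted above (the sample logs are constructed here), classifies the run, and splits the ClearlyDefined-style coordinates of each unvetted artifact so the list can be handed to whoever opens the review ticket. The regexes and the verdict names are this example's own conventions.

```python
"""Triage a failed Eclipse Dash license-check job from its Maven log.

Added example: separates a credential problem (401 from the GitLab API)
from an IP problem (unvetted dependencies) and lists the artifacts that
still need review. Patterns are assumptions modelled on the log lines
quoted in the PR, not an API of the license-tool-plugin.
"""
import re
from dataclasses import dataclass, field

# Constructed sample logs, shaped like the two job outputs quoted in the PR.
LOG_COMMITTER_PR = """\
[INFO] License information could not be automatically verified for the following content:
[INFO]
[INFO] maven/mavencentral/org.osgi/org.osgi.util.tracker/1.5.4
[ERROR] Failed to execute goal org.eclipse.dash:license-tool-plugin:1.1.1-SNAPSHOT:license-check (default-cli) on project org.eclipse.wb.root: Some dependencies must be vetted. -> [Help 1]
"""

LOG_DEPENDABOT_PR = """\
[ERROR] Failed to execute goal org.eclipse.dash:license-tool-plugin:1.1.1-SNAPSHOT:license-check (default-cli) on project org.eclipse.wb.root: Execution default-cli of goal org.eclipse.dash:license-tool-plugin:1.1.1-SNAPSHOT:license-check failed: org.gitlab4j.api.GitLabApiException: 401 Unauthorized -> [Help 1]
"""

# The GitLab client used by the plugin reports auth failures this way.
UNAUTHORIZED_RE = re.compile(r"GitLabApiException: 401 Unauthorized")
# The plugin fails the build with this message when review is outstanding.
MUST_VET_RE = re.compile(r"Some dependencies must be vetted")
# Unverified artifacts are listed one per [INFO] line as ClearlyDefined
# coordinates: <type>/<provider>/<namespace>/<name>/<revision>.
ARTIFACT_RE = re.compile(r"^\[INFO\]\s+(?P<coords>(?:maven|npm|git|p2|pypi)/\S+)\s*$")


@dataclass
class Triage:
    # "credential": fix token access before anything else; the vetting
    # result of such a run is meaningless because the lookup never ran.
    # "ip-review": token works; the listed artifacts need a review ticket.
    # "ok": nothing to do.
    verdict: str
    unvetted: list[str] = field(default_factory=list)


def parse_coordinates(artifact: str) -> dict[str, str]:
    """Split 'maven/mavencentral/org.osgi/org.osgi.util.tracker/1.5.4' into its parts."""
    parts = artifact.split("/", 4)
    if len(parts) != 5:
        raise ValueError(f"not a 5-part coordinate: {artifact!r}")
    keys = ("type", "provider", "namespace", "name", "revision")
    return dict(zip(keys, parts))


def triage(log: str) -> Triage:
    """Classify one license-check job log and collect unvetted artifacts."""
    unvetted: list[str] = []
    auth_failed = must_vet = False
    for line in log.splitlines():
        if UNAUTHORIZED_RE.search(line):
            auth_failed = True
        if MUST_VET_RE.search(line):
            must_vet = True
        m = ARTIFACT_RE.match(line)
        if m:
            unvetted.append(m.group("coords"))
    # A 401 takes precedence: any artifact list from such a run is partial.
    if auth_failed:
        return Triage("credential", unvetted)
    if must_vet or unvetted:
        return Triage("ip-review", unvetted)
    return Triage("ok", unvetted)


if __name__ == "__main__":
    for name, log in (("committer PR", LOG_COMMITTER_PR), ("dependabot PR", LOG_DEPENDABOT_PR)):
        result = triage(log)
        print(f"{name}: {result.verdict}")
        for coords in result.unvetted:
            c = parse_coordinates(coords)
            print(f"  needs review: {c['namespace']}:{c['name']}:{c['revision']} ({c['provider']})")
```

Run stand-alone, the script reports the committer run as an IP-review case with the org.osgi.util.tracker artifact and the dependabot run as a credential case; wiring it to a job's downloaded log lets a workflow post a job summary with the artifacts instead of forcing readers through the full log.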

@ptziegler ptziegler deleted the gitlab-token branch September 2, 2024 17:29
netomi (Contributor) commented Sep 2, 2024

[image]

so yeah, dependabot updated a maven plugin which is not vetted yet.
You need to invoke the dash license check workflow with the /request-review option to create a ticket in the IPLab project.

netomi (Contributor) commented Sep 2, 2024

I triggered a harvest action at clearlydefined for the plugin, maybe that resolves it already:

[image]

ptziegler (Contributor, Author)

I've also created an IPLab issue. Let's hope the error is gone once the dependency has been approved.
Thank you for your time and help!

netomi (Contributor) commented Sep 2, 2024

yeah I see the ticket being opened, so ideally we would have a workflow that does that automatically for dependabot PRs (or any PR that changes dependencies).

Will see what I can do there.

netomi (Contributor) commented Sep 9, 2024

fyi: I created now a PR for the default mavenLicenseCheck.yml workflow at eclipse-dash/dash-licenses#372

Please take a look, it should provide more information in case something went wrong. Ideally it will also add the functionality to add comments to the PR also for PRs from forks. Atm the PR adds the same information to the job summary, so you don't have the need to browse through the full logs to get the information you need.
