nur-{combined,search} repos not updating - 403 (token/permission issue?)

[Rhys-T]

Neither nur-combined nor nur-search has received a commit since 2/10/2025, despite this main repo being continuously updated. It looks like the ad-m/github-push-action steps for update_combined and update_search are getting 403 Forbidden errors when trying to push to GitHub. It seems to either not like the token it's getting, or not think that token has the right permissions. Possibly something to do with the switch to peter-murray/workflow-application-token-action starting in 3979c65? I can't see anything more specific about the errors from what's in those logs, though.

[Pandapip1]

The weird thing is that I switched to the old PAT that was used for the original action in f2ae4c0 (${{ secrets.API_TOKEN_GITHUB }} rather than ${{ steps.get_workflow_token.outputs.token }}) and yet it still fails. Unfortunately, I got swamped with midterms and problem sets right after I started the transition, which is why I haven't fixed this yet. However, it seems that the action wants to try to push as github-actions[bot] despite this (I believe) being a user PAT.

[Rhys-T]

Possibly relevant: ad-m/github-push-action#52
Early comments there suggest that the actions/checkout step is adding a setting to the git config that messes up the push authentication. The checkout action's post step does clean up that setting, but that only happens after the push has already been attempted. Someone in that thread pointed to ad-m/github-push-action#44 (comment), which suggests adding persist-credentials: false to the checkout step as a solution (along with fetch-depth: 0, but you already have that).

There were also people saying to add permissions: write-all to the workflow, but I wouldn't think that would be relevant if you're using the app token.

[Pandapip1]

Resolved by putting the update workflows in the repositories the workflows update. I don't know why it kept on trying to log in at github-actions[bot]. It very well may be still doing that, but the system works now, so I'm closing this.

[Rhys-T]

Hmm… it's updating the main branches of both repos okay now, but it doesn't look like the gh-pages branch that actually runs the NUR site is getting rebuilt and updated yet.

I see the make command that builds the pages was removed from ci/update-nur-search.sh in 1867eb5 - what should be running it instead?

[Pandapip1]

Good catch -- I'll fix that right now.

[Rhys-T]

The old version of the command used nix-shell to pull in Hugo, instead of installing a .deb:

NUR/ci/update-nur-search.sh

Line 34 in aa1a5c3

nix-shell --run "make clean && make && make publish"

Would it be worth changing back to that?

(The make publish part can probably go away since you're using actions/upload-pages-artifact. Not sure whether the make clean is important or not.)

Edit: Ah, I guess that's what the # TODO: Use nix / flakes is about. Never mind.

[Rhys-T]

@Pandapip1

It looks like the deploy_website job is failing now - either not getting a token, or not getting one with enough permissions. I don't know whether it needs to go through peter-murray/workflow-application-token-action or the builtin token stuff.

However, before fixing that, there's also a problem with the update_website job - it's not actually generating any web pages! I noticed in the output from Hugo that it only showed 7 pages, and sure enough, when I downloaded the artifact, there were no HTML files - just a few RSS and other XML files. My guess is that the checkout step needs to have submodules: true added to its with: section, to make sure the theme files get checked out as well.

[Pandapip1]

Thanks! I'll try to fix this now. I had some stuff I had to do.

[Rhys-T]

As far as I can tell so far, the site seems to be working correctly now. Thanks!

(At first I thought there was a problem, since my repo disappeared from the site entirely, but on closer examination of the update_search logs, it turned out that I had messed something up on my end, and one of my packages' meta.homepage wasn't evaluating properly - it was being inherited from the wrong thing. I've pushed the fix to my repo and will check on it tomorrow. Edit: Yep, that's all it was.)

[Pandapip1]

Yea, I'll see how feasible implementing #376 is.