
openedx SEMANTIC_RELEASE_GITHUB_TOKEN secret lacks permissions to publish a release on GitHub #33

Open
OmarIthawi opened this issue Aug 8, 2023 · 0 comments


OmarIthawi commented Aug 8, 2023

Description

This repo uses the release.yml GitHub workflow, which runs the semantic-release npm package to publish GitHub releases and upload the atlas binary to them.

The npx semantic-release fails on this repo when the secrets.SEMANTIC_RELEASE_GITHUB_TOKEN is being used and the GitHub API returns a 404 error, which is sometimes another way to say permission error.

Here's the failed job attempt https://github.com/openedx/openedx-atlas/actions/runs/5786749334/attempts/1 with a 404 error

RequestError [HttpError]: Not Found
    at /home/runner/.npm/_npx/d32d92066bae6c10/node_modules/@octokit/request/dist-node/index.js:112:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async requestWithGraphqlErrorHandling (/home/runner/.npm/_npx/d32d92066bae6c10/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)
    at async Job.doExecute (/home/runner/.npm/_npx/d32d92066bae6c10/node_modules/bottleneck/light.js:405:18) {
  status: 404,
  response: {
    url: 'https://api.github.com/repos/openedx/openedx-atlas/releases',
    status: 404,

Current workaround

Because this affects the wider @openedx GitHub repository, @brian-smith-tcril and I chose not to edit the SEMANTIC_RELEASE_GITHUB_TOKEN.

We opted to use the github.token on the release.yml workflow instead. However, the github.token could be a bit less secure since it grants wider permissions as far as I know:

The release process now works well and uploads the binary successfully: https://github.com/openedx/openedx-atlas/releases/tag/v0.2.0

The updated workflow looks like the following:

- name: semantic release
  env:
    GITHUB_TOKEN: ${{ github.token }}

Suggested fix

Update the @openedx organization-wide secret to include permissions to manage the releases, upload artifacts, etc. I don't really know how to fix it because I don't have access to see what's in the SEMANTIC_RELEASE_GITHUB_TOKEN permissions list.

OmarIthawi changed the title from "openedx SEMANTIC_RELEASE_GITHUB_TOKEN secret is missing permissions to publish a release on GitHub" to "openedx SEMANTIC_RELEASE_GITHUB_TOKEN secret lacks permissions to publish a release on GitHub" on Aug 10, 2023
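
One way to scope github.token when it is used for the workaround above, as an added example that is not the project's actual release.yml: the workflow-level `permissions: {}` drops every default scope, and the release job re-grants only what publishing a release needs. The workflow name, trigger branch, job name and checkout step are assumptions; only the "semantic release" step and `npx semantic-release` come from the issue.

```yaml
# Added example, not the project's actual release.yml.
# Workflow name, trigger, job name and the checkout step are assumptions.
name: release
on:
  push:
    branches: [main]

# Start from zero: GITHUB_TOKEN gets no scope unless a job asks for it.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create the tag and release, upload release assets
      issues: write          # only if semantic-release comments on released issues
      pull-requests: write   # only if semantic-release comments on released PRs
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # semantic-release reads the full history and tags
      - name: semantic release
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: npx semantic-release
```

With job-level `permissions` set, any scope not listed is `none` for that job, so the token cannot touch Actions, packages or deployments even if a dependency pulled in by `npx` misbehaves.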