Github Actions custom deployment protection rule approval not working

[juicemia]

Select Topic Area

Bug

Body

Hello,

I'm following the documentation here for creating a webhook server that will handle approvals/rejections of deployments in an environment.

I have my code in this gist. It's very messy I'm just trying to get a basic POC running locally using ngrok.

I'm stuck on actually making the approval. It's failing on the POST request to https://api.github.com/repos/ORG/REPO/actions/runs/RUN_ID/deployment_protection_rule. I'm getting the following response:

{"message":"No pending custom deployment requests in workflow run `RUN_ID` to approve or reject","documentation_url":"https://docs.github.com/rest/actions/workflow-runs#review-custom-deployment-protection-rules-for-a-workflow-run","status":"422"}

This is for a private repo, but we have Github Enterprise so according to the docs here we should have access to all the forms of protection rules on our private repos.

It seems like the whole flow works even though the repos are private. The webhook is firing the way I expect, I just can't figure out why this last part is failing.

I'm suspecting it might be a permissions issue due to a discrepancy between the docs (which are probably geared towards public repositories) and my private repo. I see the following permissions on my installation token:

  "permissions": { "deployments": "write", "metadata": "read" },

I see that the installation token is being granted access to the right repository. I'm thinking maybe there's a missing permission so when the request is made, it can't see the protection rule even though I can see it in the UI.

UPDATE

I ported over the code to JavaScript seeing as how this webhook would be implemented in a NextJS app anyways. I have everything set up and I'm getting the same error. This is the webhook code:

interface WebhookPayload {
  deployment_callback_url: string;
  deployment: {
    environment: string;
  };
  installation: {
    id: number;
  };
  repository: {
    id: number;
    name: string;
    owner: {
      login: string;
    };
  };
}

export const POST = async (request: NextRequest): Promise<NextResponse> => {
  // TODO: verify header with HMAC(buf, secretToken)

  const payload: WebhookPayload = await request.json();

  const token = jwt.sign(
    {
      iss: "client id",
    },
    jwt_signing_key,
    { algorithm: "RS256", expiresIn: "5 minutes" }
  );

  const octokit = new Octokit({
    auth: token,
  });

  const installation_token = await octokit.rest.apps
    .createInstallationAccessToken({
      installation_id: payload.installation.id,
      repository_ids: [payload.repository.id],
      permissions: {
        deployments: "write",
      },
    })
    .then((resp) => {
      return resp.data.token;
    })
    .catch((e) => {
      console.error(
        `unable to get installation token for installation: ${payload.installation.id}, repository: ${payload.repository.id}`,
        e
      );

      throw e;
    });

  const path = payload.deployment_callback_url.slice(
    "https://api.github.com".length
  );

  const appOctokit = new Octokit({ auth: installation_token });

  await appOctokit.rest.actions.reviewCustomGatesForRun({
    environment_name: payload.deployment.environment,
    owner: payload.repository.owner.login,
    repo: payload.repository.name,
    run_id: parseInt(path.split("/").slice(-2, -1)[0]),
    state: "approved",
  });

  return new NextResponse(null, { status: 200 });
};

This is the error object getting logged:

{
  status: 422,
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-rest.js/21.0.1 octokit-core.js/6.1.2 Node.js/20.18.0 (darwin; arm64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: [Object: null prototype] {
      environment_name: 'production',
      state: 'approved'
    },
    request: { hook: [Function: bound bound register] }
  },
  response: {
    url: 'https://api.github.com/repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule',
    status: 422,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-length': '251',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Mon, 18 Nov 2024 15:55:02 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'deployments=write',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': 'E1EF:2961A2:29E88F:52312F:673B6356',
      'x-ratelimit-limit': '15000',
      'x-ratelimit-remaining': '14999',
      'x-ratelimit-reset': '1731948902',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '1',
      'x-xss-protection': '0'
    },
    data: {
      message: 'No pending custom deployment requests in workflow run `RUN_ID` to approve or reject',
      documentation_url: 'https://docs.github.com/rest/actions/workflow-runs#review-custom-deployment-protection-rules-for-a-workflow-run',
      status: '422'
    }
  }
}

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[juicemia]

I was able to figure this out with the help of Github Support.

According to the docs for creating an environment, the environment name isn't case sensitive. However, it seems like when passing the environment name in the HTTP request, the environment name is case sensitive.

The working code looks like this:

interface WebhookPayload {
  deployment_callback_url: string;
  environment: string;
  deployment: {
    environment: string;
  };
  installation: {
    id: number;
  };
  repository: {
    id: number;
    name: string;
    owner: {
      login: string;
    };
  };
}

export const POST = async (request: NextRequest): Promise<NextResponse> => {
  // TODO: verify header with HMAC(buf, secretToken)

  const payload: WebhookPayload = await request.json();

  const appOctokit = new Octokit({
    authStrategy: createAppAuth,
    auth: {
      appId: client_id,
      privateKey: jwt_signing_key,
      installationId: payload.installation.id,
    },
  });

  await appOctokit.request({
    url: payload.deployment_callback_url,
    method: "POST",
    // Even though environment names aren't case-sensitive according to the docs,
    // they are case sensitive when being used here. This field has the environment
    // name in the correct case.
    environment_name: payload.environment,
    // TODO: get this from the database
    state: "approved",
  });

  return new NextResponse(null, { status: 200 });
};