Bumper jobs failing #1005

Open
yakimant opened this issue Dec 18, 2023 · 12 comments
@yakimant
Member Author

yakimant commented Dec 18, 2023

Added status-im-auto token to ACTIONS_GITHUB_TOKEN

And added it to nwaku & nimbus:
https://github.com/waku-org/nwaku/settings/access
https://github.com/status-im/nimbus-eth2/settings/access

@yakimant yakimant self-assigned this Dec 18, 2023
@yakimant
Member Author

Found out experimentally that public_repo is required, see
https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps

@yakimant
Member Author

Codex repo is missing the status-im-auto user with Write permissions.

@yakimant
Member Author

Bumper is green again:
https://github.com/status-im/nim-libp2p/actions/workflows/bumper.yml

@jakubgs, please review this workaround when you are back.

Token for status-im-auto:
https://github.com/settings/tokens/1428298602

@yakimant
Member Author

This is a useful part of the security guide:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#considering-cross-repository-access

This list describes the recommended approaches for accessing repository data within a workflow, in descending order of preference:

  1. The GITHUB_TOKEN
  2. Repository deploy key
  3. GitHub App tokens
  4. personal access tokens
  5. SSH keys on a personal account

We use approach 4. And it looks like we can't use 1, because we need write access to other repos. So it's worth checking 2 and 3.

@jakubgs

jakubgs commented Jan 3, 2024

If possible we should avoid using old "classic" tokens and we should try to create as specific "Fine-grained personal access tokens" as possible. They can be created to target a specific repo with a specific permission only.
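
Added example, not part of the original thread or the project's code: a least-privilege check for the classic token discussed above, comparing the scopes GitHub reports in the X-OAuth-Scopes response header against the single scope found necessary (public_repo). The function names and sample headers are constructed for illustration; the `ghp_` and `github_pat_` prefixes are GitHub's published token formats.

```python
# Added example: audit a classic GitHub token's scopes against the one scope
# the thread found necessary (public_repo). Headers below are constructed.

REQUIRED = {"public_repo"}
# In GitHub's scope hierarchy the broad "repo" scope includes "public_repo".
IMPLIES = {"repo": {"public_repo"}}


def token_kind(token):
    """Classify a token by GitHub's published prefixes."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def parse_scopes(headers):
    """Read X-OAuth-Scopes; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return {s.strip() for s in value.split(",") if s.strip()}
    return set()


def audit(token, headers, required=REQUIRED):
    """Report scopes that are missing and scopes beyond what is required."""
    kind = token_kind(token)
    granted = parse_scopes(headers)
    effective = set(granted)
    for scope in granted:
        effective |= IMPLIES.get(scope, set())
    return {
        "kind": kind,
        # Fine-grained tokens carry per-repository permissions, not scopes.
        "uses_scopes": kind == "classic",
        "missing": sorted(required - effective),
        "excess": sorted(granted - required),
    }


if __name__ == "__main__":
    fake = "ghp_" + "x" * 36  # constructed placeholder, not a real token
    # Constructed headers, shaped like the response to an authenticated
    # `curl -sI https://api.github.com/user` request.
    print(audit(fake, {"X-OAuth-Scopes": "repo, workflow"}))
    print(audit(fake, {"x-oauth-scopes": "public_repo"}))
```

A non-empty "excess" list means the token can do more than the bumper job needs and should be reissued with narrower scopes.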

@yakimant
Member Author

yakimant commented Jan 10, 2024

"Fine-grained" token didn't work with user owner - git fails to push:

remote: Permission to status-im/nimbus-eth2.git denied to status-im-auto.
fatal: unable to access 'https://github.com/status-im/nimbus-eth2/': The requested URL returned error: 403

https://github.com/status-im/nim-libp2p/actions/runs/7252738074/job/20160975446

Organisation-wide token worked! We'll need to have 1 token for each of 3 orgs (waku, status and codex) and update the job.

@kaiserd kaiserd moved this to new in nim-libp2p May 2, 2024
@kaiserd kaiserd moved this from new to In Progress in nim-libp2p May 10, 2024
@diegomrsantos
Contributor

@yakimant what's the status here?

@yakimant
Member Author

No update since January.

There are 2 options:

  • Deploy keys
  • Create a GitHub user with limited permissions just for this task

@diegomrsantos
Contributor

Is there any pending input from the libp2p team?

@kaiserd kaiserd moved this from In Progress to Pipeline in nim-libp2p Jul 26, 2024