TypeError: Cannot read properties of undefined (reading 'createReview')

[maciejmakowski]

I am still in the process of further investigating what could have changed, but I thought I am going to post here in case anyone else has an idea.

As far as we know, nothing changed in the configuration of the token itself or the secret, but suddenly (around 12-24h ago) the setup that we had successfully working for months started failing with:

dependency type: production
security critical: false
config: production:semver:patch
production:semver:patch detected, will auto-merge
Error: Cannot read properties of undefined (reading 'createReview')
TypeError: Cannot read properties of undefined (reading 'createReview')
    at approve ([file:///action/lib/api.js:2:23](https://github.com/ahmadnassri/action-dependabot-auto-merge/blob/master/action/lib/api.js#L2))
    at default (file:///action/lib/index.js:31:11)
    at file:///action/index.js:[53](https://github.com/1debit/dependabot-test/actions/runs/3527941119/jobs/5919738455#step:4:54):7
    at ModuleJob.run (node:internal/modules/esm/module_job:194:25)

The line in question is this:

  await octokit.pulls.createReview({

Which appears to mean that octokit.pulls is undefined, but also that it does not appear to be a permission issue as such with the token since it got that far.

At first I thought that something might have changed on the latest 2.6.1 release from earlier today, but I confirmed that the issue is also still happening with 2.6.0 which as I said before we've been using fine for months.

I am also sending this to Github support, but I was wondering whether anyone else has seen this and if yes, whether they found a solution for it.

Thanks in advance.

[calteran]

I'm also seeing this in my projects, again, without changes on my side.

Run ahmadnassri/action-dependabot-auto-merge@v2
  with:
    github-token: ***
    target: minor
    config: .github/auto-merge.yml
    command: merge
    botName: dependabot
    approve: true
/usr/bin/docker run --name ghcrioahmadnassriactiondependabotautomergev2_55639b --label 290506 --workdir /github/workspace --rm -e "INPUT_GITHUB-TOKEN" -e "INPUT_TARGET" -e "INPUT_CONFIG" -e "INPUT_COMMAND" -e "INPUT_BOTNAME" -e "INPUT_APPROVE" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/phoenix/phoenix":"/github/workspace" ghcr.io/ahmadnassri/action-dependabot-auto-merge:v2
using workflow's "target": 
- match:
    dependency_type: all
    update_type: semver:minor

title: "Bump cypress from 11.1.0 to 11.2.0"
depName: cypress
from: 11.1.0
to: 11.2.0
dependency type: development
security critical: false
config: all:semver:minor
all:semver:minor detected, will auto-merge
Error: Cannot read properties of undefined (reading 'createReview')
TypeError: Cannot read properties of undefined (reading 'createReview')
    at approve (file:///action/lib/api.js:2:23)
    at default (file:///action/lib/index.js:31:11)
    at file:///action/index.js:53:7
    at ModuleJob.run (node:internal/modules/esm/module_job:194:25)

[mauriciabad]

Same here

[MarcelScheeler]

I can confirm the problem.

[char0n]

I can confirm as well. I've tried downgrading down to 2.5.x, with no effect. Still seeing the error.

[boboldehampsink]

Same here

[sdk1990]

Another one here.

[char0n]

For anybody looking for a solution for this problem.

Here is how my workflow looked before (using this action):

name: Merge me!

on:
  pull_request_target:

jobs:
  merge-me:
    name: Merge me!
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Merge me!
        uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.SWAGGER_BOT_GITHUB_TOKEN }}
          command: squash and merge

Here is the replacement workflow which works exactly the same:

name: Merge me!

on:
  pull_request_target:

jobs:
  merge-me:
    name: Merge me!
    runs-on: ubuntu-latest
    # Checking the actor will prevent your Action run failing on non-Dependabot
    # PRs but also ensures that it only does work for Dependabot PRs.
    if: github.actor == 'dependabot[bot]'
    steps:
      # This first step will fail if there's no metadata and so the approval
      # will not occur.
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      # Finally, tell dependabot to merge the PR if all checks are successful
      - name: Instruct dependabot to squash & merge
        if: ${{ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' }}
        uses: mshick/add-pr-comment@v2
        with:
          repo-token: ${{ secrets.SWAGGER_BOT_GITHUB_TOKEN }}
          allow-repeats: true
          message: |
            @dependabot squash and merge
        env:
          GITHUB_TOKEN: ${{ secrets.SWAGGER_BOT_GITHUB_TOKEN }}

[eliashaeussler]

Nice, thanks for sharing @char0n! 👍

[leezumstein]

Fairly certain you need to use octokit.rest.<api method> now with the latest version, why it's throwing an undefined error.

I can open a PR in a bit to update this.

[maciejmakowski]

Thank you for the quick turnaround on this @leezumstein and @ahmadnassri! I updated to 2.6.2 and things started working for us again. 🚀

I'm still trying to understand though how this broke without any visible changes? Or was Octokit somehow updated at the time when it broke without it being visible in the code changes in this repo?

I don't see any new releases of Octokit here either (or is that not the package this GH action is using?):
https://github.com/octokit/octokit.js/releases

[leezumstein]

Thank you for the quick turnaround on this @leezumstein and @ahmadnassri! I updated to 2.6.2 and things started working for us again. 🚀

I'm still trying to understand though how this broke without any visible changes? Or was Octokit somehow updated at the time when it broke without it being visible in the code changes in this repo?

I don't see any new releases of Octokit here either (or is that not the package this GH action is using?): https://github.com/octokit/octokit.js/releases

I believe this action still ends up pulling the updated docker image irregardless of which version of the action you're targeting.

Dependencies we're updated with the recent docker image push which caused the breaking change.

[maciejmakowski]

Can you please clarify @leezumstein: What is the Docker image you are referring to? Is it this one?
https://github.com/ahmadnassri/action-dependabot-auto-merge/pkgs/container/action-dependabot-auto-merge

I believe that's governed by this Dockerfile:
https://github.com/ahmadnassri/action-dependabot-auto-merge/blob/master/Dockerfile

With that, shouldn't the octokit dependencies be governed by what's in the package-lock.json?

There was only one change to dependencies in this repo when things broke (#162) and that didn't appear to touch on anything Github action or Octokit related.

I don't see at all when the change to have to use octokit.rest. was introduced, but I have to admit I don't really know where I should be looking for this:
https://github.com/octokit/octokit.js/releases
https://github.com/octokit/core.js/releases
https://github.com/octokit/rest.js/releases

As far as I can see, it should have been octokit.rest. for a long time, and so it's even more of a conundrum for me what changed and why this broke two days ago.

Again, just trying to understand what happened here for future reference and also as a learning experience for me.

[mknepprath]

I updated to 2.6.2 and things started working for us again. 🚀

Same, thanks!

[maciejmakowski]

@mknepprath looking at your PR (mknepprath/mknepprath-next#976), you probably want to go back to @2 now again, otherwise you'll get stuck on 2.6.2 or will have to continue to update it manually, unlike with @2 where you get update automatically.

Alternatively, you can also set up Dependabot to update your Github Actions too.