updating Version Packages PR uses GITHUB_TOKEN instead of PAT #70
Comments
|
Could you describe in more detail which part of the workflow is not using the PAT? I'm a little bit confused considering the given description. |
|
Hi @Andarist, A1 and B1 are where the new features are merged into master A2 is correctly triggering GH Actions, while B2 does not (preventing status checks from passing) Hope that made it clearer (and not worse lol) Thanks |
|
Hah, that's a little bit strange - I would suspect that it's a problem with triggers that you have set up for your CI job. Could you paste in your |
|
Yes using GH actions, master CI branch has: npm run release does a And on pull requests: On feature/* branches, this PR action runs whenever pull requests are created or updated with new commits. On changeset-release/master branches (the Version Packages pull request) will use my PAT and trigger the action: But the next changes from master would be pushed by github-actions bot which won't trigger the action: |
|
Wow, that's quite strange - the PRs are opened & updated using very similar logic: Lines 266 to 283 in b3300fa that uses the very same Octokit instance that is created using the same token: Line 172 in b3300fa But actually, all commits (including the first one that "creates" a PR) are signed by a github-actions bot: Lines 24 to 27 in b3300fa It's only the PR itself that is authored by your personal account. One thing - could you change your CI triggers to: on: [pull_request, push] |
|
i'd think it would still not get triggered with a push from github-actions bot. i should set up a public repo to repro this, didn't realize there's free minutes for gh actions |
|
I'm facing this issue as well. Maybe this is a bug with GitHub Actions. Perhaps it would be better to rename |
|
That's an interesting idea - would be great if you could test this with a different name for this env. |
|
I was wrong. I read another issue that reminded me that we need to tell the checkout action to use the PAT as well. This looks like your issue as well @emilgp. It should look like: - name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
token: ${{ secrets.PAT_TOKEN }} |
|
my PAT token actually stopped working, i keep getting this error after Regenerating the token didn't help. Changed back to GITHUB_TOKEN which creates the Version Packages PR but does not trigger the PR action. Tried changing back to PAT then it worked again, so i can't tell if applying changes from @ianwalter would help. I'm facing issues around the tokens in other actions as well, will have to see how github support figures them out. |
|
@ianwalter did switching to PAT solve your problem entirely? are workflows run even after the versioning PR gets force-pushed after a fresh merge to your main branch? @emilgp let me know if I can be of any assistance |
|
Any action with GITHUB_TOKEN will not trigger actions. This is to stop circular triggers. Basically if you want to do anything with GITHUB_TOKEN and have an action trigger you need to use your own PAT rather than GITHUB_TOKEN. So if you manually merged the PR then the master workflow would run, but any pushes to the PR would not. |
Yes |
Right. I don't think this is really that developer-friendly though. There is no such guard when using other CI providers and somehow we don't end up having this problem that often 😉 |
|
Yep, it is an annoying limitation. We have created a service account and generated a PAT which we put in our organisations secrets and use that for anything we need to trigger actions. |
|
This could be addressed by allowing configuration of the git user here Lines 4 to 17 in aacbc22 |
|
@jonrohan are you saying that using PAT is not enough and GitHub doesn't trigger workflows based on the user as well? |
|
PAT tokens work on triggering actions, but this library is still using the GitHub action token when pushing commits |
|
@jonrohan not sure if I understand the issue you are facing. To the best of my knowledge, this is not possible - if you only give the PAT to us. We can't access the secrets on our own so the only way for us to access any token is for users to give it to us. Which is done using the |
|
Hi I seem to have ran into this - subsequent "force pushes" to the version PRs aren't having CI run - the branches are "force pushed" by github-actions-bot, not the user account. Strangely - keystone js doesn't seem to have this problem? What's different? Mine: atlassian-labs/compiled#698
Keystones: keystonejs/keystone#5086
|
|
It'll be because of this line: https://github.com/keystonejs/keystone/blob/955787055a54fb33eb45c80dd39fa86a9ff632a0/.github/workflows/release.yml#L17 |
|
Interesting! Will change it and see what happens.
Edit: That works! atlassian-labs/compiled#698
Thanks @mitchellhamilton +++
|
|
yep, indeed, guys, it works for us too 👍 maybe we should include this recommendation in the docs? |
changesets/action#70 seems to help Hopefully it does lol
#1833) ## Summary: This uses the checkout action with ssh-key and persist-credentials to see if it fixes the release workflow so that updates to Version Packages run our expected actions. This approach was garnered through reading various responses to changesets/action#70. Specifically: - changesets/action#70 (comment) - changesets/action#70 (comment) Issue: XXX-XXXX ## Test plan: Land this PR and see what happens with the Version Packages PR when it is created, updated, and landed. Author: somewhatabstract Reviewers: jandrade Required Reviewers: Approved By: jandrade Checks: ✅ codecov/project, ✅ Check build sizes (ubuntu-latest, 16.x), ✅ Test (ubuntu-latest, 16.x, 2/2), ✅ Test (ubuntu-latest, 16.x, 1/2), ✅ Lint (ubuntu-latest, 16.x), ⏭ Chromatic - Build on Release PR (PR opened), ✅ gerald, ✅ Prime node_modules cache for primary configuration (ubuntu-latest, 16.x), ⏭ dependabot, ✅ Chromatic - Build on review PR (push) / chromatic (ubuntu-latest, 16.x), ⏭ Chromatic - Skip on dependabot PRs (push) Pull Request URL: #1833
Background
We have this running in master.yml
We also have a separate pull_request.yml that runs the usual lint and test status checks before it can be merged
When we used
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}before the PR action is not being triggered, so we had to use PAT. Now after a successful changeset merge it will create a new Version Packages PR and trigger the PR Action.Problem
After a changeset merge with an existing Version Packages PR, the changes are pushed into the Version Packages PR correctly, however it is not triggering the action (git push is using GITHUB_TOKEN again)
Anyone found a way to have that git push use PAT as well?
Thanks
The text was updated successfully, but these errors were encountered: