Gate googlesource cookie setup on cookie presence #6618

Merged: emily-shen merged 1 commit into main from fix/googlesource-cookie-gate, Apr 21, 2026

@ascorbic ascorbic commented Apr 20, 2026

The Configure Googlesource credentials steps in setup-runner currently run whenever github.event.pull_request.head.repo.fork == false. Dependabot PRs satisfy that condition (their branches live in-repo), but Dependabot-triggered workflows don't have access to repository Actions secrets, so inputs.GOOGLESOURCE_COOKIE resolves to an empty string. We still rewrite chromium.googlesource.com to the authenticated /a/ endpoint and write an empty cookie, and Bazel then fails every dependency fetch with:

fatal: unable to access 'https://chromium.googlesource.com/a/chromium/src/third_party/zlib.git/': The requested URL returned error: 400
remote: message: "Invalid authentication credentials. Please generate a new identifier: https://chromium.googlesource.com/new-password"

This broke every Dependabot PR, e.g. #6418.

This PR switches to gate the credential setup on the cookie actually being present, instead of just whether it's a fork.
When the cookie is empty (forks, Dependabot, local/manual runs) we skip the rewrite and the cookie file, letting Bazel fall back to the unauthenticated chromium.googlesource.com endpoint. That endpoint is slower and more rate-limited - which is why #6511 introduced auth - but it works without credentials and is no worse than the state prior to #6511 for these cases.

The current check (head.repo.fork == false) lets Dependabot PRs through
because their branches live in-repo, but Dependabot-triggered workflows
don't have access to Actions secrets. GOOGLESOURCE_COOKIE ends up empty,
yet we still rewrite chromium.googlesource.com URLs to the authenticated
/a/ endpoint, which then fails every Bazel dependency fetch with
HTTP 400.

Gate on the input being non-empty instead. This naturally covers forks
(secrets not forwarded), Dependabot (no secret access), and local runs
(no cookie at all), falling back to the unauthenticated endpoint which
is slower / rate-limited but functional.

Fixes CI on Dependabot PRs, e.g. #6418.
@ascorbic ascorbic requested review from a team as code owners April 20, 2026 14:12
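
As an added illustration of the gate described in the pull request description (not the setup-runner action's own code): a POSIX shell function that writes the cookie file and the /a/ rewrite only when a cookie was actually supplied. The function name, the file paths, the generated git config layout, and the assumption that the secret holds complete cookie-file lines are all hypothetical.

```shell
#!/bin/sh
# Added example, not the project's code. Assumptions: the secret value is one or
# more complete Netscape-format cookie lines, and the caller points git at the
# generated config file (for example through GIT_CONFIG_GLOBAL).

GS_HOST="chromium.googlesource.com"

# configure_googlesource COOKIE COOKIE_FILE GITCONFIG
# Returns 0 when authenticated access was configured,
#         1 when it was skipped because no cookie is available,
#         2 when the cookie file could not be written.
configure_googlesource() {
  gs_cookie=$1
  gs_cookie_file=$2
  gs_gitconfig=$3

  # Gate on the credential itself, not on where the PR came from. Forks,
  # Dependabot and local runs all arrive here with an empty value.
  if [ -z "$gs_cookie" ]; then
    echo "no googlesource cookie; using unauthenticated https://${GS_HOST}/" >&2
    return 1
  fi

  # Create the cookie file owner-only before any secret bytes are written.
  ( umask 077; printf '%s\n' "$gs_cookie" > "$gs_cookie_file" ) || return 2

  # Only now point fetches at the authenticated /a/ endpoint. Writing the
  # rewrite without a valid cookie is what produced the HTTP 400 failures.
  printf '[http]\n\tcookiefile = %s\n[url "https://%s/a/"]\n\tinsteadOf = https://%s/\n' \
    "$gs_cookie_file" "$GS_HOST" "$GS_HOST" >> "$gs_gitconfig"
  return 0
}
```

In a workflow the first argument would come from the action input; when the function returns 1 nothing is written, so git keeps using the plain chromium.googlesource.com URLs.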

github-actions Bot commented Apr 20, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

ask-bonk Bot commented Apr 20, 2026

All callers pass ${{ secrets.GOOGLESOURCE_COOKIE }}, which resolves to an empty string when secrets aren't available (Dependabot, forks). The input is marked required: true but GitHub Actions treats an empty string as satisfying required for composite action inputs. The condition change from github.event.pull_request.head.repo.fork == false to inputs.GOOGLESOURCE_COOKIE != '' is a strictly better guard -- it checks the actual precondition (cookie presence) rather than a proxy (fork status) that doesn't account for Dependabot.

The change is minimal, correct, and well-documented with a clear comment explaining the fallback behavior. No security, compatibility, or logic issues.

LGTM

@ascorbic (Contributor, Author)

I have read the CLA Document and I hereby sign the CLA

github-actions Bot added a commit that referenced this pull request Apr 20, 2026

@penalosa penalosa left a comment

Approved, but can you reword the comments and description to reflect the actual problem this is solving?

@emily-shen emily-shen merged commit b71cfd7 into main Apr 21, 2026
23 of 24 checks passed
@emily-shen emily-shen deleted the fix/googlesource-cookie-gate branch April 21, 2026 13:04