Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release permission issues #86

Closed
ianhi opened this issue Jul 30, 2023 · 12 comments
Closed

release permission issues #86

ianhi opened this issue Jul 30, 2023 · 12 comments
Labels
bug Something isn't working

Comments

@ianhi
Copy link
Collaborator

ianhi commented Jul 30, 2023
edited

Description

It seems that non-admin users (e.g. me) cannot run the prep_release workflow.

https://github.com/jupyterlab-contrib/jupyterlab-vim/actions/runs/5708296240

Getting GitHub connection for jupyterlab-contrib/jupyterlab-vim
Getting permission level for ianhi
User ianhi does not have admin permission
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/jupyter_releaser/actions/prep_release.py", line 9, in <module>
    setup(False)
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/jupyter_releaser/actions/common.py", line 19, in setup
    return prepare_environment(fetch_draft_release=fetch_draft_release)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/jupyter_releaser/util.py", line 619, in prepare_environment
    raise RuntimeError(msg) from None
RuntimeError: Could not get user permission level, assuming user was not admin!
Prepare Environment

It would be good if all people with commit rights were able to run that workflow and have it succeed. Or is it possible for me to induce the bot (which seems to have permissions) to take action?

not sure who would know more about this. maybe @fcollonval and/or @jtpio seeing the conversation here: jupyterlab-contrib/jupyterlab-contrib.github.io#42
@ianhi ianhi added the bug Something isn't working label Jul 30, 2023
@ianhi ianhi mentioned this issue Jul 30, 2023
Merged
@jtpio
Copy link
Member

jtpio commented Jul 31, 2023

Thanks @ianhi.

There is indeed some effort to ease right managements for all the repos in this org: jupyterlab-contrib/jupyterlab-contrib.github.io#46

In the meantime I have added you to be an admin on the repo, if you would like to try running the workflow again.

@ianhi
Copy link
Collaborator Author

ianhi commented Jul 31, 2023

thanks @jtpio we are about to make a new release so I will try it out!

@ianhi
Copy link
Collaborator Author

ianhi commented Jul 31, 2023

thakn you! that definitely helped. I was able ot run both workflows. However, there may still be permission issues with tokens. in particular when I ran the publish release workflow it ran into this issue regarding tokens:

https://github.com/jupyterlab-contrib/jupyterlab-vim/actions/runs/5719591677/job/15497830782

Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.11.4/x64/bin/jupyter-releaser", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/jupyter_releaser/cli.py", line 122, in invoke
    super().invoke(ctx)
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/jupyter_releaser/cli.py", line 657, in publish_assets
    lib.publish_assets(
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/jupyter_releaser/lib.py", line 362, in publish_assets
    twine_token = python.get_pypi_token(release_url, python_package_path)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/jupyter_releaser/python.py", line 156, in get_pypi_token
    return fetch_pypi_api_token()
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/jupyter_releaser/python.py", line 139, in fetch_pypi_api_token
    r.raise_for_status()
  File "/opt/hostedtoolcache/Python/3.11.4/x64/lib/python3.11/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 422 Client Error: Unprocessable Entity for url: https://pypi.org/_/oidc/github/mint-token

@jtpio
Copy link
Member

jtpio commented Aug 1, 2023

Looks like the workflow seems to be properly configured to use the PyPI trusted publisher and nmp provenance though:

jupyterlab-vim/.github/workflows/publish-release.yml

Lines 18 to 21 in 78f3d62

permissions:
# This is useful if you want to use PyPI trusted publisher
# and NPM provenance
id-token: write

@ianhi
Copy link
Collaborator Author

ianhi commented Aug 1, 2023

ooh maybe it's that there are existings pypi and npm api keys on this repo:
image

I'm going to try to removing them and see if that fixes things

@ianhi
Copy link
Collaborator Author

ianhi commented Aug 1, 2023

hmm sadly removing them did not help

https://github.com/jupyterlab-contrib/jupyterlab-vim/actions/runs/5729062563/job/15525005353

@fcollonval
Copy link
Member

@ianhi I updated the project config on pypi.org to use the trusted publisher mechanism. It should now work.

@ianhi
Copy link
Collaborator Author

ianhi commented Aug 3, 2023

thanks @fcollonval it works now!

https://github.com/jupyterlab-contrib/jupyterlab-vim/actions/runs/5756014352/job/15604654019

@krassowski
Copy link
Collaborator

@ianhi Shall we close this issue now? Any thoughts about cutting a patch release now that #107 and #105 are in?

@ianhi
Copy link
Collaborator Author

ianhi commented Sep 6, 2023

Any thoughts about cutting a patch release now that #107 and #105 are in?

Let's do it! @krassowski do you have the permissions to release? In general I think anyone with the permissions on this repo should feel free to release at any point after an improvement has been merged.

I don't think there's ever been a formal release policy, but if I had to come up with one it would err pretty far on the side of releasing often. No downstream libraries depend on us (as far as I know) and I can't see much benefit in waiting to bundle multiple changes (as there just aren't that many). So after a bug fix unless there are some related fixes soon to be merged it makes sense to release immediately.

@ianhi ianhi closed this as completed Sep 6, 2023
@ianhi
Copy link
Collaborator Author

ianhi commented Sep 6, 2023

I have started the new release actions

@krassowski
Copy link
Collaborator

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jtpio @krassowski @fcollonval @ianhi