Bad Credentials #28

Closed
duxbuse opened this issue Jun 23, 2023 · 18 comments

@duxbuse

duxbuse commented Jun 23, 2023

Hey guys, I am trying to run this on GitHub Enterprise Server.

I set up the PAT correctly I think, perhaps I'm getting this issue 'cause it's not reaching out to my GitHub server but rather github.com?

Error Log

Run rmacklin/team-sync@v0
  with:
    repo-token: ***
    prefix-teams-with: GCP-
    team-data-path: .github/teams.yml
Error: HttpError: Bad credentials
Error: Bad credentials
@rmacklin
Owner

If you haven't tried this already, can you set the GITHUB_API_URL environment variable to your server's API URL? I believe that's how GHES is supported in the underlying actions/toolkit library:
https://github.com/actions/toolkit/pull/449/files#diff-90fa39202b2443e6608f1455a9ad340d0dd924bbe910c5440944d0e817725212R140

@rmacklin
Owner

Actually, I'm now remembering I had pushed another change related to GHES support, but I didn't have a GHES deployment to test it with so it's just been sitting on a branch. If you could try using rmacklin/team-sync@042d3b844823ea5ae2a03c23ea55e1c822deab51 and reporting back if it works (I think you would still need to set the environment variable I mentioned above), that would be helpful!

@duxbuse
Author

duxbuse commented Jun 25, 2023

Hey mate gave it a whirl but ran into the same issue for both https://corp-url.com and https://corp-url.com/api/v3/

Run rmacklin/team-sync@042d3b844823ea5ae2a03c23ea55e1c822deab51
  with:
    repo-token: ***
    team-data-path: .github/teams.yaml
    prefix-teams-with: GCP-
  env:
    GITHUB_API_URL: https://corp-url.com/api/v3/
Error: HttpError: Bad credentials
Error: Bad credentials

@rmacklin
Owner

Did you try https://api.corp-url.com?

@duxbuse
Author

duxbuse commented Jun 26, 2023

Same issue, though for GHE I'm 99% sure it can't change the pre-domain and so must use the /api/v3 format.

Run rmacklin/team-sync@042d3b844823ea5ae2a03c23ea55e1c822deab51
  with:
    repo-token: ***
    team-data-path: .github/teams.yaml
    prefix-teams-with: GCP-
  env:
    GITHUB_API_URL: https://api.corp-url/
Error: HttpError: Bad credentials
Error: Bad credentials

@rmacklin
Owner

rmacklin commented Jun 26, 2023

Gotcha. It's difficult for me to help debug this since I don't have access to a GHES deployment.

Some ideas:

@duxbuse
Author

duxbuse commented Jun 26, 2023

Ok tried with debug doesn't look that helpful:

##[debug]Evaluating condition for step: 'Run rmacklin/team-sync@042d3b844823ea5ae2a03c23ea55e1c822deab51'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run rmacklin/team-sync@04[2]
##[debug]Loading inputs
##[debug]Evaluating: secrets.ORG_ADMIN_ACCESS_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'ORG_ADMIN_ACCESS_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run rmacklin/team-sync@042d3b[8]
##[debug]Fetching authenticated user
Error: HttpError: Bad credentials
Error: Bad credentials
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run rmacklin/team-sync@042d3b844823ea5ae2a03c23ea55e1c822deab51

And yes our self hosted runners do have the proxy info set up, and we need to use a corp cert to auth. But that seems to be working.

@rmacklin
Owner

Another stab in the dark: are you able to successfully authenticate using the same token to connect manually to the GHES API, e.g. via curl (with no "Bad credentials" error)?

If so, can you try to create a standalone nodejs script that uses the token to create an octokit client and calls the same client.users.getAuthenticated() method?

If that also works, I think the next step would be to try forking the action and using https://github.com/mxschmitt/action-tmate for further debugging, if you're up for it.

@duxbuse
Author

duxbuse commented Jun 29, 2023

Hey mate,

I tried running

import * as github from '@actions/github'

const token = "****"


const client = new github.GitHub(token)
const authenticatedUserResponse = await client.users.getAuthenticated()
console.log(authenticatedUserResponse)

But I get:

const client = new github.GitHub(token)
               ^

TypeError: github.GitHub is not a constructor

Node.js v20.3.1

So looks like github.GitHub has become github.getOctokit

So then I tried

const token = "***"
const org = "my-org***"

const octokit = github.getOctokit(token);

const response = await octokit.rest.teams.list({
    org,
  });

And I got the same issue:
401 "Bad credentials"

So then I looked through the response and realised it was still calling github.com so I added the env var GITHUB_API_URL=https://corp-url/api/v3

Now I get 500: unable to verify the first certificate. Doh, OK, so we add the NODE_EXTRA_CA_CERTS env var.

Now the js runs fine and we get a 200 ok response.

Same for curl

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer *****"\
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://corp-url.com/api/v3/orgs/my-org***/teams

responds 200 ok

Key takeaways:
GITHUB_API_URL=https://courp-url.com/api/v3 - note no trailing /. Extra / breaks it.
Also, certificate issues are masked as Bad credentials, which makes it tough to debug.

However that being said it doesn't work in my github action

Run rmacklin/team-sync@042d3b844823ea5ae2a03c23ea55e1c822deab51
  with:
    repo-token: ***
    team-data-path: .github/teams.yaml
    prefix-teams-with: GCP-
  env:
    GITHUB_API_URL: https://corp-url.com/api/v3
    NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt

Error: HttpError: Bad credentials
Error: Bad credentials

So now I'm not sure what to try next?

Would really appreciate some more logs from octokit to help narrow down the issue.

@duxbuse
Author

duxbuse commented Jun 30, 2023

Could we perhaps add https://octokit.github.io/rest.js/v19#debug

@duxbuse
Author

duxbuse commented Jul 6, 2023

Luckily I am using self hosted runners so I can access the underlying runner very easily.

I tried running the above script directly on the runner and got the same results. So looks like rmacklin/team-sync@042d3b844823ea5ae2a03c23ea55e1c822deab51 doesn't respect the env var GITHUB_API_URL properly.

@duxbuse
Author

duxbuse commented Jul 6, 2023

Ok, realised I had an issue with my package version.

So re ran the tests this time pinning to

"dependencies": {
    "@actions/core": "^1.2.6",
    "@actions/github": "^2.2.0",
    "@octokit/rest": "^16.43.1"
  },

Code

// connection.js
import * as github from '@actions/github'

const token = "****"

const client = new github.GitHub(token);
const authenticatedUserResponse = await client.users.getAuthenticated();
const authenticatedUser = authenticatedUserResponse.data.login;
console.log(authenticatedUser)

Now if you just run that you get [HttpError]: Bad credentials

But if you set the env vars

GITHUB_API_URL=https://corp-url/api/v3 NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt node connection.js

Then it works fine.

This is running directly on the github actions runner itself.

So when I run:

- uses: rmacklin/team-sync@042d3b844823ea5ae2a03c23ea55e1c822deab51
      env:
        GITHUB_API_URL: https://corp-url/api/v3
        NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt
      with:
        repo-token: "${{ secrets.ORG_ADMIN_ACCESS_TOKEN }}"

I am really confused why it fails

@duxbuse
Author

duxbuse commented Jul 7, 2023

Ok so I was looking at

https://github.com/rmacklin/team-sync/blob/51102c729cfc2a68dbae1e745c7d596f1f3d8920/dist/index.js#L4207C18-L4207C18

and if I switch it to using

const client = new github.GitHub(token, {baseUrl: "https://corp-url/api/v3"});

I can get it to connect. So seems to me that the old version being used does not honor the GITHUB_API_URL env var.

So @rmacklin, I think the easy fix here is to update the version of @actions/github. If you go all the way to latest, we need to change github.GitHub() -> github.getOctokit(), a pretty small change though.

What is strange though is that version 2.2.0 should support it as per:
https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md#220
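
An added example, not from team-sync or the actions/toolkit code: a pre-flight helper covering the takeaways in the comments above (a trailing slash in GITHUB_API_URL, certificate failures surfacing as Bad credentials, and a token being sent to github.com when the variable is not honored). The names resolveBaseUrl and explainFailure and the shape of the sample error objects are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not part of team-sync or @actions/github.
const PUBLIC_API = 'https://api.github.com';

// Standard Node.js TLS verification error codes.
const TLS_CODES = new Set([
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE', // "unable to verify the first certificate"
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'DEPTH_ZERO_SELF_SIGNED_CERT',
  'CERT_HAS_EXPIRED',
]);

// Resolve the REST base URL from the environment. Plain HTTP is refused
// (the token would travel unencrypted) and trailing slashes are dropped.
function resolveBaseUrl(env) {
  const raw = (env.GITHUB_API_URL || '').trim();
  if (raw === '') return PUBLIC_API;
  const url = new URL(raw); // throws on a malformed value
  if (url.protocol !== 'https:') {
    throw new Error(`GITHUB_API_URL must use https, got ${url.protocol}`);
  }
  return (url.origin + url.pathname).replace(/\/+$/, '');
}

// Turn a failed request into a message that names the likely cause,
// so a trust-store problem is not reported as a credential problem.
function explainFailure(err, baseUrl, env) {
  const code = err.code || (err.cause && err.cause.code);
  const message = err.message || '';
  const tls = TLS_CODES.has(code) ||
    /unable to verify the first certificate/i.test(message);
  if (tls) {
    const ca = env.NODE_EXTRA_CA_CERTS
      ? `NODE_EXTRA_CA_CERTS=${env.NODE_EXTRA_CA_CERTS}`
      : 'NODE_EXTRA_CA_CERTS is unset';
    return `tls: certificate for ${baseUrl} is not trusted (${ca})`;
  }
  if (err.status === 401) {
    return baseUrl === PUBLIC_API && !env.GITHUB_API_URL
      ? `auth: 401 from ${PUBLIC_API}; GITHUB_API_URL is unset, so the token went to github.com`
      : `auth: 401 from ${baseUrl}; this host rejected the token`;
  }
  return `other: ${message}`;
}
```

The resolved value is meant to be passed explicitly as the client's baseUrl option, as in the constructor call quoted in the comment above, and logged before the first authenticated request.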

@rmacklin
Owner

rmacklin commented Jul 7, 2023

Hey @duxbuse,

Thanks for looking into this more! Could you try using rmacklin/team-sync@85f43964155f083db1b573accaedab207eab3c95 to see if that fixes it? If so, I'll merge into main and cut a new release.

@duxbuse
Author

duxbuse commented Jul 10, 2023

Hey mate, works a charm, thanks for this.

Only issue I've got now is:

##[debug]Existing team members for team slug gcp-team-reviewers:
##[debug]["s41853"]
##[debug]Keeping s41853 in gcp-team-reviewers
##[debug]Adding s76785 to gcp-team-reviewers
Error: HttpError: Not Found
Error: Not Found
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run rmacklin/team-sync@85f43964155f083db1b573accaedab207eab3c95

I am trying to add a user to a team that doesn't exist on GitHub (yet); would be really nice if the error message reflected that rather than Error: HttpError: Not Found. Had to switch debugging on to make sense of it.

@rmacklin
Owner

Glad to hear that worked! I've gone ahead and released that under v0.6.0 - thank you for your help in testing against a GHES deployment!

@rmacklin
Owner

As for improving that error message, we might be able to explicitly catch that exception and print a more specific error message - that said, it seems like an edge case and as you mentioned, with debug logging enabled, the reason for the error becomes pretty clear...

@duxbuse
Author

duxbuse commented Jul 19, 2023

Thanks mate appreciate your work ❤️
