Error releasing v1.22.0 #7875

Closed
DanBuild opened this issue Feb 5, 2020 · 8 comments

@DanBuild DanBuild commented Feb 5, 2020

An error was encountered while processing the CircleCI release build of v1.22.0:

Client error: `POST https://build.dan.cx/job/yarn-version/buildWithParameters` resulted in a `403 No valid crumb was included in the request` response:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was in (truncated...)


Response:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /job/yarn-version/buildWithParameters. Reason:
<pre>    No valid crumb was included in the request</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>

</body>
</html>

Re-running the build on CircleCI might fix it. Click "Rebuild" on this page to trigger a rebuild

Full logs: https://release.yarnpkg.com/log/release_circleci

cc @Daniel15 @arcanis


@Daniel15 Daniel15 commented Feb 5, 2020

@arcanis I manually kicked off the build which seemed to work.

I think our scripts are broken because of this change in a Jenkins update:

CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them. Scripts that obtain a crumb using the /crumbIssuer/api URL will now fail to perform actions protected from CSRF unless the scripts retain the web session ID in subsequent requests.
Scripts could instead use an API token, which has not required a CSRF token (crumb) since Jenkins 2.96.
To disable this improvement you can set the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true. Alternatively, you can install the Strict Crumb Issuer Plugin which provides more options to customize the crumb validation. It allows excluding the web session ID from the validation criteria, and instead e.g. replacing it with time-based expiration for similar (or even better) protection from CSRF.

from https://jenkins.io/doc/upgrade-guide/2.176/#SECURITY-626 and spinnaker/spinnaker#2067

We can probably move this to GitHub Actions now that it exists (there wasn't really anything similar when we built out this infra), but for now I'll just try out that plugin mentioned in the Jenkins docs, or figure out how to switch it to use an API token.
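Added example, not part of the original thread or the Yarn release scripts: a simplified Python model of the session-bound crumb check described in the quoted upgrade guide, showing why a script that drops the session cookie gets a 403 while one that keeps it, or uses an API token, succeeds. `MockJenkins`, the `release-bot` user and the token value are constructed for illustration and are not Jenkins's implementation.

```python
import hashlib
import hmac
import secrets

JOB = "/job/yarn-version/buildWithParameters"
USER, API_TOKEN = "release-bot", "constructed-api-token"  # constructed values

class MockJenkins:
    """Simplified model of session-bound crumb checks (not Jenkins's code)."""
    def __init__(self, exclude_session_id=False):
        self.salt = secrets.token_bytes(16)
        # Models hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true
        self.exclude_session_id = exclude_session_id

    def _crumb(self, user, session_id):
        bound = "" if self.exclude_session_id else session_id
        msg = f"{user}:{bound}".encode()
        return hmac.new(self.salt, msg, hashlib.sha256).hexdigest()

    def request(self, method, path, cookies=None, crumb=None, api_token=None):
        """Return (status, body, cookies); no session cookie means a new session."""
        cookies = dict(cookies or {})
        cookies.setdefault("JSESSIONID", secrets.token_hex(8))
        expected = self._crumb(USER, cookies["JSESSIONID"])
        if path == "/crumbIssuer/api/json":
            return 200, expected, cookies
        token_ok = hmac.compare_digest(api_token or "", API_TOKEN)
        crumb_ok = hmac.compare_digest(crumb or "", expected)
        if method == "POST" and not (token_ok or crumb_ok):
            return 403, "No valid crumb was included in the request", cookies
        return 200, "ok", cookies

def stateless_script(server):
    """Fetch a crumb, then POST without the session cookie (the failing pattern)."""
    _, crumb, _ = server.request("GET", "/crumbIssuer/api/json")
    return server.request("POST", JOB, crumb=crumb)[0]

def session_script(server):
    """Fetch a crumb and replay the same session cookie on the POST."""
    _, crumb, jar = server.request("GET", "/crumbIssuer/api/json")
    return server.request("POST", JOB, cookies=jar, crumb=crumb)[0]

def token_script(server):
    """Authenticate with an API token; no crumb is needed."""
    return server.request("POST", JOB, api_token=API_TOKEN)[0]

if __name__ == "__main__":
    for script in (stateless_script, session_script, token_script):
        print(script.__name__, script(MockJenkins()))
```

Passing `exclude_session_id=True` models the opt-out property from the quoted upgrade guide, under which the stateless script passes again.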


@Daniel15 Daniel15 commented Feb 5, 2020

@arcanis Did you want to bump this from RC to stable? I imagine we probably won't release RC versions of Yarn v1 any more, and everything will be stable releases.


@arcanis arcanis commented Feb 5, 2020

@Daniel15 Yep I agree, let's promote it to stable 👍


@Daniel15 Daniel15 commented Feb 5, 2020

The "promote to stable" button doesn't appear until the site shows the new RC version... Netlify is still building it. I'll click it once available.


@Daniel15 Daniel15 commented Feb 5, 2020

Promote to stable isn't working as the release is missing from npm. The release is missing from npm because the CircleCI build failed so it didn't complete the release process. I'm re-running the failed tests on CircleCI to see if that works to fix it.


@arcanis arcanis commented Feb 5, 2020

I think a regression got released together with recent Node 13 builds, hence the fails 🤔 This test should probably be silenced if possible, otherwise I'll open a PR tomorrow to disable it and republish a 1.22.1.


@Daniel15 Daniel15 commented Feb 5, 2020

The tarball (https://github.com/yarnpkg/yarn/releases/download/v1.22.0/yarn-v1.22.0.tar.gz) looks fine and that's what we publish to npm, so I'll just try running the update-npm.sh script locally.


@Daniel15 Daniel15 commented Feb 5, 2020

Completed

@Daniel15 Daniel15 closed this Feb 5, 2020