You are viewing a plain text version of this content. The canonical link for it is here.
Posted to builds@apache.org by Allen Wittenauer <aw...@apache.org> on 2021/12/24 01:59:31 UTC
Github Token Permissions
Did something change with ASF github token permissions? It would appear one of our workflows can no longer write Statuses. (I haven’t checked if Checks still work or not.)
Re: Github Token Permissions
Posted by Gavin McDonald <gm...@apache.org>.
Hi,
On Sat, Dec 25, 2021 at 5:49 PM Allen Wittenauer <aw...@effectivemachines.com>
wrote:
>
>
> > On Dec 25, 2021, at 3:42 AM, Gavin McDonald <gm...@apache.org>
> wrote:
> >
> > Hi
> >
> > On Sat, Dec 25, 2021 at 12:24 PM Gavin McDonald <gm...@apache.org>
> wrote:
> > I'll take a look, note that Infra has not changed anything, so we can
> rule that out as a possible cause.
> >
> > I see the last two builds failed the test-patch step, but doesnt say
> why.
> > Can you let me know how you narrowed the failure down to the built in
> GITHUB_TOKEN ?
>
> If you look at the raw logs, you’ll see Yetus trying to write a
> github status and throwing that error. If it could write, it would tell you
> why the job failed. Looking at a working vs. not working job setup, it is
> clear the token permissions have changed from write to read.
>
To reiterate, and it seems you are again implying Infra changed something,
we have not. the only token in that code in the built in GITHUB_TOKEN.
> At this point, I’m just going to assume that we’ll need to code
> around this change. :(. Not sure how we’ll do that, but…
>
Or, I can continue to investigate, like I said I would, up to you...
--
*Gavin McDonald*
Systems Administrator
ASF Infrastructure Team
Re: Github Token Permissions
Posted by Allen Wittenauer <aw...@effectivemachines.com.INVALID>.
> On Dec 25, 2021, at 3:42 AM, Gavin McDonald <gm...@apache.org> wrote:
>
> Hi
>
> On Sat, Dec 25, 2021 at 12:24 PM Gavin McDonald <gm...@apache.org> wrote:
> I'll take a look, note that Infra has not changed anything, so we can rule that out as a possible cause.
>
> I see the last two builds failed the test-patch step, but doesnt say why.
> Can you let me know how you narrowed the failure down to the built in GITHUB_TOKEN ?
If you look at the raw logs, you’ll see Yetus trying to write a github status and throwing that error. If it could write, it would tell you why the job failed. Looking at a working vs. not working job setup, it is clear the token permissions have changed from write to read.
At this point, I’m just going to assume that we’ll need to code around this change. :(. Not sure how we’ll do that, but…
Re: Github Token Permissions
Posted by Gavin McDonald <gm...@apache.org>.
Hi
On Sat, Dec 25, 2021 at 12:24 PM Gavin McDonald <gm...@apache.org>
wrote:
> I'll take a look, note that Infra has not changed anything, so we can rule
> that out as a possible cause.
>
I see the last two builds failed the test-patch step, but doesnt say why.
Can you let me know how you narrowed the failure down to the built in
GITHUB_TOKEN ?
Gav...
>
> On Fri, Dec 24, 2021 at 7:32 PM Allen Wittenauer <aw...@effectivemachines.com>
> wrote:
>
>>
>> The one that actually uses Apache Yetus to test Apache Yetus:
>>
>> https://github.com/apache/yetus/blob/main/.github/workflows/yetus.yml
>>
>> "ERROR: Failed to write github status. Token expired or missing
>> repo:status write?"
>>
>> It was working fine a bit over 2 weeks ago and now it isn’t. I forgot
>> that the ’Set up job’ section actually shows the permissions of the token.
>> Comparing working vs. not-working, it is pretty obvious something has
>> changed. (Given what Apache Yetus does, this functionality is _very_
>> critical…)
>>
>>
>> > On Dec 24, 2021, at 12:29 AM, Gavin McDonald <gm...@apache.org>
>> wrote:
>> >
>> > Hi Allen,
>> >
>> > Which workflow please?
>> >
>> > On Fri, Dec 24, 2021 at 2:59 AM Allen Wittenauer <aw...@apache.org> wrote:
>> >
>> >>
>> >>
>> >> Did something change with ASF github token permissions? It would
>> appear
>> >> one of our workflows can no longer write Statuses. (I haven’t checked
>> if
>> >> Checks still work or not.)
>> >
>> >
>> >
>> > --
>> >
>> > *Gavin McDonald*
>> > Systems Administrator
>> > ASF Infrastructure Team
>>
>>
Re: Github Token Permissions
Posted by Gavin McDonald <gm...@apache.org>.
I'll take a look, note that Infra has not changed anything, so we can rule
that out as a possible cause.
On Fri, Dec 24, 2021 at 7:32 PM Allen Wittenauer <aw...@effectivemachines.com>
wrote:
>
> The one that actually uses Apache Yetus to test Apache Yetus:
>
> https://github.com/apache/yetus/blob/main/.github/workflows/yetus.yml
>
> "ERROR: Failed to write github status. Token expired or missing
> repo:status write?"
>
> It was working fine a bit over 2 weeks ago and now it isn’t. I forgot that
> the ’Set up job’ section actually shows the permissions of the token.
> Comparing working vs. not-working, it is pretty obvious something has
> changed. (Given what Apache Yetus does, this functionality is _very_
> critical…)
>
>
> > On Dec 24, 2021, at 12:29 AM, Gavin McDonald <gm...@apache.org>
> wrote:
> >
> > Hi Allen,
> >
> > Which workflow please?
> >
> > On Fri, Dec 24, 2021 at 2:59 AM Allen Wittenauer <aw...@apache.org> wrote:
> >
> >>
> >>
> >> Did something change with ASF github token permissions? It would appear
> >> one of our workflows can no longer write Statuses. (I haven’t checked
> if
> >> Checks still work or not.)
> >
> >
> >
> > --
> >
> > *Gavin McDonald*
> > Systems Administrator
> > ASF Infrastructure Team
>
>
--
*Gavin McDonald*
Systems Administrator
ASF Infrastructure Team
Re: Github Token Permissions
Posted by Allen Wittenauer <aw...@effectivemachines.com.INVALID>.
The one that actually uses Apache Yetus to test Apache Yetus:
https://github.com/apache/yetus/blob/main/.github/workflows/yetus.yml
"ERROR: Failed to write github status. Token expired or missing repo:status write?"
It was working fine a bit over 2 weeks ago and now it isn’t. I forgot that the ’Set up job’ section actually shows the permissions of the token. Comparing working vs. not-working, it is pretty obvious something has changed. (Given what Apache Yetus does, this functionality is _very_ critical…)
> On Dec 24, 2021, at 12:29 AM, Gavin McDonald <gm...@apache.org> wrote:
>
> Hi Allen,
>
> Which workflow please?
>
> On Fri, Dec 24, 2021 at 2:59 AM Allen Wittenauer <aw...@apache.org> wrote:
>
>>
>>
>> Did something change with ASF github token permissions? It would appear
>> one of our workflows can no longer write Statuses. (I haven’t checked if
>> Checks still work or not.)
>
>
>
> --
>
> *Gavin McDonald*
> Systems Administrator
> ASF Infrastructure Team
Re: Github Token Permissions
Posted by Gavin McDonald <gm...@apache.org>.
Hi Allen,
Which workflow please?
On Fri, Dec 24, 2021 at 2:59 AM Allen Wittenauer <aw...@apache.org> wrote:
>
>
> Did something change with ASF github token permissions? It would appear
> one of our workflows can no longer write Statuses. (I haven’t checked if
> Checks still work or not.)
--
*Gavin McDonald*
Systems Administrator
ASF Infrastructure Team