Token generated from GitHub App not working with push-to-fork #2848

Closed
AjayJagan opened this issue Apr 11, 2024 · 6 comments · Fixed by #3057

@AjayJagan

AjayJagan commented Apr 11, 2024

Subject of the issue

GitHub App can be used as a service account to generate short-lived tokens in the workflows. While trying to use such a token to create a pull request in a remote repo + push-to-fork, it fails with the error: Resource not accessible by integration
The fork exists in the same org, where the workflow runs and has the GH app installed in the fork repo.

Steps to reproduce

name: "test"
on:
  workflow_dispatch:
jobs:
  test:
    name: Test gh app token pr creation
    runs-on: ubuntu-latest
    steps:
      - uses: tibdex/github-app-token@v1
        id: generate-token
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Checkout remote repo
        uses: actions/checkout@v4
        with:
          token: ${{ steps.generate-token.outputs.token }}
          repository: <remote-repo-org>/<remote-repo-name>

      # Make changes to files

      - name: Create PR
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ steps.generate-token.outputs.token }}
          push-to-fork: <fork-repo-org>/<fork-repo-name> # This repo exists in the same org as the workflow and has the GH App installed.
          commit-message: <commit-message>
          delete-branch: true
          title: <title>

If this issue is describing a possible bug please provide (or link to) your GitHub Actions workflow.

Any help would be much appreciated :)

@peter-evans
Owner

Hi @AjayJagan

Firstly, you should check that generate-token is actually generating tokens.

> The fork exists in the same org, where the workflow runs and has the GH app installed in the fork repo.

The GH app should be installed in the repo where the workflow that needs to generate tokens is running. So it should be installed where the workflow runs, not the fork.
Please see the docs here to make sure it's set up correctly: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens

By the way, are you manually triggering this workflow from the UI? Or are you triggering it in some other way?

@AjayJagan
Author

AjayJagan commented Apr 12, 2024

I can see that it is generating the tokens using gh auth status (I tried using the action -> tibdex/github-app-token@v1 as well. No luck :( )
The above step is when I tried to create a PR directly using a shell script + gh CLI. (The same works with a PAT)

  ✓ Logged in to github.com account aj-gh-app[bot] (GH_TOKEN)
  - Active account: true
  - Git operations protocol: https
  - Token: ghs_************************************

Also, I tried using this token for updating repo variables, creating pr in the same repo etc and it worked well 😅
To make sure, I gave the option to install in All repositories and gave all the available permissions to the app.
For this case, I am manually triggering the workflow from UI

@peter-evans
Owner

This issue might be related: https://github.com/orgs/community/discussions/69154#discussioncomment-7191057
Could be worth trying that action with the owner input set.

There might be similar settings on tibdex/github-app-token to give wider permissions. See the installation_retrieval_mode and installation_retrieval_payload inputs here.

I don't know anything further to help you, but I think this use case is possible. It's just a matter of finding the right permissions and setup of the GH app.

Please let me know if you manage to solve this.

@AjayJagan
Author

tried both, still the same issue :(

@peter-evans
Owner

peter-evans commented Aug 18, 2024

Hi @AjayJagan

For the upcoming v7 release I've been doing lots of testing and I think I understand why this wasn't working for you. I've managed to get GitHub App generated tokens working with push-to-fork, but there are limitations, which may make it not viable for your particular case.

Please read the new documentation for the v7 release at the following link. If it's not clear and you don't understand how it applies to your case, please let me know.
https://github.com/peter-evans/create-pull-request/blob/signed-commits/docs/concepts-guidelines.md#pushing-to-a-fork-with-fine-grained-permissions

You can try the release candidate for v7 like this:

- uses: peter-evans/create-pull-request@v7-rc

@AjayJagan
Author

Sorry for the late reply but thanks for this @peter-evans :)
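
A preflight check for the setup discussed in this thread, as an added example that is not part of the original issue or the action's own code: it tests whether one GitHub App installation token can serve both the fork and the parent repository. It assumes push-to-fork needs `contents: write` on the fork and `pull_requests: write` on the parent; the `account` field (the installation's owner login), the repository names and the sample token are constructed for illustration.

```python
# Added example: preflight check for push-to-fork with a GitHub App token.
# The dict mirrors fields GitHub returns when an installation access token is
# created (permissions, repository_selection, repositories). The `account`
# field and all sample values are constructed, not taken from the issue.

LEVELS = {"read": 1, "write": 2, "admin": 3}

def covers(token, repo, permission, level):
    """True if the installation token grants `permission` >= `level` on `repo`."""
    owner = repo.split("/", 1)[0]
    # An installation token never reaches outside the account it is installed on.
    if owner.lower() != token["account"].lower():
        return False
    if token["repository_selection"] == "selected":
        names = {r["full_name"].lower() for r in token.get("repositories", [])}
        if repo.lower() not in names:
            return False
    granted = token["permissions"].get(permission)
    return LEVELS.get(granted, 0) >= LEVELS[level]

def push_to_fork_gaps(token, parent, fork):
    """List what a single token is missing for a push-to-fork pull request."""
    # Assumption: these are the two permissions push-to-fork requires.
    needs = [
        (fork, "contents", "write"),         # push the branch to the fork
        (parent, "pull_requests", "write"),  # open the PR on the parent
    ]
    return [f"{repo}: {perm}:{lvl}" for repo, perm, lvl in needs
            if not covers(token, repo, perm, lvl)]

# Constructed sample: app installed on "fork-org" only, all repositories.
SAMPLE_TOKEN = {
    "account": "fork-org",
    "repository_selection": "all",
    "permissions": {"contents": "write", "pull_requests": "write",
                    "metadata": "read"},
}

if __name__ == "__main__":
    gaps = push_to_fork_gaps(SAMPLE_TOKEN, "upstream-org/project",
                             "fork-org/project")
    for gap in gaps:
        print("missing:", gap)
```

A non-empty result means a single installation token cannot cover both repositories, even when the app was granted every permission.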
