Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub Enterprise private repository action fails #923

Open
seantfish opened this issue Oct 12, 2024 · 2 comments · May be fixed by #926
Open

GitHub Enterprise private repository action fails #923

seantfish opened this issue Oct 12, 2024 · 2 comments · May be fixed by #926
Labels
bug Something isn't working

Comments

@seantfish
Copy link

Description

I am using a mirrored action-ros-ci repository to use on an Enterprise server. The action fails due to an issue seemingly related with Git and the way credentials are handled.

Expected Behavior

What I would expect is that this error would not happen and it would continue on into the build process.

Actual BehaviorWhen attempting to run the following:

name: Humble Source Build
on:
  workflow_dispatch:

jobs:
  humble_source:
    runs-on: ubuntu-latest
    container:
      image: osrf/ros:humble-desktop
      env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: <ENTERPRISE_MIRROR>/action-ros-ci@v0.3
        with:
          ref: humble
          target-ros2-distro: humble
          skip-tests: true
          import-token: ${{ secrets.GITHUB_TOKEN }}
          skip-rosdep-install: true
          rosdep-check: true

The action fails at:

Invoking: bash -c,vcs import --force --recursive src/ < package.repo
  /usr/bin/bash -c vcs import --force --recursive src/ < package.repo
  === src/yg5xuzuncnh/greenhorn (git) ===
Could not determine ref type of version: fatal: could not read Username for 'https://<ENTERPRISE_URL>/': No such device or address

To Reproduce

  1. Have the Git repository on an Enterprise server and run the above GitHub action.

  2. Navigate to details of failed action

  3. Look under Invoking: bash -c,vcs import --force --recursive src/ < package.repo

System (please complete the following information)

  • OS: Ubuntu 22.04 Jammy
  • ROS 2 Distro: Humble
  • Self-hosted GitHub Action runner

Additional context

There are no .repos dependencies specified for this repository.

This seems to possibly be an intersection of #533, #691, and #835.

I know this is hard to reproduce and I am happy to help. I am not very experienced with TypeScript however.
@seantfish seantfish added the bug Something isn't working label Oct 12, 2024
@christophebedard christophebedard linked a pull request Oct 15, 2024 that will close this issue
Draft
@christophebedard
Copy link
Member

Could not determine ref type of version: fatal: could not read Username for 'https://<ENTERPRISE_URL>/': No such device or address

is the address valid? It uses the GitHub server URL from the GITHUB_SERVER_URL (see the default environment variables here) here:

action-ros-ci/src/action-ros-ci.ts

Line 631 in 8bcafc2

const githubServerUrl = process.env.GITHUB_SERVER_URL as string;

Now that I'm looking at the code, though, it's probably because the code that sets up authentication using the provided token uses github.com:

  1. In the setup:

    action-ros-ci/src/action-ros-ci.ts

    Lines 523 to 572 in 8bcafc2

    // Unset all local extraheader config entries possibly set by actions/checkout,
    // because local settings take precedence and the default token used by
    // actions/checkout might not have the right permissions for any/all repos
    await execShellCommand(
    [
    `/usr/bin/git config --local --unset-all http.https://github.com/.extraheader || true`,
    ],
    options,
    );
    await execShellCommand(
    [
    String.raw`/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader'` +
    ` && git config --local --unset-all 'http.https://github.com/.extraheader' || true`,
    ],
    options,
    );
    // Use a global insteadof entry because local configs aren't observed by git clone
    await execShellCommand(
    [
    `/usr/bin/git config --global url.https://x-access-token:${importToken}@github.com.insteadof 'https://github.com'`,
    ],
    options,
    );
    // same as last three comands but for ssh urls
    await execShellCommand(
    [
    `/usr/bin/git config --local --unset-all git@github.com:.extraheader || true`,
    ],
    options,
    );
    await execShellCommand(
    [
    String.raw`/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'git@github\.com:.extraheader'` +
    ` && git config --local --unset-all 'git@github.com:.extraheader' || true`,
    ],
    options,
    );
    // Use a global insteadof entry because local configs aren't observed by git clone (ssh)
    await execShellCommand(
    [
    `/usr/bin/git config --global url.https://x-access-token:${importToken}@github.com/.insteadof 'git@github.com:'`,
    ],
    options,
    );
    if (core.isDebug()) {
    await execShellCommand(
    [`/usr/bin/git config --list --show-origin || true`],
    options,
    );
    }
  2. In the cleanup:

    action-ros-ci/src/action-ros-ci.ts

    Lines 786 to 792 in 8bcafc2

    // Unset config so that it doesn't leak to other actions
    await execShellCommand(
    [
    `/usr/bin/git config --global --unset-all url.https://x-access-token:${importToken}@github.com.insteadof`,
    ],
    options,
    );

It should use the URL from the GITHUB_SERVER_URL environment variable, which would need to be stripped of https:// in some cases. I've quickly implemented it, see #926. Please give it a try using action-ros-ci@christophebedard/token-auth-use-github-server-url-env-var. I assume you can easily mirror the branch into your enterprise server.

This does mean you couldn't access private repos on github.com from an enterprise server using a token from github.com saved in the enterprise server, but I don't know if that's a common use-case.

@seantfish
Copy link
Author

Thank you @christophebedard! The branch solved the issue. I agree that private repos from github.com while on GitHub Enterprise seems unlikely, though perhaps one day someone will make an issue for this. I imagine this would require a fair amount of restructuring to work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use GITHUB_SERVER_URL for authentication configuration ros-tooling/action-ros-ci
2 participants
@christophebedard @seantfish