v0.18.0 github events fail with teams api permisison error

[hhsnow]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

Overview of the Issue

After upgrading to v0.18.0, GitHub events processing fails due to lack of permissions to the GitHub teams API. No response from Atlantis appears in GitHub comments. Atlantis is configured via GitHub App credentials. I'm guessing this relates to #1694

Logs below.

Reproduction Steps

• configure atlantis to run as a github app with v0.17.6 or below
• run v0.18.0
• trigger a plan from github

Logs

Logs

{"level":"info","ts":"2021-12-30T20:27:32.921Z","caller":"events/events_controller.go:417","msg":"parsed comment as command=\"plan\" verbose=false dir=\"\" workspace=\"\" project=\"\" flags=\"\"","json":{}} 
{"level":"error","ts":"2021-12-30T20:27:32.978Z","caller":"events/command_runner.go:212","msg":"Unable to check user permissions: retrieving GitHub teams: GET https://api.github.com/orgs/<$org>/teams: 403 Resource not accessible by integration []","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:212"}

Environment details

Additional Context

Adding members:read permissions to the Github app allows the events to process as expected.

[cilindrox]

Came here to report this as well. There seems to be a regression with v0.18.0. Got hit by atlantis unlock reporting Error: User ${USERNAME} does not have permissions to execute 'unlock' command..

From the app's logs, it seems as if the api is just responding with 404 on both GetTeamNamesForUser and checkUserPermissions calls. There's a common "Failed to get team membership from GitHub" trace amongst every call.

[joncolby]

I also get a similar error message with gitlab (GitLab Enterprise Edition 13.12.8-ee). Which might be "good" news because it might not depend on the github/gitlab api call, but rather some regression in the event handling, which would could be easier to fix. I will try to debug more.

The error only occurs for the command atlantis unlock. For me, atlantis plan and atlantis apply work fine.

An example error message

{"level":"debug","ts":"2022-01-03T19:06:20.108Z","caller":"logging/simple_logger.go:155","msg":"Ignoring non-command comment: \"```\\nError: User @foo.bar does not have permissions to execute 'unlock' command\"","json":{}}

[xiao-pp]

The GH app installed in your organization should request more permissions now. Organization admin should receive emails about it. After granting the permission everything works again for us.

[jamengual]

the Github allowlist only works on Github Orgs where there are teams, meaning that it will not work for example for the free version of Github since there is no teams API. If you want to use the github allowlist option you will have to get new API permissions to be able to pull team membership status.

[alk-jozog]

Hi, we don't use the new allowlist option but it seems atlantis is still trying to check team membership nevertheless. It fails with {"level":"error","ts":"2022-01-04T17:29:19.118Z","caller":"events/command_runner.go:212","msg":"Unable to check user permissions: retrieving GitHub teams: GET https://api.github.com/orgs/alkemics/teams: 403 Must have admin rights to Repository. []".
The error message doesn't make much sense to me (what the relation between org team membership and admin right on a repo?!).
I've tried to switch the atlantis user to admin on the associated repo and add the read:org on the user's token (we don't use an app) but it still failing.
I've tried to forcibly disable this feature by adding --gh-team-allowlist "" from my understanding of https://github.com/runatlantis/atlantis/pull/1694/files#diff-109553999737766a4d911457be29794d244c25fbae7cd19ff2cea75604a55c86R177 but still same issue.

[nishkrishnan]

Forcibly disabling the feature won't work because of:
https://github.com/lyft/atlantis/blob/767a5e7a01e97d92379076281b9cee9728abfcdd/cmd/server.go#L666-L667

Additionally, this default ensures that this statement is not true:
https://github.com/lyft/atlantis/blob/767a5e7a01e97d92379076281b9cee9728abfcdd/server/events/command_runner.go#L177-L178

and therefore calls to vcs are made.

This must have been missed during the pull review, I'll see if i can get something out.

[cilindrox]

@xiao-pp @jamengual we're using a GH setup with an org + teams and a service account (bot with a token) - no GH app installed and we're still seeing the same errors.

[alk-jozog]

@paulerickson @jamengual Thank you for the change on default value. Should we expect a new release soon or should we downgrade in the meantime?

[joncolby]

I don't quite understand how release 0.18.0 introduced a regression for gitlab users as well, if this user check is supposedly a github specific feature. I will update this ticket after testing the next release that contains the fix.

[edbighead]

please release 🙏🏻

[chenrui333]

We will rollout a release today. #1976