-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Github app tokens being conflated with personal access token #94
Comments
@amoosbr, this is the line you're hitting:
|
I did some further test and I'm not able to list container packages using my GitHub App token. # get token for GitHub App using: https://github.com/Link-/gh-token
❯ token=$(gh token generate --key /path/to/key.pem --app-id 111111 --installation-id 2222222)
❯ echo $token
{
"token": "ghs_....",
"expires_at": "2024-07-29T17:01:47Z",
"permissions": {
"contents": "read",
"metadata": "read",
"packages": "write"
}
}
❯ token=$(jq -r ".token" <<< $token)
❯ curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $token" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/orgs/ORG/packages?package_type=container"
{
"message": "Invalid argument.",
"documentation_url": "https://docs.github.com/rest/packages/packages#list-packages-for-an-organization",
"status": "400"
} I also forked this repo and adjusted all temporal token checks and also got the same error response:
Will stick with the PAT tokens until GitHub adjusts it's API. |
There's a working example of a Github token being used, here: https://github.com/snok/container-retention-policy/blob/main/.github/workflows/live_test.yaml#L40:L59, so I think it should be possible. You do need to install the app into your org., and so on. |
@sondrelg that specific test points to a single package name and not a wildcard, so that's likely why it works. For what it's worth I can confirm what @amoosbr described: I am also unable to list all organization packages using a Github App token (using either this action or a direct curl request), while I can using a PAT with |
I've also confirmed with GitHub support that this is not possible:
|
Created from @amoosbr's comment in the v3 issue:
Hi,
not sure if my question belongs to the v3 release or not.
Just wanted to let you know, about my experience, when I tried to use v3.0.0 with a GitHub App token.
Based on the README image-names section, I expected to use a GitHub App for cleanup a image name like
bla/*
Readme snippet:
Unfortunately, when I tried to use it as documented in the GitHub App token sample, I got the following response:
Looking at the latest history, I saw a commit, that mentions GitHub App tokens behave like temporal tokens.
I tried using building and running the 3.0.0 release candidate, where the GitHub App tokens was not treated as temporal token. Then my GitHub App token didn't have the needed scopes:
My GitHub App has
packages:write
permission and is installed on the org with access to all repositories. I didn't find apackages:delete
option for GitHub Apps.I'm not 100% sure, if I just used the action wrong or my App has wrong settings. But if it is not possible to have wildcard image names with GitHub App tokens, perhaps the README can be updated.
As soon as I switched to using a classical PAT, the workflow stated to work as expected.
Originally posted by @amoosbr in #84 (comment)
The text was updated successfully, but these errors were encountered: