aquasecurity/tfsec-pr-commenter-action

Action fails with API rate limit

marcofranssen opened this issue · 3 comments

      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0
        with:
          working_directory: ${{ matrix.module }}
          tfsec_args: --soft-fail
          github_token: ${{ secrets.GITHUB_TOKEN }}

Using the action as follows consequently fails with the following, despite adding the GITHUB token for higher rate limits.

/bin/docker run --name bea70de1c4c008ef342d927c3d1ac_9489f7 --label 765292 --workdir /github/workspace --rm -e "INPUT_WORKING_DIRECTORY" -e "INPUT_TFSEC_ARGS" -e "INPUT_GITHUB_TOKEN" -e "INPUT_TFSEC_VERSION" -e "INPUT_TFSEC_FORMATS" -e "INPUT_COMMENTER_VERSION" -e "INPUT_SOFT_FAIL_COMMENTER" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/opt/actions-runner/_work/_temp/_github_home":"/github/home" -v "/opt/actions-runner/_work/_temp/_github_workflow":"/github/workflow" -v "/opt/actions-runner/_work/_temp/_runner_file_commands":"/github/file_commands" -v "/opt/actions-runner/_work/fiesta-terraform-examples/fiesta-terraform-examples":"/github/workspace" 765292:366bea70de1c4c008ef342d927c3d1ac
+ TFSEC_VERSION=
+ '[' latest '!=' latest ']'
++ head -n1
++ grep -m 1 -o -E 'https://.+?tfsec-linux-amd64'
++ wget -q https://api.github.com/repos/aquasecurity/tfsec/releases -O -
wget: server returned error: HTTP/1.1 403 rate limit exceeded
+ wget -O - -q ''
wget: bad address ''

I'm afraid this isn't something we can resolve. I'm surprised to see the rate limit is on the download of the tfsec binary though; do you have other processes hitting GitHub hard with requests?

We do have other workflows running all kinds of third-party actions that might use these tokens as well. I just want to rule out that this is an issue with the TOKEN being passed to the code that fetches the tfsec binary, basically leaving it unauthenticated and therefore having very low API rate limits.

Actually, checking the issue here in more detail myself, you can actually resolve it by doing an authenticated request using the token here:

https://github.com/aquasecurity/tfsec-pr-commenter-action/blob/main/entrypoint.sh#L10-L23
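The authenticated lookup suggested above, written out as an added example (this is not the action's entrypoint.sh). It assumes the action exports its `github_token` input as `GITHUB_TOKEN` and an optional `TFSEC_VERSION`, takes the asset name `tfsec-linux-amd64` from the log, and fails on an empty URL instead of letting `wget` report `bad address ''`; a pinned version skips the API call and its rate limit entirely.

```bash
#!/usr/bin/env bash
# Added example (not the action's entrypoint.sh): authenticated release lookup for the
# step the log shows failing. Assumes GITHUB_TOKEN (the github_token input) and optional
# TFSEC_VERSION in the environment; asset name tfsec-linux-amd64 is taken from the log.
set -euo pipefail

RELEASES_API="https://api.github.com/repos/aquasecurity/tfsec/releases"
ASSET="tfsec-linux-amd64"

# Header to send, or nothing when no token is available (anonymous rate limit applies).
auth_header() {
  [ -n "${GITHUB_TOKEN:-}" ] && printf 'Authorization: Bearer %s' "$GITHUB_TOKEN"
  return 0
}

# Read the releases JSON on stdin and print the newest $ASSET download URL. The bracket
# class stops at quotes, so it cannot run across several JSON strings on one line the
# way the log's 'https://.+?tfsec-linux-amd64' could. An empty result fails here
# instead of surfacing later as "wget: bad address ''".
url_from_releases_json() {
  local url
  url="$(grep -o -E "https://[^\"[:space:]]+/${ASSET}" | head -n1 || true)"
  [ -n "$url" ] || { echo "error: no ${ASSET} asset found in releases response" >&2; return 1; }
  printf '%s\n' "$url"
}

# A pinned TFSEC_VERSION maps straight to the release asset path and skips the API
# (and its rate limit) entirely; only "latest" needs the authenticated listing.
tfsec_download_url() {
  local version="${TFSEC_VERSION:-latest}" hdr body
  if [ "$version" != "latest" ]; then
    printf 'https://github.com/aquasecurity/tfsec/releases/download/%s/%s\n' "$version" "$ASSET"
    return 0
  fi
  hdr="$(auth_header)"
  if [ -n "$hdr" ]; then
    body="$(wget -q -O - --header="$hdr" "$RELEASES_API")"   # a 403 here aborts via set -e
  else
    body="$(wget -q -O - "$RELEASES_API")"
  fi
  printf '%s' "$body" | url_from_releases_json
}

# Constructed sample of the API shape (two releases, newest first) for offline checks.
SAMPLE_RELEASES_JSON='[{"tag_name":"v1.2.3","url":"https://api.github.com/repos/aquasecurity/tfsec/releases/1","assets":[{"browser_download_url":"https://github.com/aquasecurity/tfsec/releases/download/v1.2.3/tfsec-linux-amd64"}]},{"tag_name":"v1.2.2","assets":[{"browser_download_url":"https://github.com/aquasecurity/tfsec/releases/download/v1.2.2/tfsec-linux-amd64"}]}]'

if [ "${RUN_TFSEC_LOOKUP:-0}" = "1" ]; then
  tfsec_download_url
fi
```

Set `RUN_TFSEC_LOOKUP=1` to perform the real network lookup; without it the script only defines the functions and the constructed sample.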