renovatebot/github-action

Renovate GitHub Action with GitHub App Token and authentication failure

ruzickap opened this issue · 7 comments

Hello guys.

I'm trying to configure the Renovate GH Action with a GH App token, but I'm getting the "Authentication failure":

```
DEBUG: Found valid git version: 2.36.0
DEBUG: Using default github endpoint: https://api.github.com/
DEBUG: GitHub failure: Resource not accessible by integration
       "err": {
         "name": "HTTPError",
         "code": "ERR_NON_2XX_3XX_RESPONSE",
         "timings": {
           "start": 1652761788363,
           "socket": 1652761788365,
           "lookup": 1652761788385,
           "connect": 1652761788418,
           "secureConnect": 1652761788454,
           "upload": 1652761788454,
             "x-frame-options": "deny",
             "x-content-type-options": "nosniff",
             "x-xss-protection": "0",
             "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
             "content-security-policy": "default-src 'none'",
             "vary": "Accept-Encoding, Accept, X-Requested-With",
             "content-encoding": "gzip",
             "x-github-request-id": "07C0:1215:12ABBB:3E1C26:628324BC",
             "connection": "close"
           },
           "httpVersion": "1.1"
         }
       }
DEBUG: Error authenticating with GitHub
       "err": {
         "message": "integration-unauthorized",
         "stack": "Error: integration-unauthorized\n    at handleGotError (/usr/src/app/node_modules/renovate/lib/util/http/github.ts:115:12)\n    at GithubHttp.request (/usr/src/app/node_modules/renovate/lib/util/http/github.ts:336:13)\n    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n    at GithubHttp.requestJson (/usr/src/app/node_modules/renovate/lib/util/http/index.ts:221:17)\n    at getUserDetails (/usr/src/app/node_modules/renovate/lib/modules/platform/github/user.ts:13:7)\n    at Proxy.initPlatform (/usr/src/app/node_modules/renovate/lib/modules/platform/github/index.ts:138:36)\n    at initPlatform (/usr/src/app/node_modules/renovate/lib/modules/platform/index.ts:47:24)\n    at globalInitialize (/usr/src/app/node_modules/renovate/lib/workers/global/initialize.ts:58:12)\n    at Object.start (/usr/src/app/node_modules/renovate/lib/workers/global/index.ts:117:14)\n    at /usr/src/app/node_modules/renovate/lib/renovate.ts:16:22"
       }
FATAL: Authentication failure
DEBUG: Renovate exiting
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "a_X5GDj50KffxveKqItnC",
           "msg": "Authentication failure"
         }
       ]
```

I created the new GH App with the permissions described here and let the GH App operate on my repository, but I'm not able to find the root cause of the error.

My GH App permissions:

[image]

This is my Renovate workflow:

```yaml
name: Renovate

on:
  workflow_dispatch:
    inputs:
      dryRun:
        type: choice
        description: "Dry-Run"
        default: "false"
        options:
          - true
          - false
        required: false
      logLevel:
        type: choice
        description: "Log-Level"
        default: "debug"
        options:
          - info
          - debug
          - trace
        required: false
  push:
    branches:
      - main
    paths:
      - ".github/renovate.json5"
  # schedule:
  #   - cron: "0 * * * *"

env:
  LOG_LEVEL: info
  RENOVATE_DRY_RUN: false
  RENOVATE_REPOSITORIES: ${{ github.repository }}
  RENOVATE_CONFIG_FILE: .github/renovate.json5

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Generate Token
        uses: tibdex/github-app-token@v1
        id: generate-token
        with:
          app_id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
          private_key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"

      - name: Override default config from dispatch variables
        run: |
          echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" | tee -a "${GITHUB_ENV}"
          echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" | tee -a "${GITHUB_ENV}"
          echo "RENOVATE_BASE_BRANCHES=${GITHUB_REF##*/}" | tee -a "${GITHUB_ENV}"

      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v32.39.0
        with:
          configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}"
          token: "x-access-token:${{ steps.generate-token.outputs.token }}"
```

Here is a link to the whole log / repository:
https://github.com/ruzickap/test123/runs/6464380508?check_suite_focus=true

Any ideas are welcome...

Thank you...

From the requests, it looks like it also wants read access to the user profile; could you please add that permission and try again? Just to confirm though, did you add the repositories you're running this on to the app?

[image]

Thank you for the quick response.

I added the read-write access to the user profile:

[image]

I already had the app installed to the repository:

[image]

The problem persists:
https://github.com/ruzickap/test123/runs/6464969015?check_suite_focus=true

Thanks...

Looks like apps can't access the GET /user endpoint, as it isn't included in this list. Maybe @viceice or @rarkins can shed some light on why those requests are needed and/or other insights. From the setup I'd be expecting that other endpoints, that are in the list and have correct app permissions, would work just fine.

It's in our docs that if you run as an app then you need to specify username: https://docs.renovatebot.com/modules/platform/github/#running-as-a-github-app

Why does Renovate need to know its username? So that it can find and filter its own issues/PRs.

Why do you need to configure it manually when running as an app? Because an app installation token doesn't have any endpoint like /user which it can call to learn its identity - you have to tell it.

Please close this issue once you've confirmed it's working.

Thanks.

I tried to add the RENOVATE_USERNAME (see below) env variable to the GH Action file, but it is still the same... :-(

```yaml
env:
  LOG_LEVEL: info
  RENOVATE_CONFIG_FILE: .github/renovate.json5
  RENOVATE_DRY_RUN: false
  RENOVATE_REPOSITORIES: ${{ github.repository }}
#  RENOVATE_USERNAME: "renovate-bot"
  RENOVATE_USERNAME: "ruzickap"
```

https://github.com/ruzickap/test123/blob/7fc293049966040040825ad63cc50436012d6e0d/.github/workflows/renovate.yml#L31-L37

Log:
https://github.com/ruzickap/test123/runs/6466160523?check_suite_focus=true

@ruzickap Your username is wrong, and you also missed configuring gitAuthor. Please fully read this doc section before trying again: https://docs.renovatebot.com/modules/platform/github/#running-as-a-github-app

Thank you.
Now it is working as expected.
The final configuration YAML (if somebody else wants to see it):

```yaml
name: Renovate

on:
  workflow_dispatch:
    inputs:
      dryRun:
        type: choice
        description: "Dry-Run"
        default: "false"
        options:
          - true
          - false
        required: false
      logLevel:
        type: choice
        description: "Log-Level"
        default: "debug"
        options:
          - info
          - debug
          - trace
        required: false
  push:
    branches:
      - main
    paths:
      - ".github/renovate.json5"
  # schedule:
  #   - cron: "0 * * * *"

env:
  LOG_LEVEL: info
  RENOVATE_CONFIG_FILE: .github/renovate.json5
  RENOVATE_DRY_RUN: false
  RENOVATE_REPOSITORIES: ${{ github.repository }}
  # Set explicitly when running as a GitHub App: an installation token
  # has no /user endpoint from which Renovate could learn its identity.
  RENOVATE_USERNAME: ${{ github.repository_owner }}
  # gitAuthor also has to be configured when running as a GitHub App.
  RENOVATE_GIT_AUTHOR: "Renovate Bot <bot@renovateapp.com>"

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # Exchange the App ID and private key for a short-lived installation token.
      - name: Generate Token
        uses: tibdex/github-app-token@v1
        id: generate-token
        with:
          app_id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
          private_key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"

      - name: Override default config from dispatch variables
        run: |
          echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" | tee -a "${GITHUB_ENV}"
          echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" | tee -a "${GITHUB_ENV}"
          echo "RENOVATE_BASE_BRANCHES=${GITHUB_REF##*/}" | tee -a "${GITHUB_ENV}"

      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v32.39.0
        with:
          configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}"
          token: "x-access-token:${{ steps.generate-token.outputs.token }}"
```

Thank you guys...
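
A preflight check for the failure discussed in this thread, as an added example that is not part of the original issue or of Renovate's own code: it recognises the log signature quoted above and flags a GitHub App run that lacks `RENOVATE_USERNAME` or `RENOVATE_GIT_AUTHOR`. The function names, sample log and token are constructed; the `ghs_` prefix is GitHub's format for installation tokens, and the `[bot]` warning follows the naming convention in the linked Renovate docs section and is advisory only.

```python
import re

# Constructed sample, abbreviated from the log lines quoted in the issue.
SAMPLE_LOG = """DEBUG: GitHub failure: Resource not accessible by integration
DEBUG: Error authenticating with GitHub
  "message": "integration-unauthorized",
  "stack": "... at getUserDetails (.../platform/github/user.ts:13:7) ..."
FATAL: Authentication failure"""

GIT_AUTHOR_RE = re.compile(r"^[^<>]+ <[^<>@\s]+@[^<>@\s]+>$")


def is_identity_lookup_failure(log_text):
    """True when the run died while Renovate was asking GitHub who it is."""
    markers = ("Resource not accessible by integration",
               "integration-unauthorized", "getUserDetails")
    return all(m in log_text for m in markers)


def is_app_token(token):
    """GitHub App installation tokens carry the ghs_ prefix."""
    return token.split(":", 1)[-1].startswith("ghs_")


def preflight(env, token):
    """Return (level, message) findings for a run that would use `token`."""
    if not is_app_token(token):
        return []  # a user token can be resolved through GET /user
    findings = []
    username = env.get("RENOVATE_USERNAME", "").strip()
    author = env.get("RENOVATE_GIT_AUTHOR", "").strip()
    if not username:
        findings.append(("error", "RENOVATE_USERNAME is unset; an installation "
                         "token has no /user endpoint to discover it"))
    elif not username.endswith("[bot]"):
        # Advisory only: naming convention from the linked Renovate docs.
        findings.append(("warn", "RENOVATE_USERNAME is not '<app-slug>[bot]'"))
    if not author:
        findings.append(("error", "RENOVATE_GIT_AUTHOR is unset"))
    elif not GIT_AUTHOR_RE.match(author):
        findings.append(("error", "RENOVATE_GIT_AUTHOR is not 'Name <email>'"))
    return findings


if __name__ == "__main__":
    token = "x-access-token:ghs_CONSTRUCTEDPLACEHOLDER"  # not a real token
    print(is_identity_lookup_failure(SAMPLE_LOG))
    for level, msg in preflight({"RENOVATE_USERNAME": "ruzickap"}, token):
        print(level, msg)
```

Run it against the resolved `env:` values before the Renovate step; any `error` finding corresponds to a setting the thread shows had to be present before authentication succeeded.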