
@types/github-script install fails in GitHub Action in Dependabot PRs #487

Open
Quintisimo opened this issue Sep 17, 2024 · 7 comments

@Quintisimo

Describe the bug
When npm dependencies are being installed in a GitHub Action in a Dependabot PR, it fails on @types/github-script with a permission denied error. I am using pnpm but I would assume this error occurs in all package managers.

To Reproduce
Steps to reproduce the behavior:

  1. Install @types/github-script
  2. Add a GitHub Action to run pnpm install
  3. Wait for Dependabot to create a PR and run pnpm install in the GitHub Action
  4. See error

Expected behavior
The install is successful

Screenshots
CleanShot 2024-09-17 at 10 58 32@2x

Desktop (please complete the following information):

  • OS: linux
@joshmgross
Member

Can you include the full set of commands you're using to install the types?

@Quintisimo
Author

  • To install the types in my project I ran: pnpm add -D @actions/github-script@github:actions/github-script
  • In the GitHub Action I run:

      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: ${{ steps.pnpm_version.outputs.version }}

      - name: Install Node
        uses: actions/setup-node@v4
        with:
          node-version: ${{ steps.node_version.outputs.version }}

      - name: Install dependencies
        working-directory: ${{ inputs.working-directory }}
        shell: bash
        run: pnpm install
        env:
          NODE_AUTH_TOKEN: ${{ inputs.node-auth-token }}

Just to note again: this error only occurs in PRs that are created by Dependabot for dependency or security updates. The install works fine in normal PRs.

@joshmgross
Member

@Quintisimo where does node-auth-token come from?

If that's an Actions secret, is it also set as a Dependabot secret?

https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#investigating-failed-workflow-runs

@Quintisimo
Author

@joshmgross yes, I have set it both as an Actions secret and a Dependabot secret.

@joshmgross
Member

Could you provide the full workflow?

@Quintisimo
Author

@joshmgross that is all the steps of the action. It is a custom org composite action that we use across multiple repos. Here it is in full (action.yml); it is called setup-node-environment:

name: Setup Node Environment
description: Install Node, Pnpm, and dependencies

inputs:
  node-auth-token:
    description: Token to authenticate with npm registry
    required: true

  working-directory:
    description: The directory to run the install command in
    required: false
    default: ${{ github.workspace }}

runs:
  using: composite
  steps:
    - name: Get Pnpm Version from package.json
      id: pnpm_version
      working-directory: ${{ inputs.working-directory }}
      shell: bash
      run: |
        version=$(jq -r '.packageManager' package.json)
        echo "version=$(echo "$version" | sed 's/^pnpm@//')" >> $GITHUB_OUTPUT

    - name: Get Node Version from .nvmrc
      id: node_version
      working-directory: ${{ inputs.working-directory }}
      shell: bash
      run: |
        version=$(cat .nvmrc)
        echo "version=$version" >> $GITHUB_OUTPUT

    - name: Install pnpm
      uses: pnpm/action-setup@v4
      with:
        version: ${{ steps.pnpm_version.outputs.version }}

    - name: Install Node
      uses: actions/setup-node@v4
      with:
        node-version: ${{ steps.node_version.outputs.version }}

    - name: Install dependencies
      working-directory: ${{ inputs.working-directory }}
      shell: bash
      run: pnpm install
      env:
        NODE_AUTH_TOKEN: ${{ inputs.node-auth-token }}

and here is how it is used in a workflow:

name: Linting
run-name: Linting

on:
  pull_request:

jobs:
  linting:
    name: Linting
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4

      - name: Setup node and install dependencies
        uses: The-Legal-Tech-Company/actions/src/setup-node-environment@main
        with:
          node-auth-token: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}

      - name: Run eslint
        run: pnpm lint

      - name: Run typecheck
        run: pnpm typecheck

      - name: Run test
        run: pnpm test

@joshmgross
Member

@Quintisimo this is a bit outside the scope of the actions/github-script action, but I'll try my best to help out.

Can you double check that PRIVATE_REGISTRY_TOKEN is set to the same value for both Actions and Dependabot secrets? And if that's an org secret ensure that it's shared with the same set of repositories.

That's the only clear difference I see here, nothing in this action or the exported types should differ for a Dependabot run.
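A way to make the secret comparison above concrete without printing the token, as an added example that is not part of the composite action in this thread: a bash preflight that the "Install dependencies" step could call before pnpm install. It assumes the token and actor are passed in as arguments (in a workflow they would come from NODE_AUTH_TOKEN and GITHUB_ACTOR), fails fast with a hint when the token is empty, and emits a short hash prefix so a normal PR run and a Dependabot run can be compared for the same value.

```shell
#!/usr/bin/env bash
# Added example; not the setup-node-environment action's own code.

# token_fingerprint TOKEN
#   Prints the first 8 hex chars of SHA-256(TOKEN), or "(unset)" for an
#   empty token. Safe to log: it lets you compare the Actions secret and
#   the Dependabot secret across two runs without revealing either.
token_fingerprint() {
  local token="$1"
  if [ -z "$token" ]; then
    printf '(unset)\n'
    return 0
  fi
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$token" | sha256sum | cut -c1-8
  else
    printf '%s' "$token" | shasum -a 256 | cut -c1-8
  fi
}

# check_registry_token TOKEN ACTOR
#   Returns 0 when a token is present, 1 otherwise. Dependabot-triggered
#   runs read Dependabot secrets rather than Actions secrets, so an empty
#   token when ACTOR is dependabot[bot] points at the Dependabot store.
check_registry_token() {
  local token="$1" actor="$2"
  if [ -z "$token" ]; then
    if [ "$actor" = "dependabot[bot]" ]; then
      echo "node-auth-token is empty in a Dependabot run: set the secret as a Dependabot secret, not only an Actions secret" >&2
    else
      echo "node-auth-token is empty: check the workflow passes the secret to the action" >&2
    fi
    return 1
  fi
  # Only on a runner: ask it to mask the value if it ever reaches the log.
  if [ -n "${GITHUB_ACTIONS:-}" ]; then
    echo "::add-mask::$token"
  fi
  echo "node-auth-token fingerprint: $(token_fingerprint "$token") (actor: $actor)"
  return 0
}
```

In the action this would run as a step such as `run: check_registry_token "$NODE_AUTH_TOKEN" "$GITHUB_ACTOR" && pnpm install`; if the fingerprint differs between a normal PR run and a Dependabot run, the two secret stores hold different values.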
