repository-dispatch

Error: Parameter token or opts.auth is required

Open AntonSaurytski83 opened this issue 1 year ago • 6 comments

```
with:
  repository: antonsaurytski83/polar-deployment
  event-type: app_delivery
  client-payload: {
    "app_image": "ghcr.io/antonsaurytski83/catalog-service",
    "app_name": "catalog-service",
    "app_version": "dc4704191e8b1c3d46d22929c7eff93232e5378d"
  }
env:
  OWNER: antonsaurytski83
  REGISTRY: ghcr.io
  APP_REPO: catalog-service
  DEPLOY_REPO: polar-deployment
  VERSION: dc4704191e8b1c3d46d22929c7eff93232e5378d
Error: Parameter token or opts.auth is required
```

AntonSaurytski83, Oct 30 '24 18:10

This is happening to me also...

meyrevived, Dec 12 '24 21:12

+1

sitolam, Dec 18 '24 13:12

Is this happening consistently, or just occasionally?

peter-evans, Dec 18 '24 15:12

For me, it's consistent. However, I do see it when I use this action in a pull_request workflow that runs pull requests from forked repositories to the main repository. GitHub has a security policy to stop secrets from being used in these scenarios, so it could be that this is the cause of the "bug" we're seeing.

This policy is a good policy, it makes a lot of sense, but it should be refined. I am a Red Hat worker, I am a member of one of their GitHub organizations, the main repo I'm running pull requests on is in this organization and so is my forked repo. It's a repo of a component of one of their products and I'm developing it. Furthermore, I am a maintainer on said main repository. Security is very important, but not to the point of paranoia ;)

meyrevived, Dec 18 '24 21:12

> However, I do see it when I use this action in a pull_request workflow that runs pull requests from forked repositories to the main repository. GitHub has a security policy to stop secrets from being used in these scenarios, so it could be that this is the cause of the "bug" we're seeing.

That is very likely to be the issue. The workflow just doesn't have access to secrets in that scenario. My only advice would be to try and refactor the workflows to avoid running on fork pull requests. Perhaps look into using pull_request_target instead, which I believe allows access to secrets.

peter-evans, Dec 19 '24 09:12

This is what I've had to do. The second paragraph of my reply is where this is a pain point and should be addressed by someone on GitHub: I ran into this issue because I was adding a code scan by a test coverage analysis tool to my CI workflow, which used to be one file. The tool requires a token because there's live data sent to a cloud server etc. The easiest and fastest safe place to keep such a token would be a GitHub secret. Alas, we have this security policy. The code coverage tool has capabilities to separate its analysis of code changes and test runs between the results of code scans that were run on a main branch and those that were run during pull requests. This is one of the features that we wanted from this tool, actually. Because of the GitHub security policy, one simple GitHub workflow YAML became four files just to make sure the tool gets its token properly. Again, this is a fork in the organization, created by one of the maintainers.

meyrevived, Dec 19 '24 09:12

If you're calling from another workflow, make sure to include secrets: inherit

theRamenWithin, Jun 25 '25 06:06
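
The two causes discussed in this thread (no secrets on fork pull requests, and secrets not passed to a called workflow) can be handled in the workflow itself. The following is an added example, not code from any participant or from the action's own documentation; the workflow name, the secret name `DISPATCH_TOKEN` and the reusable workflow path `deliver.yml` are assumptions.

```yaml
# Constructed example. DISPATCH_TOKEN and deliver.yml are hypothetical names.
name: commit-stage
on:
  push:
    branches: [main]
  pull_request:

jobs:
  dispatch:
    runs-on: ubuntu-latest
    # On pull_request runs from a fork, repository secrets are not provided
    # and ${{ secrets.* }} evaluates to an empty string, so the action gets
    # no token. Skip the job for fork PRs instead of letting it fail.
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Fail early with a readable message if the secret is empty
        env:
          DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
        run: |
          if [ -z "$DISPATCH_TOKEN" ]; then
            echo "::error::DISPATCH_TOKEN is empty (secret unset or not passed to this workflow)"
            exit 1
          fi
      - uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.DISPATCH_TOKEN }}
          repository: antonsaurytski83/polar-deployment
          event-type: app_delivery
          client-payload: '{"app_name": "catalog-service", "app_version": "${{ github.sha }}"}'

  # A called (reusable) workflow does not see the caller's secrets unless
  # they are passed explicitly or inherited, as the last comment points out.
  deliver:
    if: github.event_name == 'push'
    uses: ./.github/workflows/deliver.yml   # hypothetical reusable workflow
    secrets: inherit
```

With the `if:` guard in place, fork pull requests show the dispatch job as skipped, while same-repository branches and pushes to `main` still run it with the token.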