
Should this work with dependabot PRs?

Open cgravill opened this issue 7 months ago • 6 comments

Thanks for creating this action, it tidied up lots of our workflows. This is more of a question: should I be able to use this action on workflows run by https://github.com/dependabot?

I'm getting what I presume is a security related issue:

Failed to create token for "OURORGANISATION" (attempt 1): Integration not found - https://docs.github.com/rest
Failed to create token for "OURORGANISATION" (attempt 2): Integration not found - https://docs.github.com/rest
Failed to create token for "OURORGANISATION" (attempt 3): Integration not found - https://docs.github.com/rest
Failed to create token for "OURORGANISATION" (attempt 4): Integration not found - https://docs.github.com/rest
RequestError [HttpError]: Integration not found - https://docs.github.com/rest
    at fetchWrapper (/__w/_actions/actions/create-github-app-token/v2/dist/main.cjs:41019:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async hook4 (/__w/_actions/actions/create-github-app-token/v2/dist/main.cjs:42282:18)
    at async getTokenFromOwner (/__w/_actions/actions/create-github-app-token/v2/dist/main.cjs:42604:20)
    at async RetryOperation._fn (/__w/_actions/actions/create-github-app-token/v2/dist/main.cjs:42487:24) {
  status: 404,
  request: {
    method: 'GET',
    url: 'https://api.github.com/users/OURORGANISATION/installation',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/create-github-app-token',
      authorization: 'bearer [REDACTED]'
    },
    request: { hook: [Function: bound hook4] AsyncFunction }
  },

I have separately granted the app-id and private-key via dependabot secrets, but it seems to be the next step when the action tries to retrieve the installation fails. If I close and reopen the PR (so that it runs as me) the whole workflow passes and I can update the dependency.

Apologies if this is a configuration issue on our side but any pointers would be very much appreciated.

cgravill avatar Apr 28 '25 08:04 cgravill

That is odd, the fact that the bearer token (JSON Web Token) was generated suggests that the action did receive an app ID and a private key, but that the app does not have access to the given OURORGANISATION. Can you share the whole workflow file and/or the full logs of the build?

gr2m avatar Apr 28 '25 17:04 gr2m

Thanks for looking at it.

I can share more of workflow, lightly redacted:

name: test_here_there_everywhere

on:
  pull_request:
  workflow_dispatch:

jobs:
  test_here_there_everywhere:
    runs-on: self-hosted-ephemeral
    timeout-minutes: 80

    strategy:
      fail-fast: true

    container:
      image: ghcr.io/OURORGANISATION/something_or_other:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    steps:
      - uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.ACCESS_KEY }}
          owner: ${{ github.repository_owner }}

and more redacted log (if you need more I can work up a more minimal Action):

2025-04-28T04:35:45.7465581Z Current runner version: '2.323.0'
2025-04-28T04:35:45.7472699Z Runner name: 'ephem-3-runner-23'
2025-04-28T04:35:45.7473721Z Runner group name: 'Default'
2025-04-28T04:35:45.7474794Z Machine name: 'ephem-3'
2025-04-28T04:35:45.7479727Z ##[group]GITHUB_TOKEN Permissions
2025-04-28T04:35:45.7481971Z Actions: read
2025-04-28T04:35:45.7482835Z Attestations: read
2025-04-28T04:35:45.7483608Z Checks: read
2025-04-28T04:35:45.7484389Z Contents: read
2025-04-28T04:35:45.7485118Z Deployments: read
2025-04-28T04:35:45.7485909Z Discussions: read
2025-04-28T04:35:45.7486687Z Issues: read
2025-04-28T04:35:45.7487417Z Metadata: read
2025-04-28T04:35:45.7488236Z Models: read
2025-04-28T04:35:45.7489012Z Packages: read
2025-04-28T04:35:45.7489776Z Pages: read
2025-04-28T04:35:45.7490527Z PullRequests: read
2025-04-28T04:35:45.7491367Z RepositoryProjects: read
2025-04-28T04:35:45.7492185Z SecurityEvents: read
2025-04-28T04:35:45.7492972Z Statuses: read
2025-04-28T04:35:45.7493697Z ##[endgroup]
2025-04-28T04:35:45.7496993Z Secret source: Dependabot
2025-04-28T04:35:45.7498152Z Prepare workflow directory
2025-04-28T04:35:45.8041125Z Prepare all required actions
2025-04-28T04:35:45.8072517Z Getting action download info
2025-04-28T04:35:46.0872028Z Download action repository 'actions/checkout@v4' (SHA:11bd71901bbe5b1630ceea73d27597364c9af683)
2025-04-28T04:35:46.9974077Z Download action repository 'actions/create-github-app-token@v2' (SHA:3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5)
2025-04-28T04:35:58.6033164Z Input 'repositories' is not set. Creating token for all repositories owned by OURORGANISATION.
2025-04-28T04:35:58.7870529Z Failed to create token for "OURORGANISATION" (attempt 1): Integration not found - https://docs.github.com/rest
2025-04-28T04:35:59.8979374Z Failed to create token for "OURORGANISATION" (attempt 2): Integration not found - https://docs.github.com/rest
2025-04-28T04:36:02.0115482Z Failed to create token for "OURORGANISATION" (attempt 3): Integration not found - https://docs.github.com/rest
2025-04-28T04:36:06.1304120Z Failed to create token for "OURORGANISATION" (attempt 4): Integration not found - https://docs.github.com/rest
2025-04-28T04:36:06.1425251Z RequestError [HttpError]: Integration not found - https://docs.github.com/rest
2025-04-28T04:36:06.1427066Z     at fetchWrapper (/__w/_actions/actions/create-github-app-token/v2/dist/main.cjs:41019:11)
2025-04-28T04:36:06.1428854Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2025-04-28T04:36:06.1430713Z     at async hook4 (/__w/_actions/actions/create-github-app-token/v2/dist/main.cjs:42282:18)
2025-04-28T04:36:06.1432176Z     at async getTokenFromOwner (/__w/_actions/actions/create-github-app-token/v2/dist/main.cjs:42604:20)
2025-04-28T04:36:06.1433798Z     at async RetryOperation._fn (/__w/_actions/actions/create-github-app-token/v2/dist/main.cjs:42487:24) {
2025-04-28T04:36:06.1434925Z   status: 404,
2025-04-28T04:36:06.1435477Z   request: {
2025-04-28T04:36:06.1436013Z     method: 'GET',
2025-04-28T04:36:06.1436773Z     url: 'https://api.github.com/users/OURORGANISATION/installation',
2025-04-28T04:36:06.1437615Z     headers: {
2025-04-28T04:36:06.1438392Z       accept: 'application/vnd.github.v3+json',
2025-04-28T04:36:06.1439268Z       'user-agent': 'actions/create-github-app-token',
2025-04-28T04:36:06.1440106Z       authorization: 'bearer [REDACTED]'
2025-04-28T04:36:06.1440804Z     },
2025-04-28T04:36:06.1441462Z     request: { hook: [Function: bound hook4] AsyncFunction }
2025-04-28T04:36:06.1468842Z   },
2025-04-28T04:36:06.1469485Z   response: {
2025-04-28T04:36:06.1470314Z     url: 'https://api.github.com/users/OURORGANISATION/installation',
2025-04-28T04:36:06.1471293Z     status: 404,
2025-04-28T04:36:06.1471893Z     headers: {
2025-04-28T04:36:06.1472552Z       'access-control-allow-origin': '*',
2025-04-28T04:36:06.1475399Z       'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
2025-04-28T04:36:06.1478319Z       'content-encoding': 'gzip',
2025-04-28T04:36:06.1479151Z       'content-security-policy': "default-src 'none'",
2025-04-28T04:36:06.1480099Z       'content-type': 'application/json; charset=utf-8',
2025-04-28T04:36:06.1480972Z       date: 'Mon, 28 Apr 2025 04:36:06 GMT',
2025-04-28T04:36:06.1482115Z       'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
2025-04-28T04:36:06.1483280Z       server: 'github.com',
2025-04-28T04:36:06.1484245Z       'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
2025-04-28T04:36:06.1485287Z       'transfer-encoding': 'chunked',
2025-04-28T04:36:06.1486511Z       vary: 'Accept-Encoding, Accept, X-Requested-With',
2025-04-28T04:36:06.1487456Z       'x-content-type-options': 'nosniff',
2025-04-28T04:36:06.1488351Z       'x-frame-options': 'deny',
2025-04-28T04:36:06.1489152Z       'x-github-media-type': 'github.v3; format=json',
2025-04-28T04:36:06.1490146Z       'x-github-request-id': 'XYZ',
2025-04-28T04:36:06.1491052Z       'x-xss-protection': '0'
2025-04-28T04:36:06.1491706Z     },
2025-04-28T04:36:06.1492237Z     data: {
2025-04-28T04:36:06.1492917Z       message: 'Integration not found',
2025-04-28T04:36:06.1493942Z       documentation_url: 'https://docs.github.com/rest',
2025-04-28T04:36:06.1494941Z       status: '404'
2025-04-28T04:36:06.1495627Z     }
2025-04-28T04:36:06.1496253Z   },
2025-04-28T04:36:06.1496927Z   attemptNumber: 4,
2025-04-28T04:36:06.1497633Z   retriesLeft: 0
2025-04-28T04:36:06.1498425Z }
2025-04-28T04:36:06.1533780Z ##[error]Integration not found - https://docs.github.com/rest
2025-04-28T04:36:06.1788553Z Post job cleanup.

In case it's relevant we're on GitHub Enterprise Cloud

cgravill avatar Apr 28 '25 20:04 cgravill

As an extra note, the GitHub App is only installed for selected repos for us, so as an experiment I tried specifying the exact repositories needed instead. That also failed:

No 'owner' input provided. Using default owner 'OURORGANISATION' to create token for the following repositories:
- OURORGANISATION/repoA
- OURORGANISATION/repoB
- OURORGANISATION/repoC
Failed to create token for "repoA,repoB,repoC" (attempt 1): Integration not found - https://docs.github.com/rest
Failed to create token for "repoA,repoB,repoC" (attempt 2): Integration not found - https://docs.github.com/rest
Failed to create token for "repoA,repoB,repoC" (attempt 3): Integration not found - https://docs.github.com/rest
Failed to create token for "repoA,repoB,repoC" (attempt 4): Integration not found - https://docs.github.com/rest

Relatedly, changing the GitHub App to be global on the organisation seemed to have no effect, but there are lots of opaque moving parts to this.

cgravill avatar Apr 29 '25 10:04 cgravill

I am trying to migrate my prior tokens to an org app, and getting a similar error. I am on a free GitHub Organization account.

Inputs 'owner' and 'repositories' are not set. Creating token for this repository (tod-org/tod).
Failed to create token for "tod" (attempt 1): Not Found - https://docs.github.com/rest/apps/apps#get-a-repository-installation-for-the-authenticated-app
RequestError [HttpError]: Not Found - https://docs.github.com/rest/apps/apps#get-a-repository-installation-for-the-authenticated-app

stacksjb avatar Jul 29 '25 21:07 stacksjb

@stacksjb Ever solve this? I'm getting an identical issue -- think I'm just missing something

nleroy917 avatar Oct 21 '25 21:10 nleroy917

Yes, I resolved it. The app has to be installed on the repo first - see the link it shares.

stacksjb avatar Oct 22 '25 03:10 stacksjb

I went through carefully from scratch on the configuration and got it working. I think some whitespace had gotten into one of the parameters.

With this, yes, Dependabot PRs are working right now. Thanks for the action again.

cgravill avatar Nov 24 '25 16:11 cgravill