surge-preview icon indicating copy to clipboard operation
surge-preview copied to clipboard

Published 20 hours ago • verified publisher icon afc163

Can't teardown surge-preview for pull-request

Open uidoyen opened this issue 3 years ago • 3 comments

Can't teardown preview using pull-request https://github.com/debezium/debezium.github.io/runs/3817363212?check_suite_focus=true

Error: The process '/usr/local/bin/npx' failed with exit code 1
Error: Resource not accessible by integration

uidoyen avatar Oct 06 '21 16:10 uidoyen

@uidoyen

You get the Error: Resource not accessible by integration because the Github Token used by surge-preview to update the Pull Request comment has only read permissions.

image

In your log, I also see: Aborted - Unable to remove debezium-debezium-github-io-preview-pr-730.surge.sh. Do you use the surge-preview action to create the deployment? it looks like the token used for the creation and the teardown are not the same (or not related to the same account), so surge reject the teardown

tbouffard avatar Oct 08 '21 08:10 tbouffard

@tbouffard Thanks for the response. I have used the same secrets.SURGE_TOKEN for both actions but since surge-preview was not working with pull_request I have used other actions to do this https://github.com/debezium/debezium.github.io/blob/develop/.github/workflows/surge-preview.yml#L35

uidoyen avatar Oct 08 '21 10:10 uidoyen

about the 'not working with pull_request' I guess you are talking about #124 and you cannot use deploy on 'push' github events for Pull request buit from fork repositories (your surge secret is not available in this case)? Anyway, if you use the same tokens, this should work. For now, I don't see reasons that could explain why the teardown fails.

As I previously explained, Error: Resource not accessible by integration is due to a lack of permission in the GH_TOKEN used by the workflow that manage the teardown. See https://github.community/t/actions-ecosystem-action-remove-labels-fails-resource-not-accessible-by-integration/124188 for instance. Everything acts like the repository set readonly permissions for the GH_TOKEN by default (check settings), in this case, you have to set the write permissions explicitly in the workflow: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token. The token is needed to write a comment about the deployment status.

tbouffard avatar Oct 08 '21 13:10 tbouffard