tfsec-pr-commenter-action
Unable to find PR
```
+ '[' -n /github/workspace ']'
+ cd /github/workspace
+ tfsec --format=json .
+ echo 'tfsec violations were identified, running commenter...'
tfsec violations were identified, running commenter...
+ commenter
Starting the github commenter...
The commenter failed with the following error: PR number [8] not found for DSC/github_actions
```
This is my workflow:
```yaml
name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: [ self-hosted ]
    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
```
Am I missing something?
Hey @nascit - that seems strange - can I just confirm you're running it in the `DSC/github_actions` repo and that the `GITHUB_TOKEN` you're using does have permissions against it?

Might be worth changing it to

```yaml
with:
  github_token: ${{ github.token }}
```

which is the automatically generated token and should definitely have the correct permissions to read PRs
The error comes from github commenter:
https://github.com/owenrumney/go-github-pr-commenter/blob/605aaddf11ea687ceb97f619f1ee0dd9b4f21cb3/commenter/connector.go#L35
I'm using GHES, possibly it only supports github.com?
Hey @nascit - I'm assuming that's GitHub Enterprise Server and it's self-hosted? If this is the case then I think I just need to support passing in an API URL.
Are you happy to be a bit of a tester for this if I add the feature?
Yes, I'd love to test that
I have the same problem with GHE self-hosted. :)
I am also getting this error. I had this running without issue for over a month and these started popping up recently
Hey - apologies for the [huge] delay on this - the underlying library is being tested with GHE this week then I'll update this to use it
We recently tried to switch to this with our self-hosted GitHub Enterprise instance and ran into the same issue. We used to use this: triat/[email protected], but it also broke due to a golang version issue. Should I start looking for another solution or is a fix in progress here?
I also run into that problem on GHES with self-hosted runner:
The commenter failed with the following error: failed to create a new commenter. PR number [number] not found for [repo-name]
Is there any fix in the pipeline or workaround? Thanks a lot.
Also on GHE with the same error when using 1.2.0 of the action. Would be appreciated if this could support GHE. Would love to help testing it.
As I'm also encountering the same issue with Github Enterprise, I'm also available to test out stuff. Thank you!
@owenrumney Could you please take a look at #77 - is this similar to your idea?
I tested the change with my GitHub Enterprise environment. However, I run the commenter outside of GitHub Actions workflows (long story, need to orchestrate everything with Jenkins). Would appreciate a second pair of eyes on the PR.
Feedback from real GitHub Enterprise + GitHub Actions users is much appreciated!
I tested your PR #77 in my GHE Actions and I still encounter the same error:

```
+ tfsec --out=results.json --format=json --soft-fail --soft-fail projects/
1 file(s) written: results.json
+ commenter
Starting the github commenter...
The commenter failed with the following error: failed to create a new commenter. PR number [139] not found for #redacted#
```
Sorry @tzeappa - it was a silly typo on my side. Updated the PR - can you please give it another go?
I'm running the action from command line, not from GitHub Actions workflow, and pass the following variables:
```
INPUT_GITHUB_TOKEN=<my-github-token> GITHUB_REPOSITORY=<my-repository> GITHUB_API_URL="https://github.<my-company>.com/api/v3" GITHUB_EVENT_PATH=<path-to-event-json> GITHUB_WORKSPACE=<workspace-folder> INPUT_SOFT_FAIL_COMMENTER=true ./commenter
```
GITHUB_EVENT_PATH variable would work only if you apply #76 as well.
Tested today invoking through a reusable workflow (Github Enterprise) with `ubuntu-latest` and `bash` as shell, resulting in `failed to create a new commenter. PR number [34] not found`. I can confirm the PR exists.
When invoking in a job with the default shell (unset), it works as intended, as does invoking it with a non-reusable workflow.
@nikonet thanks for the update. Just to confirm - are you saying that you can successfully publish the comments to a PR in GitHub Enterprise repo if you use default shell / non-reusable workflow?
If reusable workflow is the only remaining issue, I would try to set `GITHUB_API_URL` variable explicitly (use `https://github.<my-company>.com/api/v3` as a value). I suspect that can be the issue because of the following:

> Any environment variables set in an env context defined at the workflow level in the caller workflow are not propagated to the called workflow. For more information about the env context, see "Context and expression syntax for GitHub Actions."
Yes, I can publish through a reusable-workflow as long as I do not use `bash` as shell. Meaning the tfsec-pr-commenter is invoked in the reusable workflow entirely. I'm not sure if it works if using `bash` in a non-reusable workflow.
```yaml
- name: Set Github Enterprise URL
  id: set-env-variables
  run: |
    echo "GITHUB_API_URL=https://github.<my-company>.com/api/v3" >> $GITHUB_ENV
- name: tfsec PR Commentor
  uses: kolomied/[email protected]
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
```
I tried this and this is still failing. Is there something wrong I have done? @kolomied
> @nikonet thanks for the update. Just to confirm - are you saying that you can successfully publish the comments to a PR in GitHub Enterprise repo if you use default shell / non-reusable workflow?
> If reusable workflow is the only remaining issue, I would try to set `GITHUB_API_URL` variable explicitly (use `https://github.<my-company>.com/api/v3` as a value). I suspect that can be the issue because of the following:
>
> > Any environment variables set in an env context defined at the workflow level in the caller workflow are not propagated to the called workflow. For more information about the env context, see "Context and expression syntax for GitHub Actions."

```yaml
- name: tfsec PR Commentor
  uses: kolomied/[email protected]
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
```

@kolomied No, still getting "error failed to create a new commenter. PR number [260] not found" after trying the above line. Also, we are not using a reusable workflow here. Kindly suggest.
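
A preflight check for the misconfiguration discussed in this thread, as an added example that is not part of any comment above nor code from the action or its commenter library: it works out which REST URL the PR lookup would hit and reports when a GHES server is paired with an API host that is not its own. `PRLookupURL` is a hypothetical helper, `github.example.com` is a placeholder host, the event payload is constructed, and the check assumes a GHES instance that serves its API on the server's own host under `/api/v3`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// prEvent holds the one field needed from a pull_request event payload.
type prEvent struct {
	Number int `json:"number"`
}

// PRLookupURL (hypothetical helper) returns the REST URL that has to be queried
// for the PR, or an error naming the misconfiguration behind "PR number not found".
// apiURL and serverURL stand for GITHUB_API_URL and GITHUB_SERVER_URL.
func PRLookupURL(apiURL, serverURL, repo string, event []byte) (string, error) {
	var ev prEvent
	if err := json.Unmarshal(event, &ev); err != nil || ev.Number == 0 {
		return "", fmt.Errorf("event payload carries no PR number")
	}
	if apiURL == "" {
		apiURL = "https://api.github.com" // what a github.com-only client falls back to
	}
	api, err := url.Parse(apiURL)
	if err != nil || api.Host == "" {
		return "", fmt.Errorf("GITHUB_API_URL %q is not a URL", apiURL)
	}
	srv, err := url.Parse(serverURL)
	if err != nil || srv.Host == "" {
		return "", fmt.Errorf("GITHUB_SERVER_URL %q is not a URL", serverURL)
	}
	// Assumption: on GHES the API is served by the server's own host under /api/v3.
	if srv.Host != "github.com" && api.Host != srv.Host {
		return "", fmt.Errorf("server is %s but API calls go to %s", srv.Host, api.Host)
	}
	return fmt.Sprintf("%s/repos/%s/pulls/%d", strings.TrimRight(apiURL, "/"), repo, ev.Number), nil
}

func main() {
	event := []byte(`{"action":"opened","number":8}`) // constructed sample payload
	fmt.Println(PRLookupURL("", "https://github.example.com", "DSC/github_actions", event))
	fmt.Println(PRLookupURL("https://github.example.com/api/v3", "https://github.example.com", "DSC/github_actions", event))
}
```

Requesting the returned URL with the same token the action receives then separates a wrong API host from a token that cannot read the repository.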