frogbot
frogbot copied to clipboard
jfrog
JF_USER is undefined
Describe the bug
I created a setup of yarn2 using the workflow you guys provided. And it's seems like JF_USER is undefined even tho it's set up.
To Reproduce Just do your starter flow
Expected behavior The run will go as planned
Screenshots
Versions
- Frogbot version: v2.3.2
- Operating system: Linux (runner)
- JFrog Artifactory version:
- JFrog Xray version (version 3.29.0 or above is required):
Additional context I looked in your code I didn't see any place that you are setting up JF_USER in your env. I also tried to supply JF_USER in:
- workflow context
- job context
- action context
Hi @yarinsa, thank you for informing us about this issue. Can you please share the YAML file that you used?
Frogbot workflow yml
name: 'Frogbot Scan Pull Request'
on: pull_request: types: [opened, synchronize]
permissions: pull-requests: write contents: read
jobs: scan-pull-request: runs-on: self-hosted # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the # "frogbot" GitHub environment can approve the pull request to be scanned. environment: frogbot env: JF_URL: ${{ secrets.JF_URL }} JF_USER: ${{ secrets.JF_USER }} JF_PASSWORD: ${{ secrets.JF_PASSWORD }} GH_TOKEN: ${{ secrets.GH_TOKEN }} steps: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} persist-credentials: false
# Install prerequisites
- uses: actions/checkout@v3
with:
repository: transmit-poc/setup-yarn
token: ${{ env.GH_TOKEN }}
path: setup-yarn
- name: Setup Yarn
uses: ./setup-yarn
with:
artifactory_user: ${{ env.JF_USER }}
artifactory_password: ${{ env.JF_PASSWORD }}
node_version: 16.13.1
# - run: rm .yarnrc.yml
- uses: actions/checkout@v3
with:
repository: transmit-poc/frogbot
token: ${{ env.GH_TOKEN }}
path: frogbot
ref: v2
- name: Run Frogbot
uses: ./frogbot
env:
# [Mandatory]
# The command that installs the dependencies
JF_INSTALL_DEPS_CMD: 'yarn install'
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
JF_URL: ${{ secrets.JF_URL }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
JF_USER: ${{ secrets.JF_USER }}
# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog password. Must be provided with JF_USER
JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
# [Mandatory]
# The GitHub token automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GH_TOKEN }}
# Uncomment the below options if you'd like to use them.
# [Optional, default: https://api.github.com]
# API endpoint to GitHub
# JF_GIT_API_ENDPOINT: https://github.example.com
# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
# JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
# [Optional, default: "."]
# Relative path to the project in the git repository
# JF_WORKING_DIR: path/to/package.json/dir
# [Optional]
# Xray Watches. Learn more about them here:
https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
# JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
# [Optional]
# JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
# JF_PROJECT: <project-key>
# [Optional, default: "FALSE"]
# Displays all existing vulnerabilities, including the ones that were added by the pull request.
# JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
We had to fork the bot to our organization as we are not installing actions that are not verified, so we security review and fork, but its the exact same code as you guys (no change)
Setup yarn for me is a custom action trying to deal with the difference of authenticating with jfrog: For example: using api_key & user (our local setup) yarn config set npmAuthIdent user:api_key using password & user (CI setup) yarn config set npmAuthIdent (user:password | base64)
Setup yarn
# action.yml
name: "Setup Yarn"
description: "Initial setup for yarn with artifactory credentials"
branding:
icon: "package"
color: "gray-dark"
inputs:
artifactory_user:
description: "Artifactory user name (usually company email)"
required: true
artifactory_password:
description: "Artifactory password (ApiKey can be used for fetching artifacts only)"
required: true
node_version:
description: "Artifactory password"
required: false
default: 16.13.1
runs:
using: composite
steps:
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: ${{ inputs.node_version }}
- name: escape undefined variables
shell: sh
run: |
echo "JF_API_KEY=${{ inputs.artifactory_password }}" >> $GITHUB_ENV
echo "JF_PASSWORD=${{ inputs.artifactory_password }}" >> $GITHUB_ENV
echo "JF_USER=${{ inputs.artifactory_user }}" >> $GITHUB_ENV
- name: Setup credentials # Currently tests and compatible with Yarn2+
shell: sh
run: |
corepack enable
yarn config unset npmAuthIdent
yarn config set npmAuthIdent $(echo -n '${{ inputs.artifactory_user }}:${{ inputs.artifactory_password }}'| base64)
- name: Retrieve Yarn Cache
id: yarn-cache-dir-path
shell: sh
run: echo "::set-output name=dir::$(yarn config get cacheFolder)"
- uses: actions/cache@v3
id: yarn-cache
with:
path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
restore-keys: |
${{ runner.os }}-yarn-
- name: Install dependencies
shell: sh
run: yarn install --immutable
I didn't see any reference of you guys setting this up in the action env here
Thanks, @yarinsa for the detailed information. We do set this env here: https://github.com/jfrog/frogbot/blob/9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250/commands/utils/params.go#L91
Could you please run this again with debug logs? Please add the following environment variable to Frogbot on Github: JFROG_CLI_LOG_LEVEL With value: DEBUG
@yarinsa I'm glad that it worked for you, and thank you for the feedback! It would be greatly appreciated if you could help us understand this issue better, so we can take the right steps moving forward. Have you used the JFrog CLI command 'audit yarn' to fix it?
nope. I fixed them manually , as for the log level, will do and update here
/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
07:34:49 [Info] Running Frogbot "scan-pull-request" command
07:34:49 [Info] Auditing /runner/_work/TIP/TIP
07:34:49 [Info] Executing 'yarn' [install] at /runner/_work/TIP/TIP
07:34:49 [Debug] Usage Report: Sending info...
07:34:49 [Debug] Sending HTTP GET request to: ***/artifactory/api/system/version
07:34:49 [Debug] Artifactory response: 200 OK
07:34:49 [Debug] JFrog Artifactory version is: 7.42.5
07:34:49 [Debug] Sending HTTP POST request to: ***/artifactory/api/system/usage
07:34:49 [Debug] Usage Report: Artifactory response: 200 OK
07:34:49 [Debug] Usage Report: Usage info sent successfully.
07:34:54 [Info] Detected: yarn.
07:34:55 [Debug] Sending HTTP GET request to: ***/xray/api/v1/system/version
07:34:55 [Info] JFrog Xray version is: 3.57.6
07:34:55 [Info] Scanning module tip:portal:0.37.0...
07:34:55 [Debug] Sending HTTP POST request to: ***/xray/api/v1/scan/graph?scan_type=dependency
07:34:55 [Info] Waiting for scan to complete...
07:34:55 [Debug] Sending HTTP GET request to: ***/xray/api/v1/scan/graph/9a[15](https://github.com/transmitsecurity-dev/TIP/actions/runs/3172355902/jobs/5166741757#step:7:16)a1d2-1ddf-4109-4fba-e25ba26caa1d?include_vulnerabilities=true
07:34:55 [Info] Auditing TIP refs/pull/59/merge
07:34:55 [Debug] Created temp working directory: /tmp/jfrog.cli.temp.-[16](https://github.com/transmitsecurity-dev/TIP/actions/runs/3172355902/jobs/5166741757#step:7:17)64782495-394088[23](https://github.com/transmitsecurity-dev/TIP/actions/runs/3172355902/jobs/5166741757#step:7:24)43
07:34:55 [Debug] Downloading transmitsecurity-dev/TIP , branch:refs/pull/59/merge to:/tmp/jfrog.cli.temp.-166478[24](https://github.com/transmitsecurity-dev/TIP/actions/runs/3172355902/jobs/5166741757#step:7:25)95-3940882[34](https://github.com/transmitsecurity-dev/TIP/actions/runs/3172355902/jobs/5166741757#step:7:35)3
07:34:56 [Debug] Downloading repository completed
07:34:56 [Info] Executing 'yarn' [install] at /tmp/jfrog.cli.temp.-1664782495-3940882343
07:34:56 [Info] Couldn't run the installation command on the base branch. Assuming new project in the source branch: exit status 1
07:34:56 [Info] Detected: yarn.
07:34:57 [Warn] An error was thrown while collecting dependencies info: exit status 1
Command output:
Usage Error: Environment variable not found (JF_USER) in /tmp/jfrog.cli.temp.-1664782495-[39](https://github.com/transmitsecurity-dev/TIP/actions/runs/3172355902/jobs/5166741757#step:7:40)[40](https://github.com/transmitsecurity-dev/TIP/actions/runs/3172355902/jobs/5166741757#step:7:41)882343/.yarnrc.yml (in /tmp/jfrog.cli.temp.-1664782495-3940882343/.yarnrc.yml)
━━━ Yarn Package Manager - 3.2.2 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$ yarn <command>
You can also print more details about any of these commands by calling them with
the `-h,--help` flag right after the command name.