
Initial clone not working for private repositories

Open • basz opened this issue 2 years ago • 5 comments

Bug Report

Q | A
Version(s) | 1.17

Summary

Initial git clone fails for private repositories

Current behavior

Run laminas/laminas-ci-matrix-action@v1
/usr/bin/docker run --name ghcriolaminaslaminascimatrix1_c6d287 --label 786a9b --workdir /github/workspace --rm -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/lab-api-model-valueobject/lab-api-model-valueobject":"/github/workspace" ghcr.io/laminas/laminas-ci-matrix:1
Cloning into '.'...
Cloning repository
fatal: could not read Username for 'https://github.com/': No such device or address

How to reproduce

  1. create a private repository on github
  2. add this workflow https://github.com/laminas/workflow-continuous-integration
  3. Add GITHUB_TOKEN as environment variable to the steps
  4. push

Expected behavior

Initial checkout succeeds

Notes

  • edited: added step 3
  • I've checked the token permissions on https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions
  • Been reading this https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
    • looking at the example they set and use the token differently. That might be a clue as git won't use the GITHUB_TOKEN env variable by itself.

Shouldn't the auth token be persisted to the local git config before it can be used by git commands? actions/checkout action seems to do that (See the Readme).

basz, Sep 06 '22 05:09

I wonder if we could use actions/checkout as child action :thinking:

Doing the cloning ourselves is both inefficient (github is smarter about it), and unsafe (we may leak secrets during crashes).

@basz meanwhile, do you know which git command it executed, precisely?

Ocramius, Sep 06 '22 08:09

My thought exactly. Just don't know how...

Looking at the output "Cloning repository" I'm guessing here and combined with GITHUB_REPOSITORY from that should be;

git clone https://github.com/plhw/lab-api-model-valueobject.

Could it be double "'s? in that line or in the docker command? -e "$SOME_ENV" vs -e SOME_ENV

basz, Sep 06 '22 08:09

asked because it seems GITHUB_REPOSITORY is empty...

basz, Sep 07 '22 14:09

Just noting: adding a checkout step before laminas/laminas-ci-matrix-action resolves this issue. Credentials are saved and laminas can continue.

- name: Checkout
  uses: actions/checkout@v3

basz, Oct 06 '22 06:10

I've also found it's necessary to set fetch-depth to zero for the matrix to be generated on a pull request to a private project.

jobs:
  matrix:
    name: Generate job matrix
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.matrix.outputs.matrix }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: '0'
      - name: Gather CI configuration
        id: matrix
        uses: laminas/laminas-ci-matrix-action@v1

  qa:
    name: QA Checks
    needs: [ matrix ]
    runs-on: ${{ matrix.operatingSystem }}
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: ${{ matrix.name }}
        uses: laminas/laminas-continuous-integration-action@v1
        env:
          "GITHUB_TOKEN": ${{ secrets.GITHUB_TOKEN }}
        with:
          job: ${{ matrix.job }}

gsteel, Nov 29 '23 11:11
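
The thread's point about persisting the token to the local git config, and the concern about leaking secrets when cloning by hand, as an added example (not code from this action or from actions/checkout). It assumes the caller supplies a token with read access; the function names and the `owner/repo` argument are illustrative.

```sh
# Added example: authenticate git over HTTPS through a scoped config entry
# instead of a token-bearing clone URL or an environment variable git ignores.

EXTRAHEADER_KEY='http.https://github.com/.extraheader'

# Build the HTTP Basic header value; "x-access-token" is the user name
# GitHub accepts together with a GITHUB_TOKEN over HTTPS.
auth_header() {   # $1 = token
    printf 'AUTHORIZATION: basic %s' \
        "$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')"
}

# Store the header in this repository's config only, scoped to github.com.
# Caveat: the value is briefly visible in this command's argv.
persist_token() { # $1 = repo dir, $2 = token
    git -C "$1" config --local "$EXTRAHEADER_KEY" "$(auth_header "$2")"
}

# Remove the credential so it does not outlive the job.
forget_token() {  # $1 = repo dir
    git -C "$1" config --local --unset-all "$EXTRAHEADER_KEY"
}

# init + fetch instead of `git clone https://TOKEN@github.com/...`: the token
# stays out of the remote URL, `git remote -v` and URL-bearing error output.
# Full history is fetched, matching the fetch-depth 0 note in the thread.
fetch_private() { # $1 = owner/repo, $2 = dest dir, $3 = token, $4 = ref
    if git init -q "$2" &&
       git -C "$2" remote add origin "https://github.com/$1" &&
       persist_token "$2" "$3" &&
       git -C "$2" fetch -q origin "$4" &&
       git -C "$2" checkout -q FETCH_HEAD
    then fp_status=0
    else fp_status=1
    fi
    forget_token "$2" 2>/dev/null   # drop the credential even on failure
    return "$fp_status"
}
```

Without a config entry like this (or a credential helper), git has nothing to send and falls back to prompting, which is what produces `could not read Username` in a container with no terminal.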