actions icon indicating copy to clipboard operation
actions copied to clipboard

Published 20 hours ago verified publisher icon r-lib

Using GITHUB_TOKEN for Pandoc nightly download

Open cderv opened this issue 1 month ago • 1 comments

Not sure what changed, but I recently get pandoc nightly download to fail. Here is the debug logging

##[debug]Evaluating condition for step: 'Run r-lib/actions/setup-pandoc@v2'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run r-lib/actions/setup-pandoc@v[2](https://github.com/rstudio/rmarkdown/actions/runs/9518128513/job/26246875020#step:7:2)
##[debug]Loading inputs
##[debug]Evaluating: matrix.config.pandoc
##[debug]Evaluating Index:
##[debug]..Evaluating Index:
##[debug]....Evaluating matrix:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'config'
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'pandoc'
##[debug]=> 'nightly'
##[debug]Result: 'nightly'
##[debug]Evaluating: secrets.GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run r-lib/actions/setup-pandoc@v2
##[debug]got pandoc-version nightly
##[debug]Downloading https://api.github.com/repos/jgm/pandoc/actions/artifacts/1601[3](https://github.com/rstudio/rmarkdown/actions/runs/9518128513/job/26246875020#step:7:3)04781/zip
##[debug]Destination /home/runner/work/_temp/03[4](https://github.com/rstudio/rmarkdown/actions/runs/9518128513/job/26246875020#step:7:4)2ed2d-f740-41f0-9e4e-6c0c29[5](https://github.com/rstudio/rmarkdown/actions/runs/9518128513/job/26246875020#step:7:5)66afb
##[debug]Failed to download from "https://api.github.com/repos/jgm/pandoc/actions/artifacts/1[6](https://github.com/rstudio/rmarkdown/actions/runs/9518128513/job/26246875020#step:7:6)01304781/zip". Code(403) Message(Forbidden)
Error: Failed to download Pandoc nightly build: Error: Unexpected HTTP response: 403
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run r-lib/actions/setup-pandoc@v2

from https://github.com/rstudio/rmarkdown/actions/runs/9518128513/job/26246875020#step:7:47

I am wondering if the token input is correctly passed to the API call 🤔

  • We see the GITHUB_TOKEN gets read
  • API Docs says Actions read scoped is needed, and this is the case for this workflow: https://github.com/rstudio/rmarkdown/actions/runs/9518128513/job/26246875020#step:1:18
GITHUB_TOKEN Permissions
  Actions: read
  • If I call the URL using gh CLI locally it works gh api /repos/jgm/pandoc/actions/artifacts/1601304781/zip > nightly.zip

I don't know a lot about @action/core but I see we do this for nightly https://github.com/r-lib/actions/blob/fbafc3bc4ba114e72680c71e835c59b022606c46/setup-pandoc/src/setup-pandoc.ts#L111

and so we create octokit without the GITHUB_TOKEN.

There is a function to get Auth Header https://github.com/r-lib/actions/blob/fbafc3bc4ba114e72680c71e835c59b022606c46/setup-pandoc/src/setup-pandoc.ts#L92-L100

but it is not used in the script... So I wonder.

Is token input really used ? Or should we authenticate another way ?

I have seen in https://github.com/octokit/action.js/ that maybe setting GITHUB_TOKEN env could work so trying that now. https://github.com/rstudio/rmarkdown/pull/2559

cderv avatar Jun 14 '24 19:06 cderv