atlantis
Unable to update status at url via Github App
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Overview of the Issue
I set up an Atlantis bot with a GitHub App. The bot comments on my PR, but it can't update commit statuses. I allowed the necessary permissions defined in the documentation. I think that is enough to update statuses.
Am I missing something?
Reproduction Steps
I deployed atlantis via the official Fargate module
module "atlantis" {
source = "terraform-aws-modules/atlantis/aws"
version = "~> 3.0"
name = "atlantis"
# VPC
cidr = "10.20.0.0/16"
azs = ["us-west-2a", "us-west-2b", "us-west-2c"]
private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"]
public_subnets = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"]
# DNS (without trailing dot)
route53_zone_name = "atlantis.example.com"
# Atlantis
atlantis_github_app_id = "xxxxxx"
atlantis_github_app_key = data.local_file.secret_key.content
atlantis_repo_allowlist = ["github.com/omajinaiHouse/*"]
atlantis_github_webhook_secret = "xxxxxxx"
}
Added permissions for my Github App
- Administration: Read-only
- Checks: Read and Write
- Commit statuses: Read and Write
- Contents: Read and Write
- Issues: Read and Write
- Metadata: Read-only
- Pull requests: Read and Write
- Webhooks: Read and Write
- Members: Read-only
Logs
{
"level": "error",
"ts": "2023-03-31T05:26:24.851Z",
"caller": "vcs/instrumented_client.go:210",
"msg": "Unable to update status at url: , error: POST https://api.github.com/repos/omajinaiHouse/test-atlantis/statuses/xxxxxxxxx: 403 Resource not accessible by integration []",
"json": {
"repository": "omajinaiHouse/test-atlantis",
"pull-num": "1"
}
}
Environment details
As I mentioned above, I used the default configuration of the module.
Additional Context
I also have the same issue when rolling my own deployment on EC2 with systemd. I think this issue isn't in the Terraform module.
Furthermore, I made a test bench for the investigation as a public repository; you can see the actual behavior of the bot by browsing the PR.
https://github.com/omajinaiHouse/test-atlantis/pull/1
I have the same situation
I noticed that when Atlantis is trying to update statuses, it tries to hit https://api.github.com/repos/org/repo/statuses/master. I assume it wants to update commit statuses here, and it has read/write permissions on them, but I'm still getting 403 Resource not accessible by integration, which does not sound like a lack of permissions.
The GitHub API docs say that /repos/{owner}/{repo}/statuses/{sha} is the endpoint for updating statuses, but Atlantis is trying to hit /repos/{owner}/{repo}/statuses/{branch}. Maybe that's the root cause of this?
I opened a thread in the community about this issue, JFYI
This is where the GitHub function updates the status; it uses pull.HeadCommit as the ref.
https://github.com/runatlantis/atlantis/blob/67686e71a242837716fe62150b1ce605648e11fb/server/events/vcs/github_client.go#L556-L575
Here is the client.Repositories.CreateStatus function header in the upstream library
https://github.com/google/go-github/blob/c96ba417f7b022bee92bc04d831e89fd9fc70edc/github/repos_statuses.go#L74-L88
If we need to use the branch
https://github.com/runatlantis/atlantis/blob/67686e71a242837716fe62150b1ce605648e11fb/server/events/models/models.go#L155-L168
We can use pull.HeadBranch instead. Perhaps we need logic to check whether it's a non-GitHub-App setup and use HeadCommit, and use HeadBranch when it's the GitHub App? Or perhaps the latter works for both?
It would be ideal to have a pull request with adequate unit tests and a validation from the author (and/or others) who has checked in both scenarios end to end test.
@pomcho555 @ovceev Are you still having issues with the latest release? We reverted a feature in #3321 that was causing errors like 403 Resource not accessible by integration []
@GenPage Thanks for the fix. I upgraded Atlantis up to 0.24.2. However, I still got this error.
Apart from this bug, I suggest this function have a feature that prints a debug log of the GitHub API request, so that we could easily debug the actual request payload, as long as it doesn't show sensitive info.
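As an added example (not Atlantis's or go-github's code), the following standard-library Go program shows the two points raised in this thread: the commit-status endpoint takes the head commit SHA, not a branch name, so the ref is validated before the URL is built; and a debug transport logs method, URL and body of each request while redacting the Authorization header, so the payload can be inspected without leaking the installation token. The mock server, repository names and token are constructed for the example; the 403 body mirrors the message in the logs above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"regexp"
	"strings"
)

// shaRe matches a full 40-hex commit SHA; anything else (e.g. "master") is treated as a branch name.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// IsCommitSHA reports whether ref looks like a commit SHA rather than a branch.
func IsCommitSHA(ref string) bool { return shaRe.MatchString(ref) }

// StatusURL builds the commit-status endpoint. GitHub documents {sha} in this path, not {branch},
// so a branch name is rejected here instead of being sent to the API.
func StatusURL(apiBase, owner, repo, ref string) (string, error) {
	if !IsCommitSHA(ref) {
		return "", fmt.Errorf("ref %q is not a commit SHA; the statuses endpoint takes the head commit SHA", ref)
	}
	return fmt.Sprintf("%s/repos/%s/%s/statuses/%s", apiBase, owner, repo, ref), nil
}

// debugTransport logs each outgoing request (method, URL, body) with the Authorization header redacted.
type debugTransport struct {
	base http.RoundTripper
	out  io.Writer
}

func (d *debugTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	var body []byte
	if req.Body != nil {
		body, _ = io.ReadAll(req.Body)
		req.Body = io.NopCloser(bytes.NewReader(body)) // restore the body for the real transport
	}
	auth := req.Header.Get("Authorization")
	if auth != "" {
		auth = "<redacted>" // never write the installation token to logs
	}
	fmt.Fprintf(d.out, "%s %s Authorization=%s body=%s\n", req.Method, req.URL, auth, body)
	return d.base.RoundTrip(req)
}

type ghError struct {
	Message string `json:"message"`
}

// PostStatus creates a commit status and turns a non-2xx reply into an error carrying GitHub's message,
// so "403 Resource not accessible by integration" surfaces verbatim to the caller.
func PostStatus(client *http.Client, apiBase, token, owner, repo, ref, state, context, description string) error {
	u, err := StatusURL(apiBase, owner, repo, ref)
	if err != nil {
		return err
	}
	payload, _ := json.Marshal(map[string]string{"state": state, "context": context, "description": description})
	req, _ := http.NewRequest(http.MethodPost, u, bytes.NewReader(payload))
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
		return nil
	}
	var ge ghError
	_ = json.NewDecoder(resp.Body).Decode(&ge)
	return fmt.Errorf("POST %s: %d %s", u, resp.StatusCode, ge.Message)
}

// NewMockGitHub is a constructed stand-in for api.github.com: it answers the statuses endpoint with
// 403 and the body seen in the thread unless allow is true, in which case it returns 201.
func NewMockGitHub(allow bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, "/repos/") || !strings.Contains(r.URL.Path, "/statuses/") {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if !allow {
			w.WriteHeader(http.StatusForbidden)
			json.NewEncoder(w).Encode(ghError{Message: "Resource not accessible by integration"})
			return
		}
		w.WriteHeader(http.StatusCreated)
		w.Write([]byte(`{"state":"pending"}`))
	}))
}

func main() {
	srv := NewMockGitHub(false)
	defer srv.Close()
	client := &http.Client{Transport: &debugTransport{base: http.DefaultTransport, out: os.Stderr}}
	// Constructed token and repository names; the head SHA is a placeholder.
	err := PostStatus(client, srv.URL, "ghs_constructedtoken", "omajinaiHouse", "test-atlantis",
		strings.Repeat("0", 40), "pending", "atlantis/plan", "Plan in progress")
	fmt.Println("result:", err)
}
```

Running it prints one redacted request line on stderr followed by the 403 error; pointing apiBase at the real API with an installation token exercises the same code path against GitHub.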
0.25.0 the issue still persists :(
403 Resource not accessible by integration []
Has anyone added Org read access and tried it?
On Thu, Sept 14, 2023, 6:14 a.m. Ilia Kovalev @.***> wrote:
0.25.0 the issue still persists :(
403 Resource not accessible by integration []
set these permissions and still got the error :(
Update: after one day we see some progress here
Looks like enabling org read access fixes the issue
Will continue monitoring
- pre-workflow hooks are working (we were prevented from using them because of the error)
- 0 update status PR errors the issue is gone for me, thank you so much guys
Now, does this match the docs?
On Tue, Sept 19, 2023, 4:50 p.m. Ilia Kovalev @.***> wrote:
- pre-workflow hooks are working (we were prevented from using them because of the error)
- 0 update status PR errors the issue is gone for me, thank you so much guys
Not really, the org permissions above are not listed here
https://www.runatlantis.io/docs/access-credentials.html#github-app