
Bumper jobs failing

Open yakimant opened this issue 1 year ago • 12 comments

Started to fail after Tanguy left. After getting access to the repo Settings, @diegomrsantos and I discovered that probably a personal token was used for ACTIONS_GITHUB_TOKEN.

Token is setup here: https://github.com/status-im/nim-libp2p/settings/secrets/actions

See action code: https://github.com/status-im/nim-libp2p/blob/d2c98bd87d540ec2f2d1a7c244b60386dfda66d3/.github/workflows/bumper.yml#L28

Actions & security docs:

  • https://docs.github.com/en/actions/security-guides
  • https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
  • https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
  • https://github.com/actions/checkout

yakimant avatar Dec 18 '23 14:12 yakimant

Added status-im-auto token to ACTIONS_GITHUB_TOKEN

And added it to nwaku & nimbus: https://github.com/waku-org/nwaku/settings/access https://github.com/status-im/nimbus-eth2/settings/access

yakimant avatar Dec 18 '23 14:12 yakimant

Found out experimentally that public_repo is required, see https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps

yakimant avatar Dec 18 '23 16:12 yakimant

Codex repo is missing the status-im-auto user with Write permissions.

yakimant avatar Dec 18 '23 16:12 yakimant

Done, added: https://github.com/codex-storage/nim-codex/settings/access

yakimant avatar Dec 18 '23 16:12 yakimant

Bumper is green again: https://github.com/status-im/nim-libp2p/actions/workflows/bumper.yml

@jakubgs, please review this workaround when you are back.

Token for status-im-auto: https://github.com/settings/tokens/1428298602

yakimant avatar Dec 18 '23 16:12 yakimant

This is a useful part of security guide: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#considering-cross-repository-access

This list describes the recommended approaches for accessing repository data within a workflow, in descending order of preference:

  1. The GITHUB_TOKEN
  2. Repository deploy key
  3. GitHub App tokens
  4. personal access tokens
  5. SSH keys on a personal account

We use approach 4. And it looks like we can't use 1, because we need write access to other repos. So it's worth checking 2 and 3.

yakimant avatar Dec 22 '23 16:12 yakimant

If possible we should avoid using old "classic" tokens and we should try to create as specific "Fine-grained personal access tokens" as possible. They can be created to target a specific repo with a specific permission only.

jakubgs avatar Jan 03 '24 15:01 jakubgs

"Fine-grained" token didn't work with user owner - git fails to push:

remote: Permission to status-im/nimbus-eth2.git denied to status-im-auto.
fatal: unable to access 'https://github.com/status-im/nimbus-eth2/': The requested URL returned error: 403

https://github.com/status-im/nim-libp2p/actions/runs/7252738074/job/20160975446

Organisation-wide token worked! We'll need to have 1 token for each of the 3 orgs (waku, status and codex) and update the job.

yakimant avatar Jan 10 '24 15:01 yakimant

Looks like a deploy key might actually be useful for us:

  1. https://stackoverflow.com/questions/76888117/how-can-i-push-changes-to-a-private-repository-using-github-actions
  2. https://tabris.com/using-deploy-keys-on-github-actions/
  3. https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#set-up-deploy-keys

yakimant avatar Jan 10 '24 15:01 yakimant
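As an added illustration of the deploy-key approach discussed in this thread (not the project's own bumper.yml), the workflow fragment below pushes a bump branch to one target repository with a repository-scoped deploy key instead of a personal access token. It assumes a secret named NIMBUS_DEPLOY_KEY holding the private half of an ed25519 key whose public half was added under the target repo's Settings > Deploy keys with write access; the branch name and committer email are placeholders.

```yaml
name: bumper (deploy-key variant, example only)
on:
  push:
    branches: [unstable]

# The job needs nothing more than read access to *this* repository via
# GITHUB_TOKEN; write access to the other repo comes from the deploy key.
permissions:
  contents: read

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # NIMBUS_DEPLOY_KEY (assumed secret name) is the private key generated
      # with `ssh-keygen -t ed25519 -N ""` and registered on the target repo
      # only. A deploy key belongs to exactly one repository, so each target
      # repo (nwaku, nimbus-eth2, nim-codex) gets its own key and secret.
      - name: Configure SSH for the target repository
        env:
          DEPLOY_KEY: ${{ secrets.NIMBUS_DEPLOY_KEY }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_key
          # Trust-on-first-use host key; pin a known fingerprint here instead
          # if the runner image does not ship github.com in known_hosts.
          ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts
          # Restrict git to this identity only; no token ever appears in a URL.
          echo "GIT_SSH_COMMAND=ssh -i ~/.ssh/deploy_key -o IdentitiesOnly=yes" >> "$GITHUB_ENV"

      - name: Push bump branch to the target repository
        run: |
          git config user.name  "status-im-auto"
          git config user.email "auto@example.invalid"   # placeholder
          git remote add target git@github.com:status-im/nimbus-eth2.git
          # Push only the branch the bumper PR is opened from (placeholder name).
          git push target HEAD:refs/heads/nim-libp2p-auto-bump
```

If the bumper also has to open the pull request on the target repo, a deploy key alone cannot call the GitHub API; that step still needs a fine-grained token or a GitHub App installation token scoped to that repository.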

@yakimant what's the status here?

diegomrsantos avatar May 10 '24 13:05 diegomrsantos

No update since January.

There are 2 options:

  • Deploy keys
  • Create a github user with limited permissions just for this task

yakimant avatar May 10 '24 15:05 yakimant

Is there any pending input from the libp2p team?

diegomrsantos avatar Jun 26 '24 12:06 diegomrsantos