GoReleaser
Publishing brew taps via GitHub App #5175
-
|
So for a bit of context:
This is my sample of the You can see that the GitHub token I am passing through is actually the access token for the app, which does indeed have rights to push, pull and create PRs in every repo under my org. I tried creating a release here: https://github.com/mirceanton/talswitcher/actions/runs/11134112137/job/30941658207 But I get the following error: Which is a bit confusing to me, as I am 100% sure that github app has rights to push commits to my Are there any extra steps I need to make this work? As far as I understand this is a common issue with workflow-scoped tokens and the solution is to provide a PAT. I am, however, not using workflow tokens but a github app, which should be the equivalent of providing a PAT. Am I missing something here? Thanks in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
you are likely missing some permission, you could probably test it by crafting a PUT request using the problematic token https://docs.github.com/en/rest/repos/contents?apiVersion=2022-11-28#create-or-update-file-contents |
Beta Was this translation helpful? Give feedback.
-
|
It is not a missing permission. I followed the linked documentation as follows:
#!/usr/bin/env bash
set -o pipefail
client_id=$1 # Client ID as first argument
pem=$( cat $2 ) # file path of the private key as second argument
installation_id=$3 # Installation ID as third argument
now=$(date +%s)
iat=$((${now} - 60)) # Issues 60 seconds in the past
exp=$((${now} + 600)) # Expires 10 minutes in the future
b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
header_json='{
"typ":"JWT",
"alg":"RS256"
}'
# Header encode
header=$( echo -n "${header_json}" | b64enc )
payload_json="{
\"iat\":${iat},
\"exp\":${exp},
\"iss\":\"${client_id}\"
}"
# Payload encode
payload=$( echo -n "${payload_json}" | b64enc )
# Signature
header_payload="${header}"."${payload}"
signature=$(
openssl dgst -sha256 -sign <(echo -n "${pem}") \
<(echo -n "${header_payload}") | b64enc
)
# Create JWT
JWT="${header_payload}"."${signature}"
printf '%s\n' "JWT: $JWT"
curl --request POST \
--url "https://api.github.com/app/installations/$installation_id/access_tokens" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer $JWT" \
--header "X-GitHub-Api-Version: 2022-11-28"
Output: {
"token": "ghs_...
"expires_at": "2024-10-08T19:29:21Z",
"permissions": {
"members": "read",
"organization_projects": "write",
"administration": "read",
"attestations": "write",
"checks": "write",
"contents": "write",
"discussions": "read",
"issues": "write",
"metadata": "read",
"packages": "write",
"pages": "write",
"pull_requests": "write",
"statuses": "write",
"vulnerability_alerts": "read",
"workflows": "write"
},
"repository_selection": "all"
}
#!/bin/bash
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $1" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/mirceanton/homebrew-taps/contents/test.md \
-d '{"message":"my commit message","committer":{"name":"Monalisa Octocat","email":"[email protected]"},"content":"bXkgbmV3IGZpbGUgY29udGVudHM="}'
Output: {
"content": {
"name": "test.md",
"path": "test.md",
"sha": "0d5a690c8fad5e605a6e8766295d9d459d65de42",
"size": 20,
"url": "https://api.github.com/repos/mirceanton/homebrew-taps/contents/test.md?ref=main",
"html_url": "https://github.com/mirceanton/homebrew-taps/blob/main/test.md",
"git_url": "https://api.github.com/repos/mirceanton/homebrew-taps/git/blobs/0d5a690c8fad5e605a6e8766295d9d459d65de42",
"download_url": "https://raw.githubusercontent.com/mirceanton/homebrew-taps/main/test.md",
"type": "file",
"_links": {
"self": "https://api.github.com/repos/mirceanton/homebrew-taps/contents/test.md?ref=main",
"git": "https://api.github.com/repos/mirceanton/homebrew-taps/git/blobs/0d5a690c8fad5e605a6e8766295d9d459d65de42",
"html": "https://github.com/mirceanton/homebrew-taps/blob/main/test.md"
}
},
"commit": {
"sha": "aa3d56dc48ef307b9e8bdaeefaa55258816c9933",
"node_id": "C_kwDOM6GHZdoAKGFhM2Q1NmRjNDhlZjMwN2I5ZThiZGFlZWZhYTU1MjU4ODE2Yzk5MzM",
"url": "https://api.github.com/repos/mirceanton/homebrew-taps/git/commits/aa3d56dc48ef307b9e8bdaeefaa55258816c9933",
"html_url": "https://github.com/mirceanton/homebrew-taps/commit/aa3d56dc48ef307b9e8bdaeefaa55258816c9933",
"author": {
"name": "Monalisa Octocat",
"email": "[email protected]",
"date": "2024-10-08T18:30:33Z"
},
"committer": {
"name": "Monalisa Octocat",
"email": "[email protected]",
"date": "2024-10-08T18:30:33Z"
},
"tree": {
"sha": "7f6208a2660e7efe11c2dea051a459a6dff73347",
"url": "https://api.github.com/repos/mirceanton/homebrew-taps/git/trees/7f6208a2660e7efe11c2dea051a459a6dff73347"
},
"message": "my commit message",
"parents": [
{
"sha": "dcc7413bc6c9577c6b69cf15594652fadbce72ef",
"url": "https://api.github.com/repos/mirceanton/homebrew-taps/git/commits/dcc7413bc6c9577c6b69cf15594652fadbce72ef",
"html_url": "https://github.com/mirceanton/homebrew-taps/commit/dcc7413bc6c9577c6b69cf15594652fadbce72ef"
}
],
"verification": {
"verified": false,
"reason": "unsigned",
"signature": null,
"payload": null
}
}
}Here you can see that very commit: mirceanton/homebrew-taps@aa3d56d |
Beta Was this translation helpful? Give feedback.
-
|
After some more troubleshooting, I was able to make it work by passing in a github PAT to the I tried to put the app token in the I'd love to get that to work properly, but for now I'll call this good enough I guess |
Beta Was this translation helpful? Give feedback.
After some more troubleshooting, I was able to make it work by passing in a github PAT to the
TAP_GITHUB_TOKEN. I have no idea why the github app is not working. I was able to push to the repo manually by generating a token for it.I tried to put the app token in the
TAP_GITHUB_TOKENenv var as well and it failed with the same error.I'd love to get that to work properly, but for now I'll call this good enough I guess