Which GitHub Fine grained access permissions are needed to run brew test-bot --only-formulae?
Question
I've got a private homebrew tap repo (from running `brew tap-new`) which accesses another private repo, both on github.
While running the homebrew automation for a PR, it has started to fail.
I changed the `.gitconfig` to use a PAT with access to both the homebrew tap and private repo instead of the default gh-actions token, and tested that `git ls-remote` works.
However, after that, the following fails (when run by `brew test-bot`): `git -C /path/to/homebrew/repo fetch origin +refs/heads/main` which doesn't make sense as the PAT clearly has read access to the `contents` scope of both repos, which seems like it should be the necessary permission to run that command.
Per request base GHA workflow copied into question:
```yaml
# check for updates at: https://github.com/Homebrew/brew/blob/master/Library/Homebrew/dev-cmd/tap-new.rb
name: brew test-bot
on:
  push:
    branches:
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - edited
jobs:
  test-bot:
    runs-on: macos-13
    steps:
      - name: Set up Homebrew
        id: set-up-homebrew
        uses: Homebrew/actions/setup-homebrew@master
        with:
          token: ${{ secrets.GH_PAT }}
      - name: Cache Homebrew Bundler RubyGems
        id: cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.set-up-homebrew.outputs.gems-path }}
          key: ${{ runner.os }}-rubygems-${{ steps.set-up-homebrew.outputs.gems-hash }}
          restore-keys: ${{ runner.os }}-rubygems-
      - name: Install Homebrew Bundler RubyGems
        if: steps.cache.outputs.cache-hit != 'true'
        run: brew install-bundler-gems
      - run: brew test-bot --only-cleanup-before
      - run: brew test-bot --only-setup
      - run: brew test-bot --only-tap-syntax
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - run: brew test-bot --only-formulae --root-url=https://ghcr.io/v2/getargv/homebrew-tap
        if: github.event_name == 'pull_request'
        # env:
        #   HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
        # with env var git fetch of homebrew-tap fails, without env var downloading from private repo fails
      - name: Upload bottles as artifact
        if: github.event_name == 'pull_request'
        uses: actions/upload-artifact@main
        with:
          name: bottles
          path: '*.bottle.*'
      - uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["pr-pull"]
            })
```
and logs from failing step:
```
Run brew test-bot --only-formulae --root-url=https://ghcr.io/v2/getargv/homebrew-tap
==> Using Homebrew/homebrew-test-bot 1771ae5 (Merge pull request #958 from Homebrew/artifact_id_string)
==> Using Homebrew/brew 4.1.0-29-gfe7aa4b61 (Merge pull request #15732 from EricFromCanada/create-require-version)
==> Using Homebrew/homebrew-core 61015bd9bce (Merge pull request #133372 from chenrui333/bump-vcpkg-2023.06.08)
==> Testing getargv/homebrew-tap c0b8512 (Merge 2eee8ab807436abc38f103e5aa9885a280bf7e2a into eac896727b99cd4a4d144f75e620850786958524):
==> Running FormulaeDetect#detect_formulae!
==> git -C /usr/local/Homebrew/Library/Taps/getargv/homebrew-tap fetch origin +refs/heads/main
url https://github.com/getargv/homebrew-tap/pull/4/checks
tap origin/main eac8967 (only label on PR, run action when PR created or opened not merged)
HEAD c0b8512 (Merge 2eee8ab807436abc38f103e5aa9885a280bf7e2a into eac896727b99cd4a4d144f75e620850786958524)
diff_start_sha1 eac896727b99cd4a4d144f75e620850786958524
diff_end_sha1 c0b851243d08440221151dce2cee268faf74b1f8
testing_formulae getargv/tap/getargv getargv/tap/libgetargv
added_formulae (none)
modified_formulae getargv/tap/getargv getargv/tap/libgetargv
deleted_formulae (none)
==> Running Formulae#run!
==> Running Formulae#formula!(getargv/tap/getargv)
==> brew audit --strict --only=gcc_dependency getargv/tap/getargv
==> brew deps --tree --annotate --include-build --include-test getargv/tap/getargv
==> Determining dependencies...
==> brew install --only-dependencies --verbose --build-bottle getargv/tap/getargv
==> Starting tests for getargv/tap/getargv
==> brew fetch --retry getargv/tap/getargv --build-bottle --force
==> FAILED
Full fetch getargv/tap/getargv --build-bottle output
==> Fetching getargv from getargv/tap
Error: Download failed: Environmental variable HOMEBREW_GITHUB_API_TOKEN is required.
==> brew install --verbose --build-bottle getargv/tap/getargv
==> FAILED
Full install --build-bottle getargv/tap/getargv output
Truncated install --build-bottle getargv/tap/getargv output
==> brew audit getargv/tap/getargv --online --git --skip-style
==> FAILED
Full audit getargv/tap/getargv --online --git --skip-style output
==> SKIPPED getargv/tap/getargv
==> Running Formulae#formula!(getargv/tap/libgetargv)
==> brew audit --strict --only=gcc_dependency getargv/tap/libgetargv
==> brew deps --tree --annotate --include-build --include-test getargv/tap/libgetargv
==> Determining dependencies...
==> brew install --only-dependencies --verbose --build-bottle getargv/tap/libgetargv
==> Starting tests for getargv/tap/libgetargv
==> brew fetch --retry getargv/tap/libgetargv --build-bottle --force
==> FAILED
Full fetch getargv/tap/libgetargv --build-bottle output
==> brew install --verbose --build-bottle getargv/tap/libgetargv
==> FAILED
Full install --build-bottle getargv/tap/libgetargv output
Truncated install --build-bottle getargv/tap/libgetargv output
==> brew audit getargv/tap/libgetargv --online --git --skip-style
==> FAILED
Warning: install failed
Full audit getargv/tap/libgetargv --online --git --skip-style output
==> SKIPPED getargv/tap/libgetargv
==> Skipped or failed formulae:
getargv/tap/getargv
getargv/tap/libgetargv
Warning: 2 failed steps ignored!
brew install --verbose --build-bottle getargv/tap/getargv
brew install --verbose --build-bottle getargv/tap/libgetargv
Error: 4 failed steps!
brew fetch --retry getargv/tap/getargv --build-bottle --force
brew audit getargv/tap/getargv --online --git --skip-style
brew fetch --retry getargv/tap/libgetargv --build-bottle --force
brew audit getargv/tap/libgetargv --online --git --skip-style
Error: Process completed with exit code 1.
```
The PAT has:
Repository access:
- getargv/getargv
- getargv/homebrew-tap
Permissions:
- Read access to metadata
- Read and Write access to code and pull requests
By removing the token stuff including the HOMEBREW_GITHUB_API_TOKEN env var the git fetch succeeds but the subsequent attempt to build the formula fails due to lack of access to the private repo.
Here is a file I use to be able to download private repo contents which may be what allows the setup-homebrew step to work.
```ruby
# frozen_string_literal: false

require "download_strategy"

module Monkeypatch
  class << self
    def apply_patch
      unless homebrew_version_ok?
        raise "WARNING: It looks like HomeBrew has been upgraded since " \
              "this monkeypatch was writen, please reevaluate the patch in #{__FILE__}."
      end
      const = find_const
      return unless const

      mtd = find_method(const)
      if mtd.nil? || mtd.arity != InstanceMethods.instance_method(:audit_urls).arity
        raise "Could not find class or method when patching " \
              "HomeBrew's audit helper. Please investigate."
      end
      const.prepend(InstanceMethods)
    end

    private

    def find_const
      Kernel.const_get("Homebrew::ResourceAuditor") if Kernel.const_defined?("Homebrew::ResourceAuditor")
    end

    def find_method(const)
      const.instance_method(:audit_urls) if const.method_defined?(:audit_urls)
    end

    def homebrew_version_ok?
      parsed = Version.parse(HOMEBREW_VERSION)
      parsed.major_minor == "4.0"
    end
  end

  module InstanceMethods
    def audit_urls
      if url.match?(%r{github.com/.*/archive/refs/tags})
        strategy = DownloadStrategyDetector.detect(url, using)
        si = strategy.new(url, @name, @version)
        specs.compare_by_identity
        specs["header"] = "Accept: application/vnd.github+json"
        specs["header"] = "X-GitHub-Api-Version: 2022-11-28"
        specs["header"] = "Authorization: Bearer #{Homebrew::EnvConfig.github_api_token}"
        if (http_content_problem = curl_check_http_content(si.download_url,
                                                           "source URL",
                                                           specs: specs,
                                                           use_homebrew_curl: @use_homebrew_curl))
          problem http_content_problem
        end
      else
        super
      end
    end
  end
end

class GitHubPrivateRepositoryDownloadStrategy < CurlDownloadStrategy
  require "utils/formatter"
  require "utils/github"

  def initialize(url, name, version, **meta)
    super
    parse_url_pattern
    set_github_token
  end

  def parse_url_pattern
    url_pattern = %r{https://github.com/([^/]+)/([^/]+)/\S+/(\S+)\.(?:tar\.gz|zip)}
    unless (match = url.match(url_pattern))
      raise CurlDownloadStrategyError, "Invalid url pattern for GitHub Repository."
    end

    _, @owner, @repo, @version = *match
    @ref = "tags/#{@version}"
  end

  def download_url
    "https://api.github.com/repos/#{@owner}/#{@repo}/tarball/#{@ref}"
  end

  private

  def _fetch(url:, resolved_url:, timeout:)
    curl_download download_url, to: temporary_path, timeout: timeout
  end

  def _curl_args
    [
      "--header", "Accept: application/vnd.github+json",
      "--header", "X-GitHub-Api-Version: 2022-11-28",
      "--header", "Authorization: Bearer #{@github_token}"
    ]
  end

  def set_github_token
    @github_token = ENV.fetch("HOMEBREW_GITHUB_API_TOKEN", nil)
    unless @github_token
      raise CurlDownloadStrategyError, "Environmental variable HOMEBREW_GITHUB_API_TOKEN is required."
    end

    validate_github_repository_access!
  end

  def validate_github_repository_access!
    # Test access to the repository
    GitHub.repository(@owner, @repo)
  rescue GitHub::API::HTTPNotFoundError
    # We switched to GitHub::API::HTTPNotFoundError,
    # because we can now handle bad credentials messages
    message = <<~EOS
      HOMEBREW_GITHUB_API_TOKEN can not access the repository: #{@owner}/#{@repo}
      This token may not have permission to access the repository or the url of formula may be incorrect.
    EOS
    raise CurlDownloadStrategyError, message
  end
end

# GitHubPrivateRepositoryReleaseDownloadStrategy downloads tarballs from GitHub
# Release assets. To use it, add
# `:using => GitHubPrivateRepositoryReleaseDownloadStrategy` to the URL section of
# your formula. This download strategy uses GitHub access tokens (in the
# environment variables HOMEBREW_GITHUB_API_TOKEN) to sign the request.
class GitHubPrivateRepositoryReleaseDownloadStrategy < GitHubPrivateRepositoryDownloadStrategy
  def parse_url_pattern
    url_pattern = %r{https://github.com/([^/]+)/([^/]+)/releases/download/([^/]+)/(\S+)}
    unless (match = @url.match(url_pattern))
      raise CurlDownloadStrategyError, "Invalid url pattern for GitHub Release."
    end

    _, @owner, @repo, @tag, @filename = *match
  end

  def download_url
    "https://api.github.com/repos/#{@owner}/#{@repo}/releases/assets/#{asset_id}"
  end

  private

  def asset_id
    @asset_id ||= resolve_asset_id
  end

  def resolve_asset_id
    release_metadata = fetch_release_metadata
    assets = release_metadata["assets"].select { |a| a["name"] == @filename }
    raise CurlDownloadStrategyError, "Asset file not found." if assets.empty?

    assets.first["id"]
  end

  def fetch_release_metadata
    GitHub.get_release(@owner, @repo, @tag)
  end
end

Monkeypatch.apply_patch
```
Latest error:
```
/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.1.1-19-gdb86a40\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4\)\ curl/7.88.1 --header Accept-Language:\ en --retry 3 --location https://api.github.com/graphql --header Accept:\ application/vnd.github\+json --write-out '
'\%\{http_code\} --header Authorization:\ token\ ****** --header X-GitHub-Api-Version:2022-11-28 --data @/private/tmp/github_api_post20230725-8726-1gxr8lc --request POST --dump-header /private/tmp/github_api_headers20230725-8726-1la1q6u
Error: FORBIDDEN: Resource not accessible by personal access token
```
So what do I need to do to get this working again?
Answer 1
Score: 1
<details>
<summary>English:</summary>
In case you still have issues, try these permissions for your token. (I think in my case it is passing because it's a dummy test, similar to a hello world, and in your case it is a real application, which is more complex.) Try it and let me know.

- workflow: read-write
- actions: read-write
- contents: read-write
- pull requests: read-write

Also, by the way, try doing a dummy test on your side too: create 2 private repos, put the formulae .rb in one and the code in the second, upload the tar, and so on. But keep it simple.
I am wondering whether it is the PAT permissions or the code not reading the PAT; if it does not read it, it might act as if you do not have permissions.
**UPDATE2 for GitHub organization account:**
**Solution proposed for attempts to pull image from container registry using fine-grained access token, for Private GitHub Repos**
Fine-grained token permissions:
[![image here][1]][1]
However, I also tested with these permissions and it worked:
[![image][2]][2]
**Workflow is the same, I just removed some steps on my end (you do not have to)**
```yaml
# check for updates at: https://github.com/Homebrew/brew/blob/master/Library/Homebrew/dev-cmd/tap-new.rb
name: brew test-bot
on:
  push:
    branches:
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - edited
jobs:
  test-bot:
    runs-on: macos-13
    steps:
      - name: Set up Homebrew
        id: set-up-homebrew
        uses: Homebrew/actions/setup-homebrew@master
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
        with:
          token: ${{ secrets.GH_PAT }}
          debug: true
      - name: Cache Homebrew Bundler RubyGems
        id: cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.set-up-homebrew.outputs.gems-path }}
          key: ${{ runner.os }}-rubygems-${{ steps.set-up-homebrew.outputs.gems-hash }}
          restore-keys: ${{ runner.os }}-rubygems-
      - name: Install Homebrew Bundler RubyGems
        # if: steps.cache.outputs.cache-hit != 'true'
        run: brew install-bundler-gems
      - run: brew test-bot --only-cleanup-before
      - run: brew test-bot --only-setup
      - run: brew test-bot --only-tap-syntax
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - run: brew update
      - run: brew test-bot --only-tap-syntax
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - run: |
          git config --global http.extraheader "Authorization: Basic $(echo -n "x-access-token:${{ secrets.GH_PAT }}" | base64 | tr -d '\n')"
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - run: |
          git ls-remote 'https://github.com/KekkeiGenkaiCloud/getargv.git'
          git ls-remote 'https://github.com/KekkeiGenkaiCloud/homebrew-tap.git'
      - name: Run brew test-bot --only-formulae --root-url
        run: brew test-bot --only-formulae --root-url=https://ghcr.io/v2/kekkeigenkaicloud/homebrew-tap
        # if: github.event_name == 'pull_request'
        env:
          ACTIONS_STEP_DEBUG: true
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - name: Upload bottles as an artifact
        # if: github.event_name == 'pull_request'
        uses: actions/upload-artifact@v2
        with:
          name: bottles
          path: '*.bottle.*'
      - uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["pr-pull"]
            })
```
**See pipeline run status**
[![pipeline status][3]][3]
**UPDATE2 for personal account:**
**Solution proposed for attempts to pull image from container registry using fine-grained access token**
Fine-grained token permissions:
Repository permissions
Read access to actions, commit statuses, and metadata
Read and Write access to code and pull requests
[Permission selected at token creation see in picture][4]
Pipeline ran with success:
[See picture here][5]
**Working solution where TOKEN has all permissions selected [however, OP does not need all permissions, just the ones necessary for GitHub registry pull]**
I managed to make the pipeline run successfully; please keep in mind that it is a dummy test. I commented out some `if`s since in my case I do not have events. Modify it to align with your needs. Let me know how it worked on your end.
[See here][6]
TOKEN permissions:
[image here][7]
```yaml
# check for updates at: https://github.com/Homebrew/brew/blob/master/Library/Homebrew/dev-cmd/tap-new.rb
name: brew test-bot
on:
  push:
    branches:
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - edited
jobs:
  test-bot:
    runs-on: macos-13
    steps:
      - name: Set up Homebrew
        id: set-up-homebrew
        uses: Homebrew/actions/setup-homebrew@master
        with:
          token: ${{ secrets.GH_PAT }}
          debug: true
      - name: Cache Homebrew Bundler RubyGems
        id: cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.set-up-homebrew.outputs.gems-path }}
          key: ${{ runner.os }}-rubygems-${{ steps.set-up-homebrew.outputs.gems-hash }}
          restore-keys: ${{ runner.os }}-rubygems-
      - name: Install Homebrew Bundler RubyGems
        # if: steps.cache.outputs.cache-hit != 'true'
        run: brew install-bundler-gems
      - run: brew test-bot --only-cleanup-before
      - run: brew test-bot --only-setup
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - run: brew update
      - run: brew test-bot --only-tap-syntax
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - run: |
          git config --global http.extraheader "Authorization: Basic $(echo -n "x-access-token:${{ secrets.GH_PAT }}" | base64 | tr -d '\n')"
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - run: |
          git ls-remote 'https://github.com/dummy-andra/getargv.git'
          git ls-remote 'https://github.com/dummy-andra/homebrew-tap.git'
      - name: Run brew test-bot --only-formulae --root-url=
        run: brew test-bot --only-formulae --root-url=https://ghcr.io/v2/dummy-andra/homebrew-tap
        # if: github.event_name == 'pull_request'
        env:
          ACTIONS_STEP_DEBUG: true
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - name: Upload bottles as an artifact
        # if: github.event_name == 'pull_request'
        uses: actions/upload-artifact@v2
        with:
          name: bottles
          path: '*.bottle.*'
      - uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["pr-pull"]
            })
```
**These solutions are not applicable to OP's issue**
// however, these solutions are good if the pipeline fails at the http.extraheader step; for OP the pipeline fails at image pull
The PAT has the correct permission, however can you try to edit your workflow file and comment out the step that has http.extraheader? Because instead of overriding the extraheader git adds two AUTHORIZATION headers.extra headers to the empty list.
Check this doc: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpextraHeader
Let me know how it goes.
Solution 1:
```yaml
name: brew test-bot
on:
  push:
    branches:
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - edited
jobs:
  test-bot:
    runs-on: macos-13
    steps:
      - name: Set up Homebrew
        id: set-up-homebrew
        uses: Homebrew/actions/setup-homebrew@master
        with:
          token: ${{ secrets.GH_PAT }}
      - name: Cache Homebrew Bundler RubyGems
        id: cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.set-up-homebrew.outputs.gems-path }}
          key: ${{ runner.os }}-rubygems-${{ steps.set-up-homebrew.outputs.gems-hash }}
          restore-keys: ${{ runner.os }}-rubygems-
      - name: Install Homebrew Bundler RubyGems
        if: steps.cache.outputs.cache-hit != 'true'
        run: brew install-bundler-gems
      # Remove this step to avoid interfering with token usage
      # - run: 'git config --replace-all "http.extraheader" "Authorization: Basic $(echo -n "x-access-token:$HOMEBREW_GITHUB_API_TOKEN" | base64 | tr -d ''\n'')"'
      #   env:
      #     HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      # Instead of using 'git ls-remote', use Homebrew 'brew update' to fetch the latest changes
      - run: brew update
      # (Optional) If you need to verify the existence of specific branches, you can use 'git ls-remote' here
      # - run: git ls-remote 'https://github.com/getargv/getargv.git'
      # - run: git ls-remote 'https://github.com/getargv/homebrew-tap.git'
      - run: brew test-bot --only-formulae --root-url=https://ghcr.io/v2/getargv/homebrew-tap
        if: github.event_name == 'pull_request'
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - name: Upload bottles as artifact
        if: github.event_name == 'pull_request'
        uses: actions/upload-artifact@main
        with:
          name: bottles
          path: '*.bottle.*'
      - uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["pr-pull"]
            })
```
Solution 2: Reset the Extraheader List with Git Commands
The second solution involves using Git commands within the workflow to reset the extraheader list and avoid the duplicate AUTHORIZATION headers.
```yaml
name: brew test-bot
on:
  push:
    branches:
      - main
  pull_request:
    types:
      - opened
      - synchronize
      - edited
jobs:
  test-bot:
    runs-on: macos-13
    steps:
      - name: Set up Homebrew
        id: set-up-homebrew
        uses: Homebrew/actions/setup-homebrew@master
        with:
          token: ${{ secrets.GH_PAT }}
      - name: Cache Homebrew Bundler RubyGems
        id: cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.set-up-homebrew.outputs.gems-path }}
          key: ${{ runner.os }}-rubygems-${{ steps.set-up-homebrew.outputs.gems-hash }}
          restore-keys: ${{ runner.os }}-rubygems-
      - name: Install Homebrew Bundler RubyGems
        if: steps.cache.outputs.cache-hit != 'true'
        run: brew install-bundler-gems
      # Reset the extraheader list using Git commands
      - name: Reset Git Extraheader
        run: |
          GIT_TRACE=1 GIT_TRANSFER_TRACE=1 GIT_CURL_VERBOSE=1 git \
            -c "http.https://github.com/.extraheader=" \
            -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${{ secrets.GH_PAT }}" \
            push https://github.com/owner/my-repo.git
      # Instead of using 'git ls-remote', use Homebrew 'brew update' to fetch the latest changes
      - run: brew update
      # (Optional) If you need to verify the existence of specific branches, you can use 'git ls-remote' here
      # - run: git ls-remote 'https://github.com/getargv/getargv.git'
      # - run: git ls-remote 'https://github.com/getargv/homebrew-tap.git'
      - run: brew test-bot --only-formulae --root-url=https://ghcr.io/v2/getargv/homebrew-tap
        if: github.event_name == 'pull_request'
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
      - name: Upload bottles as artifact
        if: github.event_name == 'pull_request'
        uses: actions/upload-artifact@main
        with:
          name: bottles
          path: '*.bottle.*'
      - uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["pr-pull"]
            })
```
[1]: https://i.stack.imgur.com/QgnFJ.png
[2]: https://i.stack.imgur.com/AO44u.png
[3]: https://i.stack.imgur.com/CTGzn.png
[4]: https://i.stack.imgur.com/LcMLX.png
[5]: https://i.stack.imgur.com/GoUUR.png
[6]: https://i.stack.imgur.com/jDraV.png
[7]: https://i.stack.imgur.com/luR6U.png
</details>
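The `http.extraheader` behaviour the answer above points to, as an added example that is not part of the original answer: git appends every value set on one extraheader key and clears the list when it meets an empty value, so the script counts the Authorization headers left after `--add`, `--replace-all` and an empty-value reset. The header values, the scratch repository and the helper names are constructed for the demonstration, and the sketch covers values set on a single key only.

```shell
#!/bin/sh
# Added example. Header values are constructed placeholders, not credentials.
KEY='http.https://github.com/.extraheader'
STEP_HEADER='AUTHORIZATION: basic RVhBTVBMRS1TVEVQ'   # assumed left by an earlier step
PAT_HEADER='Authorization: Basic RVhBTVBMRS1QQVQ='    # what the workflow step adds

# git's rule for one extraheader key, applied to values read one per line in
# config order: a non-empty value is appended, an empty value resets the list.
effective_headers() {
    awk '
        $0 == "" { n = 0; next }
        { kept[++n] = $0 }
        END { for (i = 1; i <= n; i++) print kept[i] }
    '
}

# How many Authorization headers survive (header names are case-insensitive).
count_authorization() {
    effective_headers |
        awk 'tolower($0) ~ /^authorization:/ { c++ } END { print c + 0 }'
}

# Run git in a scratch repo with system and per-user config masked out.
scratch_git() {
    _repo=$1; shift
    HOME="${_repo%/repo}" XDG_CONFIG_HOME="${_repo%/repo}/xdg" \
        GIT_CONFIG_NOSYSTEM=1 git -C "$_repo" "$@"
}

# Fresh repo that already carries one credential header; prints its path.
new_scratch_repo() {
    _dir=$(mktemp -d) || return 1
    mkdir "$_dir/repo" || return 1
    scratch_git "$_dir/repo" init -q >/dev/null 2>&1 || return 1
    scratch_git "$_dir/repo" config --local "$KEY" "$STEP_HEADER" || return 1
    printf '%s\n' "$_dir/repo"
}

# Case 1: adding a value to the same key leaves both headers in effect.
count_after_add() {
    repo=$(new_scratch_repo) || return 1
    scratch_git "$repo" config --local --add "$KEY" "$PAT_HEADER"
    scratch_git "$repo" config --get-all "$KEY" | count_authorization
    rm -rf "${repo%/repo}"
}

# Case 2: --replace-all collapses the key to one value in that config file.
count_after_replace_all() {
    repo=$(new_scratch_repo) || return 1
    scratch_git "$repo" config --local --add "$KEY" "$PAT_HEADER"
    scratch_git "$repo" config --local --replace-all "$KEY" "$PAT_HEADER"
    scratch_git "$repo" config --get-all "$KEY" | count_authorization
    rm -rf "${repo%/repo}"
}

# Case 3: an empty -c entry resets what the file supplied, then one is added.
count_after_reset() {
    repo=$(new_scratch_repo) || return 1
    scratch_git "$repo" -c "$KEY=" -c "$KEY=$PAT_HEADER" \
        config --get-all "$KEY" | count_authorization
    rm -rf "${repo%/repo}"
}

if command -v git >/dev/null 2>&1; then
    printf 'after --add:         %s\n' "$(count_after_add)"
    printf 'after --replace-all: %s\n' "$(count_after_replace_all)"
    printf 'after empty reset:   %s\n' "$(count_after_reset)"
fi
```

On a runner, piping `git config --get-all` for the same key through `count_authorization` shows whether a step has left more than one credential header in place.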
# Answer 2
**Score**: -1
You're running into an issue with HOMEBREW_GITHUB_API_TOKEN not being recognized in your Homebrew test-bot GitHub Actions workflow. This issue arises from the fact that you have commented out the part of the GitHub Actions workflow where HOMEBREW_GITHUB_API_TOKEN is declared in the environment:
```yaml
# env:
#   HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
```
The first action I recommend you take is to uncomment this part of the workflow:
```yaml
env:
  HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GH_PAT }}
```
You should then attempt to run the workflow again.
If you're still encountering issues it could be that your token doesn't have the correct permissions. In order for your workflow to function as expected, your token should have the following permissions:
- repo: This grants full control of private repositories, which includes repo:status, repo_deployment, public_repo, security_events, and read:packages.
- workflow: This grants the ability to update GitHub Actions workflow runs.
Ensure your PAT has these permissions and, if it doesn't, update it accordingly.
Even after setting up the PAT with the correct permissions and uncommenting HOMEBREW_GITHUB_API_TOKEN in your workflow, you might still face issues. If that is the case, it would be beneficial to generate a new token.