build-ref-matrix failures preventing deployment #899

Closed
jameshadfield opened this issue Jun 5, 2024 · 8 comments
Labels
bug Something isn't working

Comments

@jameshadfield
Member

jameshadfield commented Jun 5, 2024

The recent CI action failed due to

 ./scripts/get-resource-index-ref-matrix: line 12: HEROKU_TOKEN: The HEROKU_TOKEN environment variable is required.
Error: Process completed with exit code 1.

(and thus correctly wasn't deployed). I re-ran it and it failed again (same error). A run ~20 minutes previous succeeded.

@jameshadfield jameshadfield added the bug Something isn't working label Jun 5, 2024
@tsibley
Member

tsibley commented Jun 5, 2024

I looked into this (cause I got a Slack notification) and observed that the HEROKU_TOKEN is resolving to empty:

[image]

but is defined as:

env:
  HEROKU_TOKEN: ${{ secrets.HEROKU_TOKEN_READ_PROTECTED }}

which implies to me that either GitHub Actions is experiencing issues resolving secrets (but there's nothing on https://githubstatus.com), or that particular workflow-triggering event precludes access to secrets, possibly because it was a commit/merge by Dependabot.

@tsibley
Member

tsibley commented Jun 5, 2024

I suspect we need to configure secrets for Dependabot separately from secrets for GitHub Actions. Even though Actions is running here, it's because of Dependabot.

@joverlee521
Contributor

Ah dependabot doesn't have access

When a Dependabot event triggers a workflow, the only secrets available to the workflow are Dependabot secrets. GitHub Actions secrets are not available. Consequently, you must store any secrets that are used by a workflow triggered by Dependabot events as Dependabot secrets

@tsibley
Member

tsibley commented Jun 5, 2024

If you have a workflow that will be triggered by Dependabot and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a Dependabot secret with identical names.

That is a frustrating way to do things.

@joverlee521
Contributor

Added HEROKU_TOKEN_READ_PROTECTED to dependabot secrets and rerunning the workflow

@jameshadfield
Member Author

Thanks all! I figured it was something to do with "environments", and it kinda was but not what GitHub calls "environments".

P.S. There's some Dependabot secrets that we no longer have as actions secrets that we may want to remove

@victorlin
Member

P.S. There's some Dependabot secrets that we no longer have as actions secrets that we may want to remove

#903
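
An added example, not part of the thread or the project's code: a small audit that compares the secrets a workflow references against the Actions and Dependabot secret stores, covering both the empty HEROKU_TOKEN failure and the leftover Dependabot secrets from the P.S. The function names are hypothetical, and the workflow text and store contents are constructed sample values (in practice the names would be copied from the repository's Actions and Dependabot secrets settings pages).

```python
import re

# Matches `secrets.NAME` inside ${{ ... }} expressions in workflow YAML.
# The bracket form secrets['NAME'] is not handled (assumed unused here).
SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")


def referenced_secrets(workflow_text):
    """Return the set of stored-secret names a workflow file references."""
    # Secret names are case-insensitive, so normalise before comparing.
    names = {m.group(1).upper() for m in SECRET_REF.finditer(workflow_text)}
    # GITHUB_TOKEN is provided automatically and lives in neither store.
    return names - {"GITHUB_TOKEN"}


def audit(workflow_text, actions_secrets, dependabot_secrets):
    """Compare a workflow's secret references against both secret stores."""
    needed = referenced_secrets(workflow_text)
    actions = {n.upper() for n in actions_secrets}
    dependabot = {n.upper() for n in dependabot_secrets}
    return {
        # These resolve to empty when Dependabot triggers the workflow.
        "missing_for_dependabot": sorted(needed - dependabot),
        # These resolve to empty when any other actor triggers it.
        "missing_for_actions": sorted(needed - actions),
        # Dependabot secrets with no Actions counterpart: removal candidates.
        "stale_dependabot": sorted(dependabot - actions),
    }


# Constructed sample input: the env block quoted in the thread, one extra
# hypothetical GITHUB_TOKEN reference, and made-up store contents.
WORKFLOW = """\
env:
  HEROKU_TOKEN: ${{ secrets.HEROKU_TOKEN_READ_PROTECTED }}
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""
ACTIONS = ["HEROKU_TOKEN_READ_PROTECTED"]
DEPENDABOT = ["OLD_DEPLOY_KEY"]  # made-up name for a leftover secret

if __name__ == "__main__":
    for finding, names in audit(WORKFLOW, ACTIONS, DEPENDABOT).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Running it over every file in `.github/workflows/` flags the mismatch before a Dependabot merge triggers a deployment workflow with an empty token.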
