Commit d15beb2

fix: increase token scope to create PRs or send events in other repositories (#1834)

After the release action creates a release successfully, it sends an event to trigger this [workflow](https://github.com/open-component-model/ocm/blob/44e518eb1228ef2eddaac0bf71cb25941701636b/.github/workflows/publish-to-other-than-github.yaml), so the release is propagated through other repositories (website, brew) and package registries (chocolatey, ...).

For the release `0.36.0` the workflow [failed](https://github.com/open-component-model/ocm/actions/runs/22340840543) for the ocm-website and homebrew-tab with an error such as

```log
Error: Error creating blob for file 'Formula/ocm@0.36.0.rb': Resource not accessible by integration - https://docs.github.com/rest/git/blobs#create-a-blob
```

The `Resource not accessible by integration` indicates a permission-scope issue. A week before the workflow was run, the generation of GitHub-Tokens was [changed](001ac9f):

```diff
- uses: tibdex/github-app-token@3beb63f # v2.1.0
+ uses: actions/create-github-app-token@29824e6 # v2
```

However, the `create-github-app-token` action only grants permissions for the current repository. Accordingly, any event (website) or creation of a PR (brew) will fail, as these are other repositories.

To resolve this, we need to set `owner: ${{ github.repository_owner }}` to create a token [for all repositories in the current owner's installation](https://github.com/actions/create-github-app-token?tab=readme-ov-file#create-a-token-for-all-repositories-in-the-current-owners-installation) (see related [discussion](https://github.com/orgs/community/discussions/69154#discussioncomment-7191057)).

---------

Signed-off-by: Frederic Wilhelm <frederic.wilhelm@sap.com>
Co-authored-by: Gerald Morrison <67469729+morri-son@users.noreply.github.com>

1 parent 7c0adfc commit d15beb2

2 files changed: +3 -0 lines changed

.github/workflows/publish-to-other-than-github.yaml

Lines changed: 2 additions & 0 deletions
@@ -30,6 +30,7 @@ jobs:
3030
with: # OCMBot
3131
app-id: ${{ secrets.OCMBOT_APP_ID }}
3232
private-key: ${{ secrets.OCMBOT_PRIV_KEY }}
33+
owner: ${{ github.repository_owner }}
3334
- name: Checkout
3435
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3536
with:
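
Review bot: The added `owner: ${{ github.repository_owner }}` at new line 33 has no `repositories:` input beside it, so the OCMBot token now covers every repository in the owner's installation rather than only the ones this job writes to. Consider adding `repositories:` with just the targets the job needs, and a short comment on the `owner` line saying why it is required, since the reason currently lives only in the commit message.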
@@ -137,6 +138,7 @@ jobs:
137138
with: # OCMBot
138139
app-id: ${{ secrets.OCMBOT_APP_ID }}
139140
private-key: ${{ secrets.OCMBOT_PRIV_KEY }}
141+
owner: ${{ github.repository_owner }}
140142
- name: Publish Release Event
141143
uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
142144
with:
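
Review bot: The token generated in this hunk is consumed by the `Publish Release Event` step (`peter-evans/repository-dispatch`), yet `owner:` alone at new line 141 makes it valid for all repositories in the installation. A dispatch needs access only to the repository that receives the event, so listing that repository under `repositories:` next to `owner:` would keep the scope to what the step uses.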

.github/workflows/retrigger-publish-to-other.yaml

Lines changed: 1 addition & 0 deletions
@@ -44,6 +44,7 @@ jobs:
4444
with: # OCMBot
4545
app-id: ${{ secrets.OCMBOT_APP_ID }}
4646
private-key: ${{ secrets.OCMBOT_PRIV_KEY }}
47+
owner: ${{ github.repository_owner }}
4748
- name: Ensure proper version
4849
run: |
4950
curl -sSL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ steps.generate_token.outputs.token }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/open-component-model/ocm/releases > releases.json
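
Review bot: In the unchanged `Ensure proper version` step the token is expanded into the script text with `${{ steps.generate_token.outputs.token }}`, and once `owner:` is added at new line 47 that token is installation-wide. Passing it through `env:` on the step and referencing a shell variable in the `curl` call keeps the value out of the rendered script. The visible call also only reads releases from `open-component-model/ocm`, so it is worth checking whether this job needs the wider scope at all.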
