CircleCI-Public / orb-tools-orb

Various tools for authoring and publishing CircleCI orbs
https://circleci.com/orbs/registry/orb/circleci/orb-tools
MIT License

Private orb repos result in an orb-tools/review failure even if an ssh key is added to the repo #158

Closed jrabek closed 1 year ago

jrabek commented 2 years ago

Orb version:

orb-tools: circleci/orb-tools@11.1
shellcheck: circleci/shellcheck@3.1

What happened:

Private orb repos result in an orb-tools/review failure

RC006: Source URL should be valid

(in test file review.bats, line 83)
  `exit 1' failed

Source URL: "<Our private repo>" is not reachable.
Check the Source URL for this orb.
display:
  home_url: "<Our private repo>"
  source_url: "<Our private repo>"

Expected behavior:

When an SSH key is added to the orb that can access the private repos, the source and home URL checks should not fail.

fred-hdqc commented 1 year ago

Any update on this bug?

sigurdspond commented 1 year ago

We have the same issue.

nikitajz commented 1 year ago

It's definitely a bug, since a private orb is expected to work with a private repo. Here is a bit of what I noticed from the source code. It uses a simple curl command: https://github.com/CircleCI-Public/orb-tools-orb/blob/d4952e98c060b7a570cac6b51e4ad4bc886fa64f/src/scripts/review.bats#L74-L86 though to access a private repo this way, GitHub requires an Authorization token: https://docs.github.com/en/rest/repos/contents#get-contents

Hence, using curl might not be the best option, since it requires setting a token explicitly, or at least this should be clear from the docs. Hopefully this saves a bit of time.

KyleTryon commented 1 year ago

Hello folks, I believe this is not a bug, but we are more than willing to make changes to provide a more seamless experience. The goal of this test (RC006) is to ensure the URL provided is accessible. This may not be true for private orbs, because it is very likely that your source link is private, which is absolutely fair but expected behavior.

In this event, I believe that you can assume that this test case does not apply (does not provide benefit) and can be safely ignored. To ignore a test you can add it to the exclusions list. https://circleci.com/developer/orbs/orb/circleci/orb-tools#jobs-review

Example:

      - orb-tools/review:
+        exclude: RC006
          filters:
            tags:
              only: /.*/
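
Review bot: in the added `exclude: RC006` line, the `+` marker occupies the first column, so once the marker is removed the key sits one space to the left of `filters:`. Both keys are parameters of the `orb-tools/review` job and need the same indentation, so align `exclude` with `filters` when copying this into a config.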

The next question then may be:

Should this test be disabled by default for private orbs, and how?

I am opening a new issue for overall private orb support, which I will link here momentarily. The exclusion example above should resolve the issue for anyone currently affected.

KyleTryon commented 1 year ago

Hello all, to help condense the conversation around private orbs, I have opened a new issue here for discussion so we can find a unified solution: https://github.com/CircleCI-Public/orb-tools-orb/issues/179

I will be closing this issue for now to keep the conversation in one location. We will open one or more PRs based on the conversation in this thread.