FirebaseExtended / action-hosting-deploy

Automatically deploy shareable previews for your Firebase Hosting sites
https://firebase.google.com/docs/hosting/github-integration
Apache License 2.0

[BUG] can't use repoToken input. Permission issues. #263

Closed FernandoArteaga closed 1 year ago

FernandoArteaga commented 1 year ago

Action config

Using the following configuration, which is basically the same as the example provided in the README, I get an authorization error.

If I comment out the input repoToken, no error is presented. I tried to run the workflow on: pull_request_target, but nothing happens; the workflow doesn't get triggered.

- name: "Deploy to preview channel"
  uses: FirebaseExtended/action-hosting-deploy@v0
  with:
    repoToken: "${{ secrets.GITHUB_TOKEN }}"
    firebaseServiceAccount: "${{ secrets.FIREBASE_SERVICE_ACCOUNT }}"
    expires: 1d
    projectId: my-project

Error message

Run FirebaseExtended/action-hosting-deploy@v0
  with:
    repoToken: ***
    firebaseServiceAccount: ***

    expires: 1d
    projectId: doodo-dev
    entryPoint: .
    firebaseToolsVersion: latest
/home/runner/work/_actions/FirebaseExtended/action-hosting-deploy/v0/bin/action.min.js:3759
                const error = new RequestError(message, status, ***
                              ^

RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/FirebaseExtended/action-hosting-deploy/v0/bin/action.min.js:3759:31
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async createCheck (/home/runner/work/_actions/FirebaseExtended/action-hosting-deploy/v0/bin/action.min.js:5680:17)
    at async run (/home/runner/work/_actions/FirebaseExtended/action-hosting-deploy/v0/bin/action.min.js:11435:14) ***
  status: 403,
  headers: ***
    'access-control-allow-origin': '*',
    'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
    connection: 'close',
    'content-encoding': 'gzip',
    'content-security-policy': "default-src 'none'",
    'content-type': 'application/json; charset=utf-8',
    date: 'Tue, 31 Jan 2023 03:44:45 GMT',
    'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
    server: 'GitHub.com',
    'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
    'transfer-encoding': 'chunked',
    vary: 'Accept-Encoding, Accept, X-Requested-With',
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'deny',
    'x-github-api-version-selected': '2022-11-28',
    'x-github-media-type': 'github.v3; format=json',
    'x-github-request-id': 'D4C3:2112:6E96AC:71A824:63D88EAD',
    'x-ratelimit-limit': '1000',
    'x-ratelimit-remaining': '995',
    'x-ratelimit-reset': '1675140238',
    'x-ratelimit-resource': 'core',
    'x-ratelimit-used': '5',
    'x-xss-protection': '0'
  ***,
  request: ***
    method: 'POST',
    url: 'https://api.github.com/repos/Goats-Tech/doodo-web-ui/check-runs',
    headers: ***
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-core.js/3.2.4 Node.js/16.16.0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    ***,
    body: '***"name":"Deploy Preview","head_sha":"027c93e9eff5ba8cb011f6ae8cf0673d1e7ed910","status":"in_progress"***',
    request: ***
      agent: Agent ***
        _events: [Object: null prototype] ***
          free: [Function (anonymous)],
          newListener: [Function: maybeEnableKeylog]
        ***,
        _eventsCount: 2,
        _maxListeners: undefined,
        defaultPort: 443,
        protocol: 'https:',
        options: [Object: null prototype] *** path: null ***,
        requests: [Object: null prototype] ***,
        sockets: [Object: null prototype] ***,
        freeSockets: [Object: null prototype] ***,
        keepAliveMsecs: 1000,
        keepAlive: false,
        maxSockets: Infinity,
        maxFreeSockets: 256,
        scheduling: 'lifo',
        maxTotalSockets: Infinity,
        totalSocketCount: 0,
        maxCachedSessions: 100,
        _sessionCache: ***
          map: ***
            'api.github.com:443:::::::::::::::::::::': [Buffer [Uint8Array]]
          ***,
          list: [ 'api.github.com:443:::::::::::::::::::::' ]
        ***,
        [Symbol(kCapture)]: false
      ***,
      hook: [Function: bound bound register]
    ***
  ***,
  documentation_url: 'https://docs.github.com/rest/reference/checks#create-a-check-run'
***
ltdouthit commented 1 year ago

This solution worked for me

https://github.com/FirebaseExtended/action-hosting-deploy/issues/108#issuecomment-885215418

FernandoArteaga commented 1 year ago

> This solution worked for me
>
> #108 (comment)

Thank you for the hint, I could make it work by adding the right permissions to the job:

permissions:
  contents: read
  checks: write
  pull-requests: write

Full job detail:

  deploy:
    name: "Deploy to Firebase"
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      checks: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v3

      - name: "Build app"
        run: "npm ci && npm run build"

      - name: "Deploy to preview channel"
        uses: FirebaseExtended/action-hosting-deploy@v0
        with:
          repoToken: "${{ secrets.GITHUB_TOKEN }}"
          firebaseServiceAccount: "${{ secrets.FIREBASE_SERVICE_ACCOUNT }}"
          expires: 1d
          projectId: my-project
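
Why the 403 on `POST .../check-runs` goes away once the job declares its permissions, shown as an added example (not code from this action or from the participants in this thread). It models how the `GITHUB_TOKEN` scopes for a job are resolved; `REQUIRED` is taken from the fix above, and `RESTRICTED_DEFAULT` is a constructed stand-in for a repository whose default workflow token is read-only.

```javascript
// Added example: resolve the GITHUB_TOKEN scopes a job receives and list what
// is missing for this action when repoToken is set.
const LEVEL = { none: 0, read: 1, write: 2 };

// Scopes granted in the working job from the thread.
const REQUIRED = { contents: 'read', checks: 'write', 'pull-requests': 'write' };

// Assumption (constructed): repository default is read-only; only the scope
// relevant here is listed.
const RESTRICTED_DEFAULT = { contents: 'read' };
const FIXED_JOB = { contents: 'read', checks: 'write', 'pull-requests': 'write' };

// Turn one `permissions:` value into a lookup: scope name -> level name.
function expand(block) {
  if (block === 'read-all') return () => 'read';
  if (block === 'write-all') return () => 'write';
  return (scope) => {
    // A mapping, even an empty one, sets every scope it does not list to none.
    const level = block[scope] ?? 'none';
    if (!(level in LEVEL)) throw new Error(`unknown level "${level}" for ${scope}`);
    return level;
  };
}

// A job-level block replaces the workflow-level block entirely; with neither
// present, the repository default applies.
function effective(workflowPerms, jobPerms, repoDefault) {
  return expand(jobPerms ?? workflowPerms ?? repoDefault);
}

function missingScopes(workflowPerms, jobPerms, repoDefault, required = REQUIRED) {
  const have = effective(workflowPerms, jobPerms, repoDefault);
  return Object.entries(required)
    .filter(([scope, need]) => LEVEL[have(scope)] < LEVEL[need])
    .map(([scope, need]) => `${scope}: ${need} (has ${have(scope)})`);
}

// Original report: no permissions block anywhere, read-only default.
console.log(missingScopes(undefined, undefined, RESTRICTED_DEFAULT));
// Fixed job from the thread.
console.log(missingScopes(undefined, FIXED_JOB, RESTRICTED_DEFAULT));
// A narrow job block overrides a permissive workflow-level block.
console.log(missingScopes('write-all', { contents: 'read' }, RESTRICTED_DEFAULT));
```

The third call is the case to watch when tightening a workflow: adding a job-level block that lists only `contents: read` drops `checks` and `pull-requests` to none even if the workflow-level block was permissive.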