MovingBlocks / TerasologyLauncher

Terasology Launcher is the official launcher for the open source game Terasology.
http://terasology.org/
Apache License 2.0

Fix push validation workflow #694

Open jdrueckert opened 1 year ago

jdrueckert commented 1 year ago

What's the Problem?

On https://github.com/MovingBlocks/TerasologyLauncher/pull/691, it became apparent that our push validation GitHub workflow seemingly doesn't work on PRs from forks. In particular, the check-run-reporter stage fails with the following error:

Requesting signed urls
  Error: Request ID: undefined
  Error: Response Headers: {
    'content-type': 'application/json',
    'content-length': '144',
    connection: 'close',
    date: 'Thu, 06 Apr 2023 12:27:57 GMT',
    'x-amzn-requestid': 'e523bd5e-ed56-4bc3-86d1-68772bda0d94',
    'x-amzn-errortype': 'AccessDeniedException',
    'x-amz-apigw-id': 'C9IePEo7IAMFfXA=',
    'x-amzn-trace-id': 'Root=1-642ebac1-62a3afb95a204d8c51947e21',
    'x-cache': 'Error from cloudfront',
    via: '1.1 d835a04e842d9117fd810e7c8479dad4.cloudfront.net (CloudFront)',
    'x-amz-cf-pop': 'IAD55-P2',
    'x-amz-cf-id': 'YuH_bcN-elxfiggIWGQUvLRdUDIK13Rsz2KPm6Sp3zUN-LRxIZjtig=='
  }
  Error: Response Body: {
    message: 'Authorization header appears to be malformed. The Basic auth schema requires a username and a password separated by a colon.'
  }
  Error: Request URL: /api/v1/submissions/upload
Error: Error: Request failed with status code 403
Error: Check Run Reporter returned a 403
Error: Error: Request failed with status code 403
    at createError (/home/runner/work/_actions/check-run-reporter/action/v2.11.1/node_modules/axios/lib/core/createError.js:16:1)
    at settle (/home/runner/work/_actions/check-run-reporter/action/v2.11.1/node_modules/axios/lib/core/settle.js:17:1)
    at IncomingMessage.handleStreamEnd (/home/runner/work/_actions/check-run-reporter/action/v2.11.1/node_modules/axios/lib/adapters/http.js:293:1)
    at IncomingMessage.emit (events.js:326:22)
    at endReadableNT (_stream_readable.js:1241:12)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)

On creating a pull request with the same changes directly on the original repo (as opposed to from a fork), the stage completes successfully. For example, see PRs #692 (from fork) and #693 (from orig repo).

The check-run-reporter action seems to be unable to properly set the authorization header required for uploading the report.

How can we solve it?

From my point of view, we have three options to solve this:

  1. Create an issue on the check-run-reporter action repo and wait for it to be fixed. Then update to the new version including the fix.
  2. Investigate the issue in the check-run-reporter action repo ourselves and provide a fix. Wait for it to be merged and update to the new version including the fix.
  3. Change our current GitHub action to utilize a different sub-action to upload test reports or in other ways make them accessible.

jdrueckert commented 1 year ago

I created an issue on the check-run-reporter action repo and hope that the maintainer(s) will respond and help. Otherwise, I'll try to investigate in a time-boxed manner myself as soon as I find some time. If it takes too much effort / time, I'd try to divert to another action instead.

Anybody who is willing to help, please go ahead and comment on any insights you gain or open a PR with changes to our current workflow or the check-run-reporter action.

jdrueckert commented 1 year ago

Seems it might not so much be an issue with the action but rather with secrets not being passed to workflows triggered on PRs from forks... see "Actions secrets and variables" page notes:

Note especially: Anyone with collaborator access to this repository can use these secrets and variables for actions. They are not passed to workflows that are triggered by a pull request from a fork.
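
One way to act on the note quoted above, as an added example that is not the project's own workflow: run the check-run-reporter upload only when the run can see repository secrets, and keep the report as a build artifact on fork PRs. The job id, the Gradle command, the report path and the secret name `CHECK_RUN_REPORTER_TOKEN` are assumptions; the action version is the one in the stack trace above.

```yaml
# Added example, not the TerasologyLauncher workflow.
# Assumed names: job id, test command, report path, CHECK_RUN_REPORTER_TOKEN.
name: Push Validation
on:
  push:
  pull_request:

jobs:
  validate:
    runs-on: ubuntu-latest
    env:
      # 'true' for pushes and same-repo PRs, 'false' when the PR head is a fork.
      # On fork PRs GitHub passes no repository secrets, so the token is empty.
      HAS_SECRETS: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
    steps:
      - uses: actions/checkout@v4

      - name: Run tests
        run: ./gradlew test

      # Upload only when the token is available. The token is scoped to this
      # step and never exported to the steps that run code from the PR.
      - name: Upload test report
        if: ${{ always() && env.HAS_SECRETS == 'true' }}
        uses: check-run-reporter/action@v2.11.1
        with:
          token: ${{ secrets.CHECK_RUN_REPORTER_TOKEN }}
          label: Unit Tests
          report: 'build/test-results/**/*.xml'

      # Fork PRs: no secret needed, the report stays downloadable from the run.
      - name: Keep test report as artifact
        if: ${{ always() && env.HAS_SECRETS != 'true' }}
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: 'build/test-results/**/*.xml'
```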