ahmadnassri / action-dependabot-auto-merge

Automatically merge Dependabot PRs when version comparison is within range
MIT License

TypeError: Cannot read properties of undefined (reading 'createReview') #166

Open maciejmakowski opened 1 year ago

maciejmakowski commented 1 year ago

I am still in the process of further investigating what could have changed, but I thought I would post here in case anyone else has an idea.

As far as we know, nothing changed in the configuration of the token itself or the secret, but suddenly (around 12-24h ago) the setup that we had successfully working for months started failing with:

```
dependency type: production
security critical: false
config: production:semver:patch
production:semver:patch detected, will auto-merge
Error: Cannot read properties of undefined (reading 'createReview')
TypeError: Cannot read properties of undefined (reading 'createReview')
    at approve (file:///action/lib/api.js:2:23)
    at default (file:///action/lib/index.js:31:11)
    at file:///action/index.js:53:7
    at ModuleJob.run (node:internal/modules/esm/module_job:194:25)
```

The line in question is this:

  await octokit.pulls.createReview({

Which appears to mean that octokit.pulls is undefined, but also that it does not appear to be a permission issue as such with the token since it got that far.

At first I thought that something might have changed in the latest 2.6.1 release from earlier today, but I confirmed that the issue is also still happening with 2.6.0, which, as I said before, we've been using fine for months.

I am also sending this to GitHub support, but I was wondering whether anyone else has seen this and if yes, whether they found a solution for it.

Thanks in advance.

calteran commented 1 year ago

I'm also seeing this in my projects, again, without changes on my side.


```
Run ahmadnassri/action-dependabot-auto-merge@v2
  with:
    github-token: ***
    target: minor
    config: .github/auto-merge.yml
    command: merge
    botName: dependabot
    approve: true
/usr/bin/docker run --name ghcrioahmadnassriactiondependabotautomergev2_55639b --label 290506 --workdir /github/workspace --rm -e "INPUT_GITHUB-TOKEN" -e "INPUT_TARGET" -e "INPUT_CONFIG" -e "INPUT_COMMAND" -e "INPUT_BOTNAME" -e "INPUT_APPROVE" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/phoenix/phoenix":"/github/workspace" ghcr.io/ahmadnassri/action-dependabot-auto-merge:v2
using workflow's "target":
- match:
    dependency_type: all
    update_type: semver:minor

title: "Bump cypress from 11.1.0 to 11.2.0"
depName: cypress
from: 11.1.0
to: 11.2.0
dependency type: development
security critical: false
config: all:semver:minor
all:semver:minor detected, will auto-merge
Error: Cannot read properties of undefined (reading 'createReview')
TypeError: Cannot read properties of undefined (reading 'createReview')
    at approve (file:///action/lib/api.js:2:23)
    at default (file:///action/lib/index.js:31:11)
    at file:///action/index.js:53:7
    at ModuleJob.run (node:internal/modules/esm/module_job:194:25)
```

mauriciabad commented 1 year ago

Same here

MarcelScheeler commented 1 year ago

I can confirm the problem.

char0n commented 1 year ago

I can confirm as well. I've tried downgrading down to 2.5.x, with no effect. Still seeing the error.

boboldehampsink commented 1 year ago

Same here

sdk1990 commented 1 year ago

Another one here.

char0n commented 1 year ago

For anybody looking for a solution for this problem.

Here is how my workflow looked before (using this action):

```yaml
name: Merge me!

on:
  pull_request_target:

jobs:
  merge-me:
    name: Merge me!
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Merge me!
        uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.SWAGGER_BOT_GITHUB_TOKEN }}
          command: squash and merge
```

Here is the replacement workflow which works exactly the same:

```yaml
name: Merge me!

on:
  pull_request_target:

jobs:
  merge-me:
    name: Merge me!
    runs-on: ubuntu-latest
    # Checking the actor will prevent your Action run failing on non-Dependabot
    # PRs but also ensures that it only does work for Dependabot PRs.
    if: github.actor == 'dependabot[bot]'
    steps:
      # This first step will fail if there's no metadata and so the approval
      # will not occur.
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      # Finally, tell dependabot to merge the PR if all checks are successful
      - name: Instruct dependabot to squash & merge
        if: ${{ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' }}
        uses: mshick/add-pr-comment@v2
        with:
          repo-token: ${{ secrets.SWAGGER_BOT_GITHUB_TOKEN }}
          allow-repeats: true
          message: |
            @dependabot squash and merge
        env:
          GITHUB_TOKEN: ${{ secrets.SWAGGER_BOT_GITHUB_TOKEN }}
```

eliashaeussler commented 1 year ago

Nice, thanks for sharing @char0n! :+1:

leezumstein commented 1 year ago

Fairly certain you need to use octokit.rest.<api method> now with the latest version, which is why it's throwing an undefined error.

I can open a PR in a bit to update this.
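The failure mode discussed above, as an added example that is not part of the thread or of the action's own code: a resolver that accepts either client shape (`octokit.rest.pulls` or the older `octokit.pulls`) and fails with a descriptive error instead of a bare TypeError. The client objects are constructed stand-ins that make no network calls, and the names `resolvePulls` and `approve` are this example's own.

```javascript
// Find the namespace that holds the pull-request REST methods.
// Newer clients expose it as octokit.rest.pulls; older ones as octokit.pulls,
// which is the call shape seen in the stack trace in this thread.
function resolvePulls(octokit) {
  const pulls = octokit?.rest?.pulls ?? octokit?.pulls;
  if (typeof pulls?.createReview !== 'function') {
    throw new Error(
      'client exposes neither rest.pulls.createReview nor pulls.createReview; ' +
      'check which Octokit version the running image was built with'
    );
  }
  return pulls;
}

// Approve a pull request through whichever namespace the client provides.
// With a real client the return value is a Promise for the API response.
function approve(octokit, { owner, repo, pull_number }) {
  return resolvePulls(octokit).createReview({
    owner,
    repo,
    pull_number,
    event: 'APPROVE',
  });
}

// Constructed stand-ins for the two client shapes plus a broken one.
const currentClient = { rest: { pulls: { createReview: (p) => ({ via: 'rest', ...p }) } } };
const legacyClient = { pulls: { createReview: (p) => ({ via: 'legacy', ...p }) } };
const brokenClient = { rest: {} };

const pr = { owner: 'example-org', repo: 'example-repo', pull_number: 7 }; // placeholders
console.log(approve(currentClient, pr).via);
console.log(approve(legacyClient, pr).via);
try {
  approve(brokenClient, pr);
} catch (err) {
  console.log(err.message);
}
```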

maciejmakowski commented 1 year ago

Thank you for the quick turnaround on this @leezumstein and @ahmadnassri! I updated to 2.6.2 and things started working for us again. 🚀

I'm still trying to understand though how this broke without any visible changes? Or was Octokit somehow updated at the time when it broke without it being visible in the code changes in this repo?

I don't see any new releases of Octokit here either (or is that not the package this GH action is using?): https://github.com/octokit/octokit.js/releases

leezumstein commented 1 year ago

> Thank you for the quick turnaround on this @leezumstein and @ahmadnassri! I updated to 2.6.2 and things started working for us again. 🚀
>
> I'm still trying to understand though how this broke without any visible changes? Or was Octokit somehow updated at the time when it broke without it being visible in the code changes in this repo?
>
> I don't see any new releases of Octokit here either (or is that not the package this GH action is using?): https://github.com/octokit/octokit.js/releases

I believe this action still ends up pulling the updated docker image regardless of which version of the action you're targeting.

Dependencies were updated with the recent docker image push which caused the breaking change.

maciejmakowski commented 1 year ago

Can you please clarify @leezumstein: What is the Docker image you are referring to? Is it this one? https://github.com/ahmadnassri/action-dependabot-auto-merge/pkgs/container/action-dependabot-auto-merge

I believe that's governed by this Dockerfile: https://github.com/ahmadnassri/action-dependabot-auto-merge/blob/master/Dockerfile

With that, shouldn't the octokit dependencies be governed by what's in the package-lock.json?

There was only one change to dependencies in this repo when things broke (https://github.com/ahmadnassri/action-dependabot-auto-merge/pull/162) and that didn't appear to touch on anything GitHub Action or Octokit related.

I don't see at all when the change to have to use octokit.rest. was introduced, but I have to admit I don't really know where I should be looking for this: https://github.com/octokit/octokit.js/releases https://github.com/octokit/core.js/releases https://github.com/octokit/rest.js/releases

As far as I can see, it should have been octokit.rest. for a long time, and so it's even more of a conundrum for me what changed and why this broke two days ago.

Again, just trying to understand what happened here for future reference and also as a learning experience for me.

mknepprath commented 1 year ago

> I updated to 2.6.2 and things started working for us again. 🚀

Same, thanks!

maciejmakowski commented 1 year ago

@mknepprath looking at your PR (https://github.com/mknepprath/mknepprath-next/pull/976), you probably want to go back to @2 again now, otherwise you'll get stuck on 2.6.2 or will have to continue to update it manually, unlike with @2 where you get updates automatically.

Alternatively, you can also set up Dependabot to update your GitHub Actions too.