ahmadnassri / action-dependabot-auto-merge

Automatically merge Dependabot PRs when version comparison is within range
MIT License
342 stars, 48 forks

"Error: Input required and not supplied: github-token" #58

Open peterbe opened 3 years ago

peterbe commented 3 years ago

All of a sudden I've been getting this error.

/action/node_modules/@actions/core/lib/core.js:94
        throw new Error(`Input required and not supplied: ${name}`);
              ^

Error: Input required and not supplied: github-token
    at Object.getInput (/action/node_modules/@actions/core/lib/core.js:94:15)
    at file:///action/index.js:28:15
    at ModuleJob.run (node:internal/modules/esm/module_job:154:23)
    at async Loader.import (node:internal/modules/esm/loader:166:24)
    at async Object.loadESM (node:internal/process/esm_loader:68:5)

E.g. https://github.com/mdn/content/pull/2964/checks?check_run_id=2066177430

I haven't touched my personal access tokens. And auto-merge hasn't been upgraded on the project in 3 months. It just stopped working today all of a sudden. Sample PR: https://github.com/mdn/content/pull/2964

I don't know if it's a bug or user-error. Or a problem with GitHub Actions changing under our feet.

I did try generating a new access token (using the public_repo scope) to see if that would make it work. But arguably, it's a long shot because the error says the token isn't supplied.

peterbe commented 3 years ago

It's happening on several of my repos. Here too: https://github.com/mdn/yari/pull/3161

peterbe commented 3 years ago

Here are the workflows:

mercuriete commented 3 years ago

yeah... it happens to me as well... (multiple repositories) so it happens for multiple users...

The more interesting thing... is when you retry the job... it works fine. I can't share my logs because those are from private organizations.

Thanks for your work.

PS: This started happening this morning, so I am very confused because the latest release was a month ago. PS2: It happens to me on multiple plugins, all about GitHub not injecting the secrets. I think it is a general GitHub Actions issue and this repo is not the culprit.

ahmadnassri commented 3 years ago

as @mercuriete indicated, there have been no changes to the released code since Feb 2... (and those were in no way logical behaviour changes, just GitHub repo cleanup)

I wonder if this is somehow related to the forced log-out event from yesterday https://github.blog/2021-03-08-github-security-update-a-bug-related-to-handling-of-authenticated-sessions/

if you have access to your token, can you attempt testing its validity:

curl -v -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user
ahmadnassri commented 3 years ago

I checked the examples linked, and ran the action on a number of my own private and public repos ... it continues to be functional and the examples linked are correctly configured ...

can you attempt to run the action again, and if it works, then it's definitely a GitHub Actions fluke! (there have been MANY flukes recently, which I have personally observed)

ahmadnassri commented 3 years ago

confirmed!

I found the same issue on private repos in a different org ... all the overnight dependabot PRs failed with the same error ...

upon hitting "re-run jobs" ... they worked fine, same token, same config.

ahmadnassri commented 3 years ago

and it wasn't just THIS action ... seems like EVERY Personal Access Token wasn't being read properly, here's an example of a job that relies on a different PAT for usage with Github Package Registry:

[image]

upon re-running the job that also worked fine.

so ... a global hiccup of all Personal Access Tokens (or all secrets) across Github!

mercuriete commented 3 years ago

@ahmadnassri it happened to me for multiple organizations, for multiple different plugins, for multiple different tokens....

I filed a customer support ticket... but I don't know if they will answer me.

ahmadnassri commented 3 years ago

@mercuriete I saw it in one org so far, I'm digging through the others I have ... but so far, every one I found, I hit "re-run" and it works fine ... have you tried to re-run them yet?

it seems definitely connected to their security incident blog post (linked above)... yet there is no mention of impact on tokens at all ...

mercuriete commented 3 years ago

yes, when I did retry it works but sometimes it doesn't work... it is random. So I am waiting for confirmation from GitHub customer support.

thanks for your confirmation. and thanks for your work.

ahmadnassri commented 3 years ago

no worries, let us know if you learn of anything interesting from them

peterbe commented 3 years ago

So pressing "Re-run jobs" will retry? Or do you have to @dependabot recreate. I've tried both. Still not working. I'll try again tomorrow.

mercuriete commented 3 years ago

"Re-run jobs" works for me but in a random way.

mercuriete commented 3 years ago

They answered me with something unrelated to my bug, but I want to share it with you because I didn't know it.

We recently made changes to dependabot which means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository.

https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

@peterbe I hope this is your issue.

mercuriete commented 3 years ago

@ahmadnassri yeah I have this issue. this is my yaml:

name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2.3
        with:
          github-token: ${{ secrets.token }}
          target: minor

I am passing a PAT to github-token but now if dependabot triggers an action this token is not injected. Can you provide an alternative to that? I am disabling action-dependabot-auto-merge on all my repos.

thanks for your help.

Edit: I will try changing it to:

on:
  pull_request_target:
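The following is an added example, not code from this thread or from the project's README. It combines the two how-tos above: the curl validity check ahmadnassri suggested (run as a pre-flight step, so an empty secret is reported as "not injected" rather than as the stack trace at the top of the thread) and the workflow mercuriete posted, kept on `pull_request` rather than `pull_request_target` so that the PAT is never in reach of code from the PR itself (the pwn-request problem linked later in the thread). Assumptions: the secret is named DEPENDABOT_AUTOMERGE_TOKEN (a made-up name), it is a classic PAT (the x-oauth-scopes header is only returned for classic tokens), and it has been stored under the Dependabot secrets section, which is what later comments in this thread confirm Dependabot-triggered runs read from.

```yaml
# Added example (not the project's own workflow). Assumes a classic PAT stored
# under Settings > Secrets and variables > Dependabot as DEPENDABOT_AUTOMERGE_TOKEN
# (name is an assumption); add the same name under > Actions too if humans
# re-trigger the PR and the run should still see it.
name: auto-merge

on:
  pull_request:
    # Not pull_request_target: that event plus a checkout of the PR head would
    # hand the PAT to whatever the PR contains (the "pwn request" pattern).

permissions:
  contents: read   # the workflow's own GITHUB_TOKEN needs nothing more;
                   # the merge itself is done with the PAT passed to the action

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Only auto-merge Dependabot's PRs, never a human contributor's.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Check that the PAT was injected and is valid
        env:
          TOKEN: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }}
        run: |
          # Case 1: secret not injected at all (what this thread is about).
          if [ -z "$TOKEN" ]; then
            echo "::error::DEPENDABOT_AUTOMERGE_TOKEN is empty. Dependabot-triggered runs only see Dependabot secrets; add it under Settings > Secrets and variables > Dependabot."
            exit 1
          fi
          # Case 2: secret present but the token is revoked/expired or under-scoped.
          # -o /dev/null keeps the response body out of the log; only the HTTP
          # status and the scopes header are printed.
          status=$(curl -sS -o /dev/null -w '%{http_code}' -D headers.txt \
                        -H "Authorization: token $TOKEN" https://api.github.com/user)
          scopes=$(grep -i '^x-oauth-scopes:' headers.txt | cut -d: -f2- | tr -d '\r')
          echo "api.github.com/user -> HTTP $status, scopes:$scopes"
          if [ "$status" != "200" ]; then
            echo "::error::PAT rejected by the API (HTTP $status)"
            exit 1
          fi
      - uses: ahmadnassri/action-dependabot-auto-merge@v2.3
        with:
          github-token: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }}
          target: minor
```

The pre-flight step exists only to produce a diagnosis a maintainer can act on: an empty value points at the secrets section the token was stored in, a non-200 status points at the token itself. A PAT that is valid but lacks the repo scope the README requires will pass the curl check (the printed scopes line is what to look at in that case), so the step narrows the failure down rather than guaranteeing the merge will succeed.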
mercuriete commented 3 years ago

@ahmadnassri

If I change from pull_request to pull_request_target this happens:

Error: action triggered outside of a pull_request

Please reopen this ticket until we have an alternative.

mercuriete commented 3 years ago

Changing to pull_request_target only works with GITHUB_TOKEN, not with a personal access token.

ahmadnassri commented 3 years ago

I am passing a PAT to github-token but now if dependabot triggers an action this token is not injected.

oof, yeah .. not sure what to do about that ... this is just actions + secret permission stuff ...

change here to allow pull_request_target: https://github.com/ahmadnassri/action-dependabot-auto-merge/commit/2aef6bbf0c786ba7411c31913536c255f97d9323

mercuriete commented 3 years ago

I'm very sorry to make you implement pull_request_target, but it doesn't work either. Thanks for your effort. I will try to use another approach, on: workflow_run: ..., explained here: https://securitylab.github.com/research/github-actions-preventing-pwn-requests

mercuriete commented 3 years ago

I tried the on: workflow_run approach, to try to comment on the PR with the string @dependabot merge and not use this plugin, but I found out the following:

  1. you can't comment on a PR using GITHUB_TOKEN.
  2. secrets are not available. (maybe I did something wrong here)

So as I see that I don't have any other alternative I am not using this plugin anymore until someone brings an alternative.

jryom commented 3 years ago

It's possible to get the action working using pull_request_target and a personal access token with repo access. This is just very insecure as tokens cannot be scoped to individual repos.

My bad, I must have hit re-run on the job since I had a successful run. Even with pull_request_target the secrets are not accessible unless triggered manually. Guess it's back to Dependabot v1 or Renovate for now.

fredli74 commented 3 years ago

It's possible to get the action working using pull_request_target and a personal access token with repo access. This is just very insecure as tokens cannot be scoped to individual repos.

In what way is this insecure? Isn't it only the ahmadnassri/action-dependabot-auto-merge@v2.3 script that gets access to this token? Which was always the case?

mercuriete commented 3 years ago

@jryom as stated before... on: pull_request_target only give you a github_token. all secrets remain empty.

Please tell us if you could do it.

ahmadnassri commented 3 years ago

you cant comment on a PR using GITHUB_TOKEN

you most certainly can... I've done this in many other custom workflows ...

perhaps you can share the full workflow sequence you've got going?

is the repo public or private?

I got this action working fine on hundreds of repos ...

aside from the glitch in github's own secrets which is the topic of this thread, everything is working fine

mercuriete commented 3 years ago

the repository is private and even that... if you comment but you don't have write access (push permissions)... dependabot tells you the PR won't be merged because the user doesn't have permissions. So using a PAT is mandatory because GITHUB_TOKEN doesn't have enough scopes.

This behavior is intended to avoid external users forcing a merge without the consent of the owners of the repo (write access).

ahmadnassri commented 3 years ago

yes, a PAT has always been needed as per the README

so the follow up question, what is stopping you from using a PAT?

mercuriete commented 3 years ago

because a PAT is a secret, and you can't inject secrets because they are now empty on PRs made by Dependabot, which is what this thread is about.

mercuriete commented 3 years ago

I mean.... it works if you trigger manually... but the intention of this automation is to be automated not triggered by humans.

ahmadnassri commented 3 years ago

I'm moving this discussion to https://github.com/ahmadnassri/action-dependabot-auto-merge/issues/60 which details full context.

aleksaToljic commented 2 years ago

It worked fine for me once I added the same github-token for checkout as well:

- uses: actions/checkout@v2
  with:
    token: ${{ secrets.GH_TOKEN }}
marc-mabe commented 2 years ago

I ran into the same issue on a private repo. But after some time I realized the token needs to be added to the Dependabot section instead of the Actions section, which made it work for me. [image: secrets section]

mauriciabad commented 1 year ago

I created a PR https://github.com/ahmadnassri/action-dependabot-auto-merge/pull/163 to improve the readme explanation about creating the token.

AndyHoang commented 1 year ago

Hi, the README on the master branch and on the latest tag 2.6.6 doesn't have this guideline from #163 any more (the removing commit is here). I'm not sure if this is on purpose, so I am opening this issue again.

By following the guideline in #163 I successfully avoided the action error.

Creating the secret in the Actions section does not work. Not sure if this is general knowledge after some change to GitHub's settings. Hope this helps anyone who stumbles on it.