docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0

Cannot push to open source repo using community user bot #864

Closed jaronoff97 closed 11 months ago

jaronoff97 commented 1 year ago

Troubleshooting

Behaviour

Steps to reproduce this issue

  1. Create a community organization in docker hub
  2. Add a community user
  3. create PAT for community user
  4. use example here to push image to both ghcr and docker hub
  5. Let action run on PR merge

Expected behaviour

Image should be pushed successfully to both repositories

Actual behaviour

ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed Error: buildx failed with: ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed

Configuration

name: "Publish Java Auto-Instrumentation"

on:
  push:
    paths:
      - 'autoinstrumentation/java/**'
      - '.github/workflows/publish-autoinstrumentation-java.yaml'
    branches:
      - main
  pull_request:
    paths:
      - 'autoinstrumentation/java/**'
      - '.github/workflows/publish-autoinstrumentation-java.yaml'
  workflow_dispatch:

jobs:
  publish:
    runs-on: ubuntu-20.04

    steps:
      - uses: actions/checkout@v3

      - name: Read version
        run: echo "VERSION=$(cat autoinstrumentation/java/version.txt)" >> $GITHUB_ENV

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: |
            otel/autoinstrumentation-java
            ghcr.io/open-telemetry/opentelemetry-operator/autoinstrumentation-java
          tags: |
            type=match,pattern=v(.*),group=1,value=v${{ env.VERSION }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-
      - name: Log into Docker.io
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to GitHub Package Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: autoinstrumentation/java
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name == 'push' }}
          build-args: version=${{ env.VERSION }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

Logs

logs.txt

crazy-max commented 1 year ago
#14 exporting to image
#14 pushing layers 0.3s done
#14 ERROR: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed
------
 > exporting to image:
------
ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed

Looks like ${{ secrets.DOCKER_USERNAME }} user and/or ${{ secrets.DOCKER_PASSWORD }} token does not have enough perms to push to otel/autoinstrumentation-java. Does it work locally?

jaronoff97 commented 1 year ago

@crazy-max, we've confirmed that the user has the read/write scope for the community organization and that the action is indeed using that username/password combination. These are confidential and unfortunately I do not have access to the credentials to run it locally. I was able to make a fork for my non-community organization on Docker Hub and it worked successfully.

codeboten commented 1 year ago

Fwiw, the login action succeeds

crazy-max commented 1 year ago

> Fwiw, the login action succeeds

Yes, auth succeeds, but this user does not have enough perms to push to https://hub.docker.com/r/otel/autoinstrumentation-java.

> These are confidential and unfortunately I do not have access to the credentials to run it locally.

Is someone else with the credentials able to repro locally?

> non-community organization on Docker Hub and it worked successfully

Can you check if ${{ secrets.DOCKER_USERNAME }} is a member of the otel organization and also its affected team has read/write access to https://hub.docker.com/r/otel/autoinstrumentation-java?
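The distinction crazy-max draws here (login succeeds, push is refused) is visible in the token itself: Docker Hub's token server never rejects a credential for lacking repository permission, it just issues a registry token whose `access` claim lists fewer actions, and the registry then answers the push with `insufficient_scope`. The following is an added example, not code from this issue, the action, or the OpenTelemetry project. It assumes the standard Docker token-auth flow (`https://auth.docker.io/token` with `service=registry.docker.io` and a `repository:<name>:pull,push` scope) and the documented JWT `access` claim shape; the sample tokens are constructed, unsigned stand-ins so the check runs offline.

```python
"""Check whether a Docker Hub credential actually carries push scope for a repo.

`insufficient_scope: authorization failed` from the registry means the token
issued by auth.docker.io does not list `push` for that repository, even though
the login step itself succeeded. Decoding the token's `access` claim shows what
the credential was really granted.
"""
import base64
import json
import urllib.request
from urllib.parse import urlencode

AUTH_URL = "https://auth.docker.io/token"  # assumption: standard Docker Hub token server
SERVICE = "registry.docker.io"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_actions(token: str, repo: str) -> set:
    """Return the set of actions the token's `access` claim grants on `repo`.

    The signature is deliberately not verified here: we are reading our own
    token to see what the auth server decided, not acting as a relying party.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    actions = set()
    for entry in payload.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repo:
            actions.update(entry.get("actions", []))
    return actions


def missing_for_push(token: str, repo: str) -> set:
    """Actions a `docker push` needs that the token does not grant."""
    return {"pull", "push"} - granted_actions(token, repo)


def fetch_token(username: str, password: str, repo: str) -> str:
    """Ask the token server for pull+push scope on `repo` (needs network; not run offline).

    `password` may be a personal access token. A credential without push rights
    still gets a 200 response, just with a narrower `access` claim.
    """
    query = urlencode({"service": SERVICE, "scope": f"repository:{repo}:pull,push"})
    req = urllib.request.Request(f"{AUTH_URL}?{query}")
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["token"]


def _make_unsigned_token(access: list) -> str:
    """Build a constructed, unsigned JWT shaped like the token server's output (offline demo only)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg({"access": access}), ""])


REPO = "otel/autoinstrumentation-java"

# Constructed sample: what a member of a read-only team receives for pull,push scope.
READ_ONLY_TOKEN = _make_unsigned_token(
    [{"type": "repository", "name": REPO, "actions": ["pull"]}]
)
# Constructed sample: the same request after the team is granted Read & Write.
READ_WRITE_TOKEN = _make_unsigned_token(
    [{"type": "repository", "name": REPO, "actions": ["pull", "push"]}]
)

if __name__ == "__main__":
    for label, tok in [("read-only team", READ_ONLY_TOKEN), ("read-write team", READ_WRITE_TOKEN)]:
        print(f"{label}: missing for push = {sorted(missing_for_push(tok, REPO))}")
```

In a live check, call `fetch_token(username, pat, repo)` with the same credentials the workflow's `docker/login-action` step uses and pass the result to `missing_for_push`; a non-empty set is the permission gap to fix on the Docker Hub side (team or repository access), independent of anything in the workflow YAML.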

crazy-max commented 1 year ago

> 2. Add a community user

That does not seem enough. I think you need first to affect this user to a team in the org and set the perms to push to the repo.

jaronoff97 commented 1 year ago

@crazy-max waiting on hearing back from a teammate about your questions, thank you for the response. Just a brief Q: any chance this could be related to #160?

tigrannajaryan commented 1 year ago

> Can you check if ${{ secrets.DOCKER_USERNAME }} is a member of the otel organization and also its affected team has read/write access to https://hub.docker.com/r/otel/autoinstrumentation-java?

The user is otelbot and it is a member of otel organization. The access token we use has Read & Write permissions to otel org.

The user is otelbot and it is a member of bots which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?

tigrannajaryan commented 1 year ago

> The user is otelbot and it is a member of bots which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?

It appears giving the team the Read & Write permission solves the problem.

However, this looks wrong to me. If I give the user the permission directly to the entire org (via their access token permissions), shouldn't that have a precedence over what permission they have indirectly via the team they belong to?

I believe this is how it worked in the past, so something may have changed recently in how the permissions are calculated.

crazy-max commented 11 months ago

> The user is otelbot and it is a member of bots which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?
>
> It appears giving the team the Read & Write permission solves the problem.
>
> However, this looks wrong to me. If I give the user the permission directly to the entire org (via their access token permissions), shouldn't that have a precedence over what permission they have indirectly via the team they belong to?
>
> I believe this is how it worked in the past, so something may have changed recently in how the permissions are calculated.

Thanks for your feedback. Can you open an issue on https://github.com/docker/hub-feedback/issues about it, please?