Closed sachaarbonel closed 3 years ago
Thanks for submitting this. I have never tested it for a private repo as hadn't had the need... Would you be willing to take a deeper look and potentially submit a PR? It would be most welcome!
To test you could run the fetch shell script separately and add some logging to figure out what's going on: https://github.com/dsaltares/fetch-gh-release-asset/blob/master/fetch_github_asset.sh.
Yeah sure ! Is the secrets.GITHUB_TOKEN
the same as personal access token ?
@sachaarbonel
Yeah sure ! Is the
secrets.GITHUB_TOKEN
the same as personal access token ?
Correct. I am happy to change the way we authenticate though if it makes it work for both private and public repos.
Reporting some progress: I'm getting a 404 on the first curl request, I suspect that's because my org is renamed so I'm investigating this.
Ok, I found out what was going on. It turns out the default secrets.GITHUB_TOKEN doesn't have enough permissions, the owner(me) has to make a personal access token with at least the scope org:hook
to be able to list release assets. And then reference it as a GitHub secret and then access it
Thanks for the explanation @sachaarbonel and for investigating the issue!
I was testing this out today and, from what I can tell, the default GITHUB_TOKEN
secret is able to list the releases and download assets.
Here's my workflow:
name: Test default GitHub token scope
on:
push:
branches:
- tmp/test-gh-token-scope
jobs:
test:
runs-on: ubuntu-20.04
steps:
- name: test
run: |
curl \
--url https://api.github.com/repos/${{ github.repository }}/releases/tags/v1.0.0 \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
--header 'content-type: application/json'
# This asset ID was hard-coded just as a proof of concept
- name: test download
run: |
curl \
-J \
-L \
--url https://api.github.com/repos/${{ github.repository }}/releases/assets/31496287 \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
--header "Accept: application/octet-stream" \
-o ./test.zip
- name: list
run: ls -alh ./test.zip
And the workflow run:
I'm wondering if maybe the issue is how you're passing the token here? https://github.com/dsaltares/fetch-gh-release-asset/blob/7efc464cc8b520a51e69391e37626fa2fe07f776/fetch_github_asset.sh#L30
Maybe instead you need to use the authorization: Bearer
style I'm using above. I found that example in the GH Actions docs: https://docs.github.com/en/actions/reference/authentication-in-a-workflow#example-calling-the-rest-api
Interesting, thanks. Is your test from a private repo as well?
Yep - this was in a private repo.
@blimmer would you be able to test and send a PR for your proposal?
I ended up here because I am looking for this feature. My repo is only private for the moment while everything is a mess :-) This means I prefer a solution where I don't need to change anything and can treat a private repo as public and vice versa. If I understood the problem correctly this PR should solve the issue.
Should be fixed now! Thanks everyone.
If someone has a sec, the README could use an update too: https://github.com/dsaltares/fetch-gh-release-asset#token
Looks like https://github.com/dsaltares/fetch-gh-release-asset/pull/17 caused https://github.com/dsaltares/fetch-gh-release-asset/pull/20. I reverted the changes, meaning this is still a valid issue.
This is weired because this definitly works:
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: test
run: |
curl \
--url https://api.github.com/repos/${{ github.repository }}/releases/tags/0.0.1 \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
--header 'content-type: application/json'
- name: test download
run: |
curl \
-J \
-L \
--url https://api.github.com/repos/${{ github.repository }}/releases/assets/31985096 \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
--header "Accept: application/octet-stream" \
-o ./test.tgz
I opened #18 because my github actions stopped working after #17. I can confirm that with the revert it started working again. That being said, probably i just had to change something to my actions, but i dont really know what. Was there any changes needed?
I want to report that for me this action still doesn't work for private repositories.
However the solution proposed by @sachaarbonel solves the problem for me:
Ok, I found out what was going on. It turns out the default secrets.GITHUB_TOKEN doesn't have enough permissions, the owner(me) has to make a personal access token with at least the scope org:hook to be able to list release assets. And then reference it as a GitHub secret and then access it
Hi @dsaltares thanks for developing this, does it work for private org repos, or am I missing something? I keep getting this error in my workflow
jq: error (at <stdin>:1): Cannot iterate over null (null) Could not find asset id
Here is my config