dsaltares / fetch-gh-release-asset

GitHub Action to download an asset from a GitHub release
MIT License

Doesn't seem to work for private org #10

Closed sachaarbonel closed 3 years ago

sachaarbonel commented 4 years ago

Hi @dsaltares, thanks for developing this. Does it work for private org repos, or am I missing something? I keep getting this error in my workflow:

    jq: error (at <stdin>:1): Cannot iterate over null (null)
    Could not find asset id

Here is my config:

    - uses: dsaltares/fetch-gh-release-asset@master
      with:
        repo: "myorg/myrepo"
        version: "latest"
        file: "content.db.zip"
        token: ${{ secrets.GITHUB_TOKEN }}

dsaltares commented 4 years ago

Thanks for submitting this. I have never tested it for a private repo as I hadn't had the need... Would you be willing to take a deeper look and potentially submit a PR? It would be most welcome!

To test you could run the fetch shell script separately and add some logging to figure out what's going on: https://github.com/dsaltares/fetch-gh-release-asset/blob/master/fetch_github_asset.sh.

sachaarbonel commented 4 years ago

Yeah, sure! Is the secrets.GITHUB_TOKEN the same as a personal access token?

dsaltares commented 4 years ago

@sachaarbonel

> Yeah, sure! Is the secrets.GITHUB_TOKEN the same as a personal access token?

Correct. I am happy to change the way we authenticate though if it makes it work for both private and public repos.

sachaarbonel commented 4 years ago

Reporting some progress: I'm getting a 404 on the first curl request, I suspect that's because my org is renamed so I'm investigating this.

sachaarbonel commented 4 years ago

Ok, I found out what was going on. It turns out the default secrets.GITHUB_TOKEN doesn't have enough permissions; the owner (me) has to make a personal access token with at least the scope org:hook to be able to list release assets, and then reference it as a GitHub secret and then access it.

dsaltares commented 4 years ago

Thanks for the explanation @sachaarbonel and for investigating the issue!

blimmer commented 3 years ago

I was testing this out today and, from what I can tell, the default GITHUB_TOKEN secret is able to list the releases and download assets.

Here's my workflow:

name: Test default GitHub token scope
on:
  push:
    branches:
      - tmp/test-gh-token-scope

jobs:
  test:
    runs-on: ubuntu-20.04
    steps:
      - name: test
        run: |
          curl \
          --url https://api.github.com/repos/${{ github.repository }}/releases/tags/v1.0.0 \
          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
          --header 'content-type: application/json'

      # This asset ID was hard-coded just as a proof of concept
      - name: test download
        run: |
          curl \
          -J \
          -L \
          --url https://api.github.com/repos/${{ github.repository }}/releases/assets/31496287 \
          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
          --header "Accept: application/octet-stream" \
          -o ./test.zip

      - name: list
        run: ls -alh ./test.zip

And the workflow run:

[Two screenshots of the workflow run]

I'm wondering if maybe the issue is how you're passing the token here? https://github.com/dsaltares/fetch-gh-release-asset/blob/7efc464cc8b520a51e69391e37626fa2fe07f776/fetch_github_asset.sh#L30

Maybe instead you need to use the authorization: Bearer style I'm using above. I found that example in the GH Actions docs: https://docs.github.com/en/actions/reference/authentication-in-a-workflow#example-calling-the-rest-api
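
Added example, not part of the thread or of the action's own script: the two REST calls discussed above (look up the release, then download the asset by id) with the `authorization: Bearer` header, plus a check that turns an error body into a readable reason instead of an attempt to iterate over a missing `assets` array. The function names, the sample bodies and the asset id 1001 are constructed for illustration.

```python
import json
import urllib.request

API = "https://api.github.com"

# Constructed sample bodies (not captured from a real repository).
RELEASE_OK = '{"tag_name": "v1.0.0", "assets": [{"id": 1001, "name": "content.db.zip"}]}'
RELEASE_404 = '{"message": "Not Found"}'


def api_request(path, token, accept="application/vnd.github+json"):
    """Build (do not send) a request authenticated with the Bearer header."""
    return urllib.request.Request(
        f"{API}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": accept},
    )


def find_asset_id(status, body, filename):
    """Return (asset_id, None) on success or (None, reason) on failure."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None, f"HTTP {status}: body is not JSON"
    if not isinstance(doc, dict):
        return None, f"HTTP {status}: expected a single release object"
    if status == 404:
        # The API answers 404 (not 403) for a private repository the token
        # cannot see, so a permissions problem looks like a missing release.
        return None, "HTTP 404: repository, release or tag is not visible to this token"
    if status != 200:
        return None, f"HTTP {status}: {doc.get('message', 'request failed')}"
    assets = doc.get("assets")
    if not isinstance(assets, list):
        # Iterating here without the check is the "iterate over null" case.
        return None, "response has no 'assets' array"
    for asset in assets:
        if asset.get("name") == filename:
            return asset["id"], None
    return None, f"release has no asset named {filename!r}"


def asset_download_request(repo, asset_id, token):
    """Request for the binary asset; octet-stream selects the file itself."""
    return api_request(
        f"/repos/{repo}/releases/assets/{asset_id}", token,
        accept="application/octet-stream",
    )
```
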

dsaltares commented 3 years ago

Interesting, thanks. Is your test from a private repo as well?

blimmer commented 3 years ago

Yep - this was in a private repo.

dsaltares commented 3 years ago

@blimmer would you be able to test and send a PR for your proposal?

KIC commented 3 years ago

I ended up here because I am looking for this feature. My repo is only private for the moment while everything is a mess :-) This means I prefer a solution where I don't need to change anything and can treat a private repo as public and vice versa. If I understood the problem correctly this PR should solve the issue.

#17

dsaltares commented 3 years ago

Should be fixed now! Thanks everyone.

blimmer commented 3 years ago

If someone has a sec, the README could use an update too: https://github.com/dsaltares/fetch-gh-release-asset#token

dsaltares commented 3 years ago

Looks like https://github.com/dsaltares/fetch-gh-release-asset/pull/17 caused https://github.com/dsaltares/fetch-gh-release-asset/pull/20. I reverted the changes, meaning this is still a valid issue.

KIC commented 3 years ago

This is weird because this definitely works:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: test
        run: |
          curl \
          --url https://api.github.com/repos/${{ github.repository }}/releases/tags/0.0.1 \
          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
          --header 'content-type: application/json'
      - name: test download
        run: |
          curl \
          -J \
          -L \
          --url https://api.github.com/repos/${{ github.repository }}/releases/assets/31985096 \
          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
          --header "Accept: application/octet-stream" \
          -o ./test.tgz

azagaya commented 3 years ago

I opened #18 because my GitHub Actions stopped working after #17. I can confirm that with the revert it started working again. That being said, probably I just had to change something in my actions, but I don't really know what. Were there any changes needed?

dsaltares commented 3 years ago

Closed by https://github.com/dsaltares/fetch-gh-release-asset/pull/22.

matshou commented 3 years ago

I want to report that for me this action still doesn't work for private repositories.

However the solution proposed by @sachaarbonel solves the problem for me:

> Ok, I found out what was going on. It turns out the default secrets.GITHUB_TOKEN doesn't have enough permissions; the owner (me) has to make a personal access token with at least the scope org:hook to be able to list release assets, and then reference it as a GitHub secret and then access it.