fgrosse / go-coverage-report

A CLI tool and GitHub Action to post Go code coverage reports as comment to your pull requests.
BSD 3-Clause "New" or "Revised" License

Error fetching artifacts - Bad Credentials #33

Closed lukaswoellhaf closed 3 weeks ago

lukaswoellhaf commented 1 month ago

Hello, first off, thank you for this implementation - looks very promising :)

I'm currently trying to integrate the go-coverage-report inside a GHES pipeline. When trying to execute the go-coverage-report action step, I get the following error while fetching the artifact:

gh run download 8033121 --name=code-coverage --dir=/tmp/gh-run-download-8033121
  error fetching artifacts: HTTP 401: Bad credentials (https://api.github.com/repos/<redacted-org-name>/core/actions/runs/8033121/artifacts?per_page=100)
  Try authenticating with:  gh auth login
  Error: Process completed with exit code 1.

I'm successfully checking out the repo and providing the necessary permission for the job, but it still seems to fail in scripts/github-action.sh:

...
start_group "Download code coverage results from current run"
gh run download "$GITHUB_RUN_ID" --name="$COVERAGE_ARTIFACT_NAME" --dir="/tmp/gh-run-download-$GITHUB_RUN_ID"
mv "/tmp/gh-run-download-$GITHUB_RUN_ID/$COVERAGE_FILE_NAME" $NEW_COVERAGE_PATH
rm -r "/tmp/gh-run-download-$GITHUB_RUN_ID"
end_group
...

Question: Is this GitHub Action compatible with GHES out of the box, or do I need to provide another GitHub base URL to the action to successfully authenticate?

Here is my complete GitHub action:

name: go-coverage-report

on:
  workflow_dispatch:
  pull_request:
    types: [opened, reopened, synchronize]
  push:
    branches:
      - 'production'

jobs:
  backend-tests:
    name: "Backend Tests"
    runs-on: [large]
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{secrets.GITHUB_TOKEN}}
      - name: Login to harbor
        uses: docker/login-action@v3
        with: 
          registry: <redacted-url>
          username: ${{secrets.HARBOR_ROBO_USER}}
          password: ${{secrets.HARBOR_SECRET}}
      - name: Test
        working-directory: ./services/service-one
        run: make test-with-coverage
        continue-on-error: true
      - name: Archive code coverage results
        uses: actions/upload-artifact@v3
        with:
          name: code-coverage
          path: ./services/service-one/coverage.txt
  code_coverage:
    name: "Code coverage report"
    if: github.event_name == 'pull_request'
    runs-on: [large]
    timeout-minutes: 30
    needs: backend-tests
    permissions:
      pull-requests: write
      actions: read
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{secrets.GITHUB_TOKEN}}
      - name: Download code coverage results
        uses: fgrosse/go-coverage-report@v1.0.2
        with:
          coverage-artifact-name: "code-coverage"
          coverage-file-name: "coverage.txt"

fgrosse commented 1 month ago

I have never tried this action on GHES, but I would assume that it should just work if other actions also just work out of the box. The only known issue at this point is that pull requests from forks are not supported in general, but this would be unrelated to GHES.

To debug authentication issues, you can check which permissions the used GitHub token actually has by expanding the "Set up job" step and then clicking on GITHUB_TOKEN Permissions:

[Screenshot: GITHUB_TOKEN Permissions]

According to the API documentation, the token needs "Actions" repository permissions (read).
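
A complementary check, as an added example that is not part of this thread or of the project's scripts: it compares the host that `gh` actually called (taken from the error line quoted in the first post) with the runner's own `GITHUB_SERVER_URL`, so a token being sent to a different GitHub host shows up as a mismatch rather than a permissions problem. The thread does not establish the cause of the 401; `ghes.example.com` and the function names are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example. Function names and ghes.example.com are constructed.

# Error line as quoted in the issue (org name redacted by the reporter).
SAMPLE_ERROR='error fetching artifacts: HTTP 401: Bad credentials (https://api.github.com/repos/<redacted-org-name>/core/actions/runs/8033121/artifacts?per_page=100)'

# Host part of a URL: https://ghes.example.com:8443/api/v3 -> ghes.example.com
url_host() {
  local rest
  rest="${1#*://}"
  rest="${rest%%/*}"
  printf '%s\n' "${rest%%:*}"
}

# First https URL found in a gh error line (empty if there is none).
error_url() {
  printf '%s\n' "$1" | grep -oE 'https://[^ )]+' | head -n 1
}

# Prints "ok: ..." and returns 0 when gh called the runner's own server,
# prints "mismatch: ..." and returns 1 otherwise.
check_gh_target() {
  local expected actual
  expected="$(url_host "$1")"
  actual="$(url_host "$(error_url "$2")")"
  # github.com serves its REST API from api.github.com; a GHES instance
  # serves it from its own hostname under /api/v3.
  if [ "$expected" = "github.com" ]; then
    expected="api.github.com"
  fi
  if [ "$actual" = "$expected" ]; then
    echo "ok: request went to $actual"
    return 0
  fi
  echo "mismatch: request went to '$actual', runner belongs to '$expected'"
  # gh reads GH_HOST to select a non-github.com host and GH_ENTERPRISE_TOKEN
  # for its token; whether that resolves this issue is not confirmed here.
  return 1
}

# On a runner GITHUB_SERVER_URL is set by Actions; the fallback is constructed.
check_gh_target "${GITHUB_SERVER_URL:-https://ghes.example.com}" "$SAMPLE_ERROR" || true
```

A mismatch also means the job's token was presented to a host that did not issue it, which is worth knowing independently of the failed download.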

fgrosse commented 1 month ago

Hey @lukaswoellhaf, were you able to solve your issue?

lukaswoellhaf commented 3 weeks ago

Hey @fgrosse, sorry, totally forgot this issue was still open. Unfortunately, I could not solve the issue. I have all the permissions on the GITHUB_TOKEN provided in the screenshot, including the repository-projects read access, which should be enabled by default: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token.

I decided on another solution in the meantime. I will close this issue for now.