game-ci / steam-deploy

Github Action to deploy a game to Steam
MIT License

MFA file approach does not work #56

Closed meanbeanmachine closed 1 year ago

meanbeanmachine commented 1 year ago

For people already using this pipeline, it will probably continue to work since I don't see any new issues. However, for people new to this pipeline like me, I don't think the MFA file method works anymore. I think Valve has changed some things regarding SteamCMD and the Steam app itself. Here is my experience:

I am using PopOS which is based off Ubuntu 22.04. I run through the readme steps:

I figure this must be something with Linux, so I hop on to my Windows machine. My Windows machine has pretty much nothing on it, not even Steam. I repeat the steps:

In summary, it seems the MFA file approach for this pipeline is deprecated in its current state for new users. Valve has clearly changed something with SteamCMD, given that the config.vdf file is in a new location and a new SSFN file isn't being created at all.

meanbeanmachine commented 1 year ago

Am I misunderstanding the readme when it comes to the ssfn file? i.e. is SteamCMD supposed to create it or is it created by the actual Steam App? Either way, today I re-installed both of these things and there still is not a ssfn file on my PC, including hidden files.

davidmfinol commented 1 year ago

steamcmd should create the ssfn file after you enter the MFA code into it. If Valve has changed something about how the MFA process works, we would need to find out what the change is to accommodate for that change. Hopefully someone else may be able to find out more and share some details here.

meanbeanmachine commented 1 year ago

I tried it on Windows again this morning. SteamCMD updated itself and finally generated the ssfn file. I put all the data in github secrets and the workflow executed successfully... the first time. I tried again 15 minutes later after a push and it's saying my auth code is invalid.

I tried SteamCMD on Linux again, it updated as well, but it is still not generating the ssfn file.

Frustrated with the MFA file method, I tried the TOTP. I got my secret and put the data in github secrets. Just like the MFA method, the workflow worked the first time, but not 15 minutes later. It's now asking for my mobile code.

The whole point of this is to not have to enter these codes anymore, right? So I'm not sure what I'm doing wrong when both methods stop working after 15 minutes, presumably after the first authentication time period expires. I don't know if I should close this issue and open separate ones for Linux SSFN, MFA not working more than once, and TOTP not working more than once.

mfbrantner commented 1 year ago

I am experiencing the same issue.

I am using the MFA-Files method and a dedicated runner for GitHub Actions.

#################################
#        Test login             #
#################################

Redirecting stderr to '/github/home/Steam/logs/stderr.txt'
[  0%] Checking for available updates...
[----] Verifying installation...
Steam Console Client (c) Valve Corporation - version 1679361716
-- type 'quit' to exit --
Loading Steam API...OK
Logging in user '***' to Steam Public...FAILED (Invalid Login Auth Code)

I also get an email with a Steam Guard code during the second run.

Logging in on my local machine generates a new config.vdf. When I update STEAM_CONFIG_VDF with the new (base64 encoded) config.vdf, it works again (but only for one run).

TheOrioli commented 1 year ago

Hi, I had the same problem.

What I tried today is to execute all the login steps inside the steamcmd/steamcmd:latest container itself, and use the files from there as my secrets. So far it has been working, however only a few hours and builds have passed. Steamworks SDK has also been updated to 1.56 so that might also be the cause of the fix.

It seems that the steamcmd/steamcmd container rebuilds every few hours and is not possible to tag with a direct version, so I wonder if it might start failing once the tags update and a new container image is released.

If that happens, perhaps the solution to this will be to spin-off a more stable, properly tagged and versioned image.

simonstix commented 1 year ago

Hi, I also have the same problem. I'm using a modified version of the deploy script in Gitlab CI. I tried creating a docker image with the config.vdf and ssfn files included in the image, which didn't work either. I then tried building the image directly on the server where I have the Gitlab Runner, which worked at first. Unfortunately, either I made a different mistake or it still broke after a few hours.

I really hope somebody finds a solution to this, it would be quite sad if I got a complete CI pipeline working only to fail at the deploy step.

simonstix commented 1 year ago

I think I've found a solution to this problem. Gitlab CI has the option of using a Shell runner, it executes commands as a regular Linux user. I now have a steam-deploy runner that I've manually set up with MFA. It would be interesting what information it uses to generate the MFA files, but it seems quite strict now.

Not sure how this applies to GitHub though.

xucian commented 1 year ago

I am experiencing the same issue.

I am using the MFA-Files method and a dedicated runner for GitHub Actions.

#################################
#        Test login             #
#################################

Redirecting stderr to '/github/home/Steam/logs/stderr.txt'
[  0%] Checking for available updates...
[----] Verifying installation...
Steam Console Client (c) Valve Corporation - version 1679361716
-- type 'quit' to exit --
Loading Steam API...OK
Logging in user '***' to Steam Public...FAILED (Invalid Login Auth Code)

I also get an email with a Steam Guard code during the second run.

Logging in on my local machine generates a new config.vdf. When I update STEAM_CONFIG_VDF with the new (base64 encoded) config.vdf, it works again (but only for one run).

also getting this. any updates?

meanbeanmachine commented 1 year ago

I'm pretty sure this Action is dead in the water. If you are logging in from a new IP, the Steam API doesn't seem to care if you provide your ssfn or config files... Steam will either send you an email (MFA method) or ask for your Mobile Code (TOTP method) despite already doing these steps before.

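I got my own pipeline to work doing the following:

  • setup an always-free OracleCloud instance (VM.Standard.E2.1.Micro); use Ubuntu 22.04
  • login with SteamCmd on this instance, wait for the email and use that code
  • add the instance as a self-hosted runner
  • ref my self-hosted runner in my workflow
  • pass only my username and password via secrets; no longer need the ssfn / config files
  • uploads to Steam just fine; never prompts for a code again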

I've been using this method since 20 March and I have never had a failure / never received a Steam Guard email. The instance is now considered a trusted source, just like me logging in with Steam on my own personal machine to play games.

GabLeRoux commented 1 year ago

Having a dedicated IP for the MFA verification is a good idea, thanks for sharing this tip!

xucian commented 1 year ago

I'm pretty sure this Action is dead in the water. If you are logging in from a new IP, the Steam API doesn't seem to care if you provide your ssfn or config files... Steam will either send you an email (MFA method) or ask for your Mobile Code (TOTP method) despite already doing these steps before.

I got my own pipeline to work doing the following:

  • setup an always-free OracleCloud instance (VM.Standard.E2.1.Micro); use Ubuntu 22.04
  • login with SteamCmd on this instance, wait for the email and use that code
  • add the instance as a self-hosted runner
  • ref my self-hosted runner in my workflow
  • pass only my username and password via secrets; no longer need the ssfn / config files
  • uploads to Steam just fine; never prompts for a code again

I've been using this method since 20 March and I have never had a failure / never received a Steam Guard email. The instance is now considered a trusted source, just like me logging in with Steam on my own personal machine to play games.

thanks for sharing! good to know. I guess using self-hosted also works fine, if it's always the same machine that uploads. however, a 'good enough' alternative would be to use a "builder account" with no 2fa on it.

just a follow-up, I also tried using the TOTP approach, got a similar failure, different message:

#################################
#     Using SteamGuard TOTP     #
#################################

#################################
#        Test login             #
#################################

Redirecting stderr to '/github/home/Steam/logs/stderr.txt'
[  0%] Checking for available updates...
[----] Verifying installation...
Steam Console Client (c) Valve Corporation - version 16[79](**[***]**)
-- type 'quit' to exit --
Loading Steam API...OK
Logging in user '***' to Steam Public...
Enter the current code from your Steam Guard Mobile Authenticator app
Two-factor code:FAILED (Account logon denied, need two-factor code)

mfbrantner commented 1 year ago

however, a 'good enough' alternative would be to use a "builder account" with no 2fa on it.

IIRC any Steam account affiliated with a Steamworks organization is required to use MFA. I just tried to disable MFA for my builder account and was greeted with this error message: Sorry, we couldn't change your Steam Guard setting.

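I just tried the following:

  • Fork steam-deploy and modify it to no longer use the MFA files
  • ssh into my self-hosted runner and complete the Steam Guard authentication (using the steamcmd/steamcmd:latest Docker image)
  • run the action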

Unfortunately, steamcmd still asks for the Steam Guard code:

Loading Steam API...OK
Logging in user '***' to Steam Public...
This computer has not been authenticated for your account using Steam Guard.
Please check your email for the message from Steam, and enter the Steam Guard
 code from that message.
You can also enter this code at any time using 'set_steam_guard_code'
 at the console.
Steam Guard code:FAILED (Account Logon Denied)

xucian commented 1 year ago

however, a 'good enough' alternative would be to use a "builder account" with no 2fa on it.

IIRC any Steam account affiliated with a Steamworks organization is required to use MFA. I just tried to disable MFA for my builder account and was greeted with this error message: Sorry, we couldn't change your Steam Guard setting.

I just tried the following:

  • Fork steam-deploy and modify it to no longer use the MFA files
  • ssh into my self-hosted runner and complete the Steam Guard authentication (using the steamcmd/steamcmd:latest Docker image)
  • run the action

Unfortunately, steamcmd still asks for the Steam Guard code:

Loading Steam API...OK
Logging in user '***' to Steam Public...
This computer has not been authenticated for your account using Steam Guard.
Please check your email for the message from Steam, and enter the Steam Guard
 code from that message.
You can also enter this code at any time using 'set_steam_guard_code'
 at the console.
Steam Guard code:FAILED (Account Logon Denied)

thanks for sharing. it's frustrating. I wonder how game devs uploaded their builds automatically since the beginning of time. I'm sure there's a solution to this. we're talking basic security (private/public key protocols have existed for a while now..)

meanbeanmachine commented 1 year ago

ssh into my self-hosted runner and complete the Steam Guard authentication (using the steamcmd/steamcmd:latest Docker image)

I didn't try it with Docker, I just straight up installed SteamCMD and dependencies on the instance. IDK if that matters, not sure how Docker would interfere, idk enough about Docker to say.

Make sure your IP address isn't changing; otherwise idk what else to suggest.

TheOrioli commented 1 year ago

Hey y'all just reposting in case it got lost in the conversation. This action works perfectly for me, and has been since my last comment. The only thing I did was generate the required files inside the steamcmd/steamcmd:latest container used by the action, on my personal machine. Would be good to see if this is replicable or if there is something special in my builder account settings.

filiphsps commented 1 year ago

Yeah; I'm also experiencing this. Unlike one previous poster it has only worked once and now it fails even when I regenerate the config/tokens. So might be some form of new backend logic.. luckily it's only like 99.9% of the industry that uses some form of CI so it's not like valve broke it for a lot of people /s.

EDIT: I also contacted steamworks support to ask 'em

filiphsps commented 1 year ago

Got a response from the support. Looks like they updated how authentication works.

[image: IMG_0859]

meanbeanmachine commented 1 year ago

have your system/image look the same, it should work

You should ask if that includes IP, that's the only way I got it to work: same system w/ same IP. Maybe reference this thread while you're at it.

filiphsps commented 1 year ago

have your system/image look the same, it should work

You should ask if that includes IP, that's the only way I got it to work: same system w/ same IP. Maybe reference this thread while you're at it.

I did link to this issue in the initial inquiry, I also mentioned that it’s running in a GitHub action (eg non-permanent ips)

xucian commented 1 year ago

ok, so based on that, their documentation is up to date. the part:

If you are using steamcmd from a machine or VM that gets re-imaged frequently, you should include the config file in your image so you won't be prompted for a Steam Guard every time. The config file is located in \config\config.vdf.

tried it, doesn't work. I'm using the steamcmd official docker image with the twist that I'm also replacing the config.vdf file. I'm using a single VM for this (but would like to use any, really), so created a container with the steamcmd image, generated the vdf file, extracted it and built my custom steamcmd image. doesn't work. then, I extracted it and base64'd it, stored it as a secret in GH Actions, then decoding and writing it after the steamcmd container creation (I assumed maybe steamcmd is overwriting it and thus I cannot include it in the pre-built image). doesn't work - "This computer has not been authenticated for your account using Steam Guard"

filiphsps commented 1 year ago

Good news, looks like they found the regression and a workaround for it!

[image: IMG_0876]

mfbrantner commented 1 year ago

Good news, looks like they found the regression and a workaround for it!

This seems like it works for me.

I forked the action and have it only supply the username and the config.vdf file when logging in.

I ran the action about a dozen times and SteamGuard has not locked me out yet. Previously, it would ask for MFA on the second run.

Thank you @filiphsps, as well as Jon & Jason from Steam Support!

ifthenmike commented 1 year ago

They mention that you need to preserve config.vdf between runs, as it may be modified. Is that possible with GitHub Actions?

filiphsps commented 1 year ago

They mention that you need to preserve config.vdf between runs, as it may be modified. Is that possible with GitHub Actions?

https://github.com/game-ci/steam-deploy#configvdf-ssfnfilename-and-ssfnfilecontents

ifthenmike commented 1 year ago

They mention that you need to preserve config.vdf between runs, as it may be modified. Is that possible with GitHub Actions?

https://github.com/game-ci/steam-deploy#configvdf-ssfnfilename-and-ssfnfilecontents

Thank you, but I don't see anything in that link which explains how modifications are persisted between runs. I checked through the source for steam-deploy and did not see any mechanism that might allow for this yet. I am assuming this has not yet been implemented.

I bring this up because the response from Valve seems to indicate that steamcmd may modify the supplied config.vdf, and these modifications need to be persisted in order to ensure future uses of steamcmd function properly. This is mentioned directly in the public documentation here, step 6: https://partner.steamgames.com/doc/sdk/uploading#automating_steampipe

xucian commented 1 year ago

it doesn't seem ideal. I wonder how would this play out when it needs to be machine-agnostic. if config.vdf is changed on a machine, does it invalidate all other config.vdf files on other machines (as they'd start from the same 'seed' config.vdf)?

webbertakken commented 1 year ago

There seems to be some speculation in the last few comments. The original post does in fact not say whether config.vdf is changed between runs or not. It only says it needs to persist between runs (correct me if I'm wrong).

There's also a big difference between it being changed once, or (potentially) on every run.

In order to make design decisions we need more information and either

ifthenmike commented 1 year ago

I think the text of the documentation is fairly clear:

Be sure that the config file stored in \config\config.vdf is saved and preserved between runs, as this file may be updated after a successful login

Emphasis is theirs.

However, I do agree that getting a direct comment from Valve on this would be helpful, if we can get such a comment.
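The persistence question raised in the comments above (whether steamcmd rewrites config.vdf after a successful login, and so whether the stored secret must be refreshed), as an added example that is not part of the thread or of the steam-deploy action: a wrapper that restores config.vdf from the base64 secret with owner-only permissions and reports whether a run changed it. The function names, the Steam home argument and the demo file content are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not steam-deploy code. Function names and paths are assumptions.

# Write the base64 secret (STEAM_CONFIG_VDF in the thread) to
# <steam_home>/config/config.vdf, readable by the current user only.
restore_config_vdf() {
  local b64="$1" vdf="$2/config/config.vdf"
  [ -n "$b64" ] || { echo "config.vdf secret is empty" >&2; return 1; }
  ( umask 077
    mkdir -p "$2/config" && printf '%s' "$b64" | base64 -d > "$vdf" ) || return 1
  chmod 600 "$vdf"
  # A secret that decodes to nothing would only show up later as a Steam Guard prompt.
  [ -s "$vdf" ] || { echo "decoded config.vdf is empty" >&2; return 1; }
}

vdf_digest() { sha256sum "$1" | cut -d' ' -f1; }

# Single-line base64 of the file, ready to be stored back as the secret.
# The output is a login credential: never echo it into job logs.
export_config_vdf() { base64 < "$1" | tr -d '\n'; }

# Run a command (normally the steamcmd upload) and print "changed" or
# "unchanged" depending on whether it rewrote config.vdf.
run_and_track() {
  local vdf="$1/config/config.vdf" before
  shift
  [ -f "$vdf" ] || { echo "config.vdf not restored" >&2; return 1; }
  before=$(vdf_digest "$vdf")
  "$@" || return $?
  if [ "$(vdf_digest "$vdf")" = "$before" ]; then
    echo unchanged
  else
    echo changed
  fi
}

# Demo with constructed file content and a stand-in for steamcmd: ./script demo
if [ "${1:-}" = "demo" ]; then
  home=$(mktemp -d)
  secret=$(printf '"InstallConfigStore"\n{\n}\n' | base64 | tr -d '\n')
  restore_config_vdf "$secret" "$home"
  run_and_track "$home" sh -c "echo '// rewritten' >> '$home/config/config.vdf'"
  rm -rf "$home"
fi
```

When `run_and_track` prints `changed`, the value from `export_config_vdf` is what has to replace the stored secret before the next run; on hosted runners that write-back needs a secret store the job is allowed to update.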

rdlaitila commented 1 year ago

Providing a PR #57 that applies the known workarounds in this issue. I've been testing on my fork for a few days and it appears stable. Hope others can help validate.

pmduda commented 1 year ago

Providing a PR #57 that applies the known workarounds in this issue. I've been testing on my fork for a few days and it appears stable. Hope others can help validate.

Just used your fork to set up completely new pipeline and it works fine. Thanks!

davidmfinol commented 1 year ago

Merged and promoted to v3.

Remaining actions:

  1. Fix the main.yml workflow at https://github.com/game-ci/steam-deploy/blob/v3.0.0/.github/workflows/main.yml
  2. Remove the mention of ssfn files from the action.yml file at https://github.com/game-ci/steam-deploy/blob/main/action.yml#L11
  3. Use v3 instead of v2 on the README.md. I also think the instructions for setting STEAM_CONFIG_VDF could be improved.
  4. Update the game.ci docs web page at https://game.ci/docs/github/deployment/steam

davidmfinol commented 1 year ago

PRs to close this issue: https://github.com/game-ci/steam-deploy/pull/58 https://github.com/game-ci/documentation/pull/395

webbertakken commented 1 year ago

Both approved and merged

webbertakken commented 1 year ago

Related conversation after this was merged. Some (or all?) people are experiencing having to regenerate the 2FA.

Discussion is on our discord: https://discord.com/channels/710946343828455455/1131954718269255861 (first join our discord before clicking the link, or Discord will cache permissions denied)