github / safe-settings

ISC License

Environments do not get provisioned for repositories set to internal or private #623

Open gregnrobinson opened 2 months ago

gregnrobinson commented 2 months ago

Problem Description

When managing environments with safe settings, if the repository is set to public, safe settings will create all environments defined within the suborg configuration. If the repository visibility is set to private or internal, safe settings presents an error even though the provisioning of environments has been tested for all repository visibilities via the REST API.

What is actually happening

If the repositories are anything but public visibility, safe settings cannot provision the environments.

What is the expected behavior

Safe Settings should be able to manage environments on repositories that are set to private or internal visibility.

Error output, if available


Error HttpError: Resource not accessible by integration in Environments for repo. {team details...}


Context

We had initially opened #611 regarding environment provisioning but assumed the issue was due to insufficient licensing for the non-prod environments. After deploying to production, environment provisioning still only worked for public repositories. Using the REST API, we can successfully create environments for repositories even if the repository is set to internal or private visibility. We are wondering why Safe Settings specifically returns an error for environments that are being provisioned against internal or private repositories.

Create environment for a public repository


curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $token" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestpublic \
-d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'

  response

{
"id": 3523,
"node_id": "MDExOkVudmlyb25tZW50MzUyMw==",
"name": "dantestpublic",
"url": "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestpublic",
"html_url": "https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestpublic",
"created_at": "2024-04-17T18:51:04Z",
"updated_at": "2024-04-17T18:51:04Z",
"can_admins_bypass": true,
"protection_rules": [
],
"deployment_branch_policy": null
}

  public_repo  

Create an environment for an internal repository


curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $token" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestinternal \
-d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'

  response

{
"id": 3524,
"node_id": "MDExOkVudmlyb25tZW50MzUyNA==",
"name": "dantestinternal",
"url": "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestinternal",
"html_url": "https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestinternal",
"created_at": "2024-04-17T18:57:34Z",
"updated_at": "2024-04-17T18:57:34Z",
"can_admins_bypass": true,
"protection_rules": [
],
"deployment_branch_policy": null
}

  internal_repo  

Create an environment for a private repository


curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $token" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestprivate \
-d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'

  response

{
"id": 3525,
"node_id": "MDExOkVudmlyb25tZW50MzUyNQ==",
"name": "dantestprivate",
"url": "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestprivate",
"html_url": "https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestprivate",
"created_at": "2024-04-17T19:00:49Z",
"updated_at": "2024-04-17T19:00:49Z",
"can_admins_bypass": true,
"protection_rules": [
],
"deployment_branch_policy": null
}

private_repo

Environments suborg configuration

environments:
  - name: DEV
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: QAT
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: UAT
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: PROD
    wait_timer: 0
    prevent_self_review: true
    reviewers:
      - type: Team
        id: 16193
    deployment_branch_policy:
      protected_branches: true
      custom_branch_policies: false


Are you using the hosted instance of probot/settings or running your own?

  Running safe settings on AKS with ingress for webhook.  

If running your own instance, are you using it with github.com or GitHub Enterprise?

  GitHub Enterprise Server  

Version of probot/settings

  Running Probot v12.3.3 (Node.js: v16.20.2)  

Version of GitHub Enterprise

  GitHub Enterprise Server 3.11

sanglt commented 1 month ago

Thanks, we have the same bug too, and we are using GitHub SaaS.

{"level":50,"time":1715657742292,"pid":24,"hostname":"release-name-safe-settings-755548ff8b-mwg9l","name":"probot","name":"probot","msg":"Error HttpError: Resource not accessible by integration in Environments for repo: {\"owner\":\"xxxxxx\",\"repo\":\"xxxxxx\"} entries [{\"name\":\"production\",\"wait_timer\":0,\"prevent_self_review\":true,\"reviewers\":[{\"type\":\"Team\",\"id\":xxxxxx}],\"deployment_branch_policy\":null},{\"name\":\"qa\",\"wait_timer\":0,\"prevent_self_review\":false,\"reviewers\":[{\"type\":\"Team\",\"id\":xxxxxx}],\"deployment_branch_policy\":null}]"}

sanglt commented 2 weeks ago

The error is fixed after granting Actions read permission to the app. This is the requirement for using this listing endpoint.

https://docs.github.com/en/rest/deployments/environments?apiVersion=2022-11-28#list-environments

The fine-grained token must have the following permission set: "Actions" repository permissions (read)
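As an added example (not safe-settings code), the following Python checks the two things this thread turns on: it parses a probot error line in the shape quoted above to recover the repo and environment entries, and compares an installation's `permissions` map (the object GitHub returns for a GitHub App installation) against the Actions: read permission that the list-environments endpoint requires. The sample log line and the org, repo and team values in it are constructed placeholders.

```python
import json
import re

# Added example, not safe-settings code. GitHub App permission levels in increasing
# order of privilege; a higher granted level satisfies a lower requirement.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# What the list-environments call needs, per the docs linked in the thread.
REQUIRED_FOR_ENVIRONMENTS = {"actions": "read"}

# Matches the tail of the probot message: "... in Environments for repo: {...} entries [...]"
_MSG_RE = re.compile(r"in Environments for repo: (\{.*?\}) entries (\[.*\])$")


def parse_environment_error(log_line):
    """Return (owner, repo, [env names]) for a 'Resource not accessible' error, else None."""
    record = json.loads(log_line)
    msg = record.get("msg", "")
    if "Resource not accessible by integration" not in msg:
        return None
    match = _MSG_RE.search(msg)
    if match is None:
        return None
    repo = json.loads(match.group(1))
    entries = json.loads(match.group(2))
    return repo["owner"], repo["repo"], [entry["name"] for entry in entries]


def missing_permissions(granted, required=REQUIRED_FOR_ENVIRONMENTS):
    """Return the entries of `required` that the installation's `permissions` map does not satisfy."""
    missing = {}
    for perm, level in required.items():
        have = granted.get(perm, "none")
        if LEVELS.get(have, 0) < LEVELS[level]:
            missing[perm] = level
    return missing


def diagnose(log_line, granted):
    """Combine both checks: which repo failed and which permission the app still lacks."""
    parsed = parse_environment_error(log_line)
    if parsed is None:
        return None
    owner, repo, envs = parsed
    return {"repo": f"{owner}/{repo}", "environments": envs,
            "missing": missing_permissions(granted)}


# Constructed sample in the shape of the log line quoted in the thread (placeholder values).
SAMPLE_LOG = json.dumps({"level": 50, "name": "probot", "msg": (
    "Error HttpError: Resource not accessible by integration in Environments for repo: "
    '{"owner":"example-org","repo":"example-repo"} entries '
    '[{"name":"production","prevent_self_review":true,"reviewers":[{"type":"Team","id":1234}]},'
    '{"name":"qa","prevent_self_review":false,"reviewers":[]}]')})
```

Running `diagnose(SAMPLE_LOG, installation["permissions"])` against a real installation object tells you whether the app still lacks Actions: read before you re-run the suborg sync.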