I'm attempting to use release-please and a github app to cut releases on a repository with protected tags. We are filtering protected tags using "*". This pattern worked fine when we were using user's PATs to deploy releases with release-please's github action, but we moved to using a Github app to be safer.
Currently, I'm getting an error in our pipelines using the release-please action and our github app, but I was also able to replicate the error locally using the app's installation token by fetching the JWT, and getting an installation token to play with to ensure it wasn't a problem with the github action.
Here are the permissions I have for the bot on the installation of the repo:
Give it all the permissions you'd think it would need
Try to use release-please to cut a release using the app's installation token (see here for how to get one)
Here's the error locally:

```
release-please github-release --repo-url=defenseunicorns/delivery-aws-iac --token=$gh_token --trace
❯ Fetching release-please-config.json from branch main
❯ Fetching .release-please-manifest.json from branch main
✔ Building releases
✔ Building strategies by path
❯ .: simple
❯ Found pull request #344: 'chore(main): release 0.0.10'
✔ Building release for path: .
❯ type: simple
❯ targetBranch: main
✔ Creating 1 releases for pull #344
release-please github-release
create a GitHub release from a release PR
Options:
--help Show help [boolean]
--version Show version number [boolean]
--debug print verbose errors (use only for local
debugging). [boolean] [default: false]
--trace print extra verbose errors (use only for local
debugging). [boolean] [default: false]
--plugin load plugin named release-please-
[array] [default: []]
--token GitHub token with repo write permissions
--api-url URL to use when making API requests
[string] [default: "https://api.github.com"]
--graphql-url URL to use when making GraphQL requests
[string] [default: "https://api.github.com"]
--default-branch The branch to open release PRs against and tag
releases on
[deprecated: use --target-branch instead] [string]
--target-branch The branch to open release PRs against and tag
releases on [string]
--repo-url GitHub URL to generate release for [required]
--dry-run Prepare but do not take action
[boolean] [default: false]
--include-v-in-tags include "v" in tag versions
[boolean] [default: true]
--monorepo-tags include library name in tags and release
branches [boolean] [default: false]
--pull-request-title-pattern Title pattern to make release PR [string]
--pull-request-header Header for release PR [string]
--path release from path other than root directory
[string]
--component name of component release is being minted for
[string]
--package-name name of package release is being minted for
[string]
--release-type what type of repo is a release being created
for?
[choices: "dart", "dotnet-yoshi", "elixir", "expo", "go", "go-yoshi", "helm",
"java", "java-backport", "java-bom", "java-lts", "java-yoshi",
"java-yoshi-mono-repo", "krm-blueprint", "maven", "node", "ocaml", "php",
"php-yoshi", "python", "ruby", "ruby-yoshi", "rust", "salesforce", "sfdx",
"simple", "terraform-module"]
--config-file where can the config file be found in the
project? [default: "release-please-config.json"]
--manifest-file where can the manifest file be found in the
project?
[default: ".release-please-manifest.json"]
--draft mark release as a draft. no tag is created but
tag_name and target_commitish are associated
with the release for future tag creation upon
"un-drafting" the release.
[boolean] [default: false]
--prerelease mark release that have prerelease versions as as
a prerelease on Github[boolean] [default: false]
--label comma-separated list of labels to remove to from
release PR [default: "autorelease: pending"]
--release-label set a pull request label other than
"autorelease: tagged"
[string] [default: "autorelease: tagged"]
--snapshot-label set a java snapshot pull request label other
than "autorelease: snapshot"
[string] [default: "autorelease: snapshot"]
HttpError: Validation Failed: {"resource":"Release","code":"custom","field":"pre_receive","message":"pre_receive protected tag 'v0.0.10' check failed:\n You're not authorized to create a tag"}, {"resource":"Release","code":"custom","message":"Published releases must have a valid tag"}
at /opt/homebrew/lib/node_modules/release-please/node_modules/@octokit/request/dist-node/index.js:122:21
... 7 lines matching cause stack trace ...
at async Object.handler (/opt/homebrew/lib/node_modules/release-please/build/src/bin/release-please.js:388:36) {
status: 422,
body: {
message: 'Validation Failed',
errors: [ [Object], [Object] ],
documentation_url: 'https://docs.github.com/rest/releases/releases#create-a-release'
},
name: 'GitHubAPIError',
cause: RequestError [HttpError]: Validation Failed: {"resource":"Release","code":"custom","field":"pre_receive","message":"pre_receive protected tag 'v0.0.10' check failed:\n You're not authorized to create a tag"}, {"resource":"Release","code":"custom","message":"Published releases must have a valid tag"}
at /opt/homebrew/lib/node_modules/release-please/node_modules/@octokit/request/dist-node/index.js:122:21
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async /opt/homebrew/lib/node_modules/release-please/build/src/github.js:274:26
at async GitHub.createRelease (/opt/homebrew/lib/node_modules/release-please/build/src/github.js:1219:20)
at async Manifest.createRelease (/opt/homebrew/lib/node_modules/release-please/build/src/manifest.js:711:31)
at async Manifest.createReleasesForPullRequest (/opt/homebrew/lib/node_modules/release-please/build/src/manifest.js:674:37)
at async Promise.all (index 0)
at async Manifest.createReleases (/opt/homebrew/lib/node_modules/release-please/build/src/manifest.js:664:30)
at async Object.handler (/opt/homebrew/lib/node_modules/release-please/build/src/bin/release-please.js:388:36) {
status: 422,
response: {
url: 'https://api.github.com/repos/defenseunicorns/delivery-aws-iac/releases',
status: 422,
headers: [Object],
data: [Object]
},
request: {
method: 'POST',
url: 'https://api.github.com/repos/defenseunicorns/delivery-aws-iac/releases',
headers: [Object],
body: '{"name":"v0.0.10","tag_name":"v0.0.10","body":"## 0.0.10 (2023-09-13)\n\n\n### Miscellaneous Chores\n\ndeps: update all dependencies (#315) (ccc71d9)\ndeps: update all dependencies (#345) (41e5da0)\ndeps: update all dependencies (#349) (6144bf9)\n\n\n### Code Refactoring\n\n removal of kubectl provider (#348) (98ca153)\n\n\n### Continuous Integration\n\n fix some inputs for renovate to monitor properly (#347) (bf60547)\n refactor for shared workflows (#346) (5c4bb84)","draft":false,"prerelease":false,"target_commitish":"156308a88ae4c98ecd5fdcee9204bea6b6a44892"}', request: [Object]
}
}
}
```
In my [pipeline](https://github.com/defenseunicorns/delivery-aws-iac/actions/runs/6265252134/job/17015033520#step:3:81):
```log
##[debug]=> 'https://api.github.com/graphql'
##[debug]Result: 'https://api.github.com/graphql'
##[debug]Loading env
Run google-github-actions/release-please-action@v3
❯ Fetching release-please-config.json from branch main
❯ Fetching .release-please-manifest.json from branch main
✔ Building releases
✔ Building strategies by path
❯ .: simple
❯ Found pull request #344: 'chore(main): release 0.0.10'
✔ Building release for path: .
❯ type: simple
❯ targetBranch: main
✔ Creating 1 releases for pull #344
Error: release-please failed: Validation Failed: {"resource":"Release","code":"custom","field":"pre_receive","message":"pre_receive protected tag 'v0.0.10' check failed:\n You're not authorized to create a tag"}, {"resource":"Release","code":"custom","message":"Published releases must have a valid tag"}
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run google-github-actions/release-please-action@v3
```
Source repo where we're experiencing the issue (at time of issue creation): https://github.com/defenseunicorns/delivery-aws-iac/tree/f84764990254ceea749651a77f5ee2d7578cdf35
Here are the permissions I have for the bot on the installation of the repo:

I have `contents: write` set which will allow `POST /repos/{owner}/{repo}/releases` https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents

I added `Repository administration: write` permissions as dictated here: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules

Environment details

`release-please` version: 16.0.0

Steps to reproduce
Try to use release-please to cut a release using the app's installation token (see here for how to get one)
Also, here's my `release-please-config.json`

Edit: for now, I turned off Protected Tags to have our app be able to cut releases using release-please.
Thank you!