googleapis / release-please

generate release PRs based on the conventionalcommits.org spec
https://www.conventionalcommits.org
Apache License 2.0

Unable to create release using release-please with Github app and Protected tags setting configured #2084

Open zack-is-cool opened 10 months ago

zack-is-cool commented 10 months ago

Source repo where we're experiencing the issue (at time of issue creation): https://github.com/defenseunicorns/delivery-aws-iac/tree/f84764990254ceea749651a77f5ee2d7578cdf35

I'm attempting to use release-please and a GitHub app to cut releases on a repository with protected tags. We are filtering protected tags using "*". This pattern worked fine when we were using users' PATs to deploy releases with release-please's GitHub action, but we moved to using a GitHub app to be safer.

Currently, I'm getting an error in our pipelines using the release-please action and our GitHub app, but I was also able to replicate the error locally using the app's installation token by fetching the JWT and getting an installation token to play with, to ensure it wasn't a problem with the GitHub action.

Here are the permissions I have for the bot on the installation of the repo:

```js
permissions: {
  actions: 'write',
  administration: 'write',
  checks: 'write',
  contents: 'write',
  deployments: 'write',
  issues: 'write',
  metadata: 'read',
  packages: 'write',
  pages: 'write',
  pull_requests: 'write',
  repository_projects: 'write',
  statuses: 'write'
},
```

I have `contents: write` set, which will allow `POST /repos/{owner}/{repo}/releases`: https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents

I added `Repository administration: write` permissions as dictated here: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules

Environment details

Steps to reproduce

  1. Set up a repo with tag protection to filter "*"
  2. Create a GitHub app
  3. Give it all the permissions you'd think it would need
  4. Try to use release-please to cut a release using the app's installation token (see here for how to get one)

Here's the error locally:

```
release-please github-release --repo-url=defenseunicorns/delivery-aws-iac --token=$gh_token --trace

❯ Fetching release-please-config.json from branch main
❯ Fetching .release-please-manifest.json from branch main
✔ Building releases
✔ Building strategies by path
❯ .: simple
❯ Found pull request #344: 'chore(main): release 0.0.10'
✔ Building release for path: .
❯ type: simple
❯ targetBranch: main
✔ Creating 1 releases for pull #344
release-please github-release

create a GitHub release from a release PR

Options: --help Show help [boolean] --version Show version number [boolean] --debug print verbose errors (use only for local debugging). [boolean] [default: false] --trace print extra verbose errors (use only for local debugging). [boolean] [default: false] --plugin load plugin named release-please- [array] [default: []] --token GitHub token with repo write permissions --api-url URL to use when making API requests [string] [default: "https://api.github.com"] --graphql-url URL to use when making GraphQL requests [string] [default: "https://api.github.com"] --default-branch The branch to open release PRs against and tag releases on [deprecated: use --target-branch instead] [string] --target-branch The branch to open release PRs against and tag releases on [string] --repo-url GitHub URL to generate release for [required] --dry-run Prepare but do not take action [boolean] [default: false] --include-v-in-tags include "v" in tag versions [boolean] [default: true] --monorepo-tags include library name in tags and release branches [boolean] [default: false] --pull-request-title-pattern Title pattern to make release PR [string] --pull-request-header Header for release PR [string] --path release from path other than root directory [string] --component name of component release is being minted for [string] --package-name name of package release is being minted for [string] --release-type what type of repo is a release being created for? [choices: "dart", "dotnet-yoshi", "elixir", "expo", "go", "go-yoshi", "helm", "java", "java-backport", "java-bom", "java-lts", "java-yoshi", "java-yoshi-mono-repo", "krm-blueprint", "maven", "node", "ocaml", "php", "php-yoshi", "python", "ruby", "ruby-yoshi", "rust", "salesforce", "sfdx", "simple", "terraform-module"] --config-file where can the config file be found in the project? [default: "release-please-config.json"] --manifest-file where can the manifest file be found in the project? 
[default: ".release-please-manifest.json"] --draft mark release as a draft. no tag is created but tag_name and target_commitish are associated with the release for future tag creation upon "un-drafting" the release. [boolean] [default: false] --prerelease mark release that have prerelease versions as as a prerelease on Github[boolean] [default: false] --label comma-separated list of labels to remove to from release PR [default: "autorelease: pending"] --release-label set a pull request label other than "autorelease: tagged" [string] [default: "autorelease: tagged"] --snapshot-label set a java snapshot pull request label other than "autorelease: snapshot" [string] [default: "autorelease: snapshot"]

HttpError: Validation Failed: {"resource":"Release","code":"custom","field":"pre_receive","message":"pre_receive protected tag 'v0.0.10' check failed:\n You're not authorized to create a tag"}, {"resource":"Release","code":"custom","message":"Published releases must have a valid tag"} at /opt/homebrew/lib/node_modules/release-please/node_modules/@octokit/request/dist-node/index.js:122:21 ... 7 lines matching cause stack trace ... at async Object.handler (/opt/homebrew/lib/node_modules/release-please/build/src/bin/release-please.js:388:36) { status: 422, body: { message: 'Validation Failed', errors: [ [Object], [Object] ], documentation_url: 'https://docs.github.com/rest/releases/releases#create-a-release' }, name: 'GitHubAPIError', cause: RequestError [HttpError]: Validation Failed: {"resource":"Release","code":"custom","field":"pre_receive","message":"pre_receive protected tag 'v0.0.10' check failed:\n You're not authorized to create a tag"}, {"resource":"Release","code":"custom","message":"Published releases must have a valid tag"} at /opt/homebrew/lib/node_modules/release-please/node_modules/@octokit/request/dist-node/index.js:122:21 at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async /opt/homebrew/lib/node_modules/release-please/build/src/github.js:274:26 at async GitHub.createRelease (/opt/homebrew/lib/node_modules/release-please/build/src/github.js:1219:20) at async Manifest.createRelease (/opt/homebrew/lib/node_modules/release-please/build/src/manifest.js:711:31) at async Manifest.createReleasesForPullRequest (/opt/homebrew/lib/node_modules/release-please/build/src/manifest.js:674:37) at async Promise.all (index 0) at async Manifest.createReleases (/opt/homebrew/lib/node_modules/release-please/build/src/manifest.js:664:30) at async Object.handler (/opt/homebrew/lib/node_modules/release-please/build/src/bin/release-please.js:388:36) { status: 422, response: { url: 
'https://api.github.com/repos/defenseunicorns/delivery-aws-iac/releases', status: 422, headers: [Object], data: [Object] }, request: { method: 'POST', url: 'https://api.github.com/repos/defenseunicorns/delivery-aws-iac/releases', headers: [Object], body: '{"name":"v0.0.10","tag_name":"v0.0.10","body":"## 0.0.10 (2023-09-13)\n\n\n### Miscellaneous Chores\n\n deps: update all dependencies (#315) (ccc71d9)\n deps: update all dependencies (#345) (41e5da0)\n deps: update all dependencies (#349) (6144bf9)\n\n\n### Code Refactoring\n\n removal of kubectl provider (#348) (98ca153)\n\n\n### Continuous Integration\n\n fix some inputs for renovate to monitor properly (#347) (bf60547)\n refactor for shared workflows (#346) (5c4bb84)","draft":false,"prerelease":false,"target_commitish":"156308a88ae4c98ecd5fdcee9204bea6b6a44892"}', request: [Object] } } }
```


And in my [pipeline](https://github.com/defenseunicorns/delivery-aws-iac/actions/runs/6265252134/job/17015033520#step:3:81):

```log
##[debug]=> 'https://api.github.com/graphql'
##[debug]Result: 'https://api.github.com/graphql'
##[debug]Loading env
Run google-github-actions/release-please-action@v3
❯ Fetching release-please-config.json from branch main
❯ Fetching .release-please-manifest.json from branch main
✔ Building releases
✔ Building strategies by path
❯ .: simple
❯ Found pull request #344: 'chore(main): release 0.0.10'
✔ Building release for path: .
❯ type: simple
❯ targetBranch: main
✔ Creating 1 releases for pull #344
Error: release-please failed: Validation Failed: {"resource":"Release","code":"custom","field":"pre_receive","message":"pre_receive protected tag 'v0.0.10' check failed:\n  You're not authorized to create a tag"}, {"resource":"Release","code":"custom","message":"Published releases must have a valid tag"}
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run google-github-actions/release-please-action@v3
```

Also, here's my `release-please-config.json`:

```json
{
  "packages": {
    ".": {
      "bump-minor-pre-major": true,
      "bump-patch-for-minor-pre-major": true,
      "changelog-host": "https://github.com",
      "changelog-path": "CHANGELOG.md",
      "changelog-sections": [
        { "type": "feat", "section": "Features" },
        { "type": "feature", "section": "Features" },
        { "type": "fix", "section": "Bug Fixes" },
        { "type": "perf", "section": "Performance Improvements" },
        { "type": "revert", "section": "Reverts" },
        { "type": "docs", "section": "Documentation" },
        { "type": "style", "section": "Styles" },
        { "type": "chore", "section": "Miscellaneous Chores" },
        { "type": "refactor", "section": "Code Refactoring" },
        { "type": "test", "section": "Tests" },
        { "type": "build", "section": "Build System" },
        { "type": "ci", "section": "Continuous Integration" }
      ],
      "changelog-type": "default",
      "draft": false,
      "draft-pull-request": false,
      "include-component-in-tag": false,
      "include-v-in-tag": true,
      "prerelease": false,
      "pull-request-header": ":robot: I have created a release *beep* *boop*",
      "pull-request-title-pattern": "chore${scope}: release${component} ${version}",
      "release-type": "simple",
      "separate-pull-requests": false,
      "skip-github-release": false,
      "versioning": "default"
    }
  }
}
```

Edit: for now, I turned off Protected Tags to have our app be able to cut releases using release-please.

Thank you!

miguelappleton commented 4 months ago

Any updates on this?