search

googleapis / repo-automation-bots

A collection of bots, based on probot, for performing common maintenance tasks across the open-source repos managed by Google on GitHub.
Apache License 2.0
628 stars 128 forks source link

Could owlbot re-request authentication for long-running post-processor changes? #5046

Open sofisl opened 1 year ago

sofisl commented 1 year ago

See: https://github.com/googleapis/google-cloud-node/pull/4205/checks?check_run_id=13174523254

If/when the post-processor takes ~2hrs to complete, the JWT it uses expires and it doesn't have the necessary credentials to commit back the changes. From what I recall, the JWT only lasts for 10 minutes.

RequestError [HttpError]: Bad credentials
    at /usr/src/app/node_modules/@octokit/request/dist-node/index.js:88:21
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async commitPostProcessorUpdate (/usr/src/app/build/src/bin/commands/commit-post-processor-update.js:119:30) {
  status: 401,
  response: {
    url: 'https://api.github.com/repos/googleapis/google-cloud-node/pulls/4205',
    status: 401,
    headers: {
 ....
  }

Could we extend the JWT, or retry authentication if it gets this response?

https://pantheon.corp.google.com/cloud-build/builds;region=global/d8adf3d8-08d4-4413-ba19-f5af1152c48b;step=9?project=repo-automation-bots

SurferJeffAtGoogle commented 1 year ago

The github token is passed into the cloud build trigger. @bcoe, where does that github token come from?

sofisl commented 1 year ago

I thought it was done here, although I may be wrong.

SurferJeffAtGoogle commented 1 year ago

I thought it was done here, although I may be wrong.

See https://github.com/googleapis/repo-automation-bots/blob/ab276e30017b0cf8a1f67e2fb5fea7f6ab3c46d0/packages/owl-bot/cloud-build/update-pr.yaml

The token gets passed in.

Changing this will require some redesign.

SurferJeffAtGoogle commented 1 year ago

I described the issue in detail in go/chicken-timer. I'll book a meeting to discuss next week.