search

jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project
https://github.com/jenkins-infra/helpdesk/issues/new/choose
17 stars 10 forks source link

Cannot release a new plugin with CD even if tokens are created and automatic PR on RPU merged #4248

Closed jonesbusy closed 2 months ago

jonesbusy commented 2 months ago

Service(s)

ci.jenkins.io

Summary

Hi,

This is the failed CD with 403 status code

https://github.com/jenkinsci/commons-math3-api-plugin/actions/runs/10469413524/job/28993165349

org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:3.1.2:deploy (default-deploy) on project commons-math3-api: Failed to deploy artifacts: Could not transfer artifact io.jenkins.plugins:commons-math3-api:pom:3.6.1-4.vdd4613817d74 from/to maven.jenkins-ci.org (https://repo.jenkins-ci.org/releases/): authorization failed for https://repo.jenkins-ci.org/releases/io/jenkins/plugins/commons-math3-api/3.6.1-4.vdd4613817d74/commons-math3-api-3.6.1-4.vdd4613817d74.pom, status: 403 Forbidden

Hosting request: https://github.com/jenkins-infra/repository-permissions-updater/issues/4041 RPU PR: https://github.com/jenkins-infra/repository-permissions-updater/pull/4042

Contains all what's needed

name: "commons-math3-api"
github: &GH "jenkinsci/commons-math3-api-plugin"
paths:
- "io/jenkins/plugins/commons-math3-api"
developers:
- "jonesbusy"
cd:
  enabled: true
issues:
  - github: *GH

The token are created on https://github.com/jenkinsci/commons-math3-api-plugin/settings/secrets/actions

tokens

Is there anything that I'm missing ?

Thanks

Reproduction steps

No response

jonesbusy commented 2 months ago

Still happen this morning when trying to restart the CD job

dduportal commented 2 months ago

I confirm the RPu job works as expected and did update the permissions on Artifactory.

I'm checking 2 different paths:

dduportal commented 2 months ago

Interesting: I can't find a permission set on Artifactory for the plugin, which most probably explains why the HTTP/403 as the token is present and used with success for authentication (otherwise the error would be HTTP/401).

I continue in this direction (as I'm not at ease with this system: need to learn code and logs :) )

dduportal commented 2 months ago

Ping @timja @daniel-beck @MarkEWaite @NotMyFault if this behavior ring a bell, I would benefit from a bit of help as I'm not really at ease with the RPU process when it comes to initializing a repository.

On Artifactory, the group generatedv2-cd-jenkinsci_commons-math3-api-plugin exists but it does not have any permissions associated.

Is the Artifactory permission set created by RPU or is it a manual bootstrap step requiring a human?

dduportal commented 2 months ago

As per https://github.com/jenkins-infra/repository-permissions-updater/blob/d431eb38a6e825d41b767fda5a70b034a9c4ea04/src/main/java/io/jenkins/infra/repository_permissions_updater/launcher/ArtifactoryPermissionsUpdater.java#L46, it should be managed by RPU

timja commented 2 months ago

There is nothing manual here

timja commented 2 months ago

We could revert https://github.com/jenkins-infra/repository-permissions-updater/pull/3938 if there's nothing clear in the logs

dduportal commented 2 months ago

We could revert jenkins-infra/repository-permissions-updater#3938 if there's nothing clear in the logs

I was searching for the RPU log in trusted.ci but it looks like it was already cleaned up by the GC. Good idea: let's revert, et reinsert it to see the result

timja commented 2 months ago

https://github.com/jenkins-infra/repository-permissions-updater/pull/4045

dduportal commented 2 months ago

jenkins-infra/repository-permissions-updater#4045

Triggered the build manually on trusted.ci: let's see

dduportal commented 2 months ago

jenkins-infra/repository-permissions-updater#4045

Triggered the build manually on trusted.ci: let's see

The permission scheme did appear after the build (using the reverted change).

@jonesbusy you should be able to trigger your release, can you confirm if it works or no?

@timja I believe the Groovy script change need to be revisited?

jonesbusy commented 2 months ago

Thanks, all working as expected now : https://github.com/jenkinsci/commons-math3-api-plugin/actions/runs/10488442979/job/29050922506

daniel-beck commented 2 months ago

On Artifactory, the group generatedv2-cd-jenkinsci_commons-math3-api-plugin exists but it does not have any permissions associated.

FWIW this should be apparent in -DdryRun.

TheMeinerLP commented 2 months ago

Hi, I just saw that something was broken by my PR. Is there any way of tracing what exactly was broken using stacktraces or messages?

Please contact me

zbynek commented 1 month ago

@TheMeinerLP are you still interested in rewriting these groovy scripts in Java? I understand GSoC is over, but Hacktoberfest is still in progress :)

In case you're wondering what the errors are, I guess the best would be to run the tool with dryRun as Daniel suggested, and compare the resulting JSONs before/after your changes.

TheMeinerLP commented 4 weeks ago

I am still interested to rewrite it :D

The json looks so far correct some apply logic is not called on the end

daniel-beck commented 2 weeks ago

FTR Artifactory admins (e.g. me) can run the tool with production-like options and then inspect what was sent to Artifactory without affecting actual granted permissions. Probably not a bad idea for the next iteration once the dry run looks good 😃

TheMeinerLP commented 2 weeks ago

No anomalies of this magnitude appeared in the dry run at that time. That was the amazing thing. I will definitely come back to the offer