search

jupyterlab / frontends-team-compass

A repository for team interaction, syncing, and handling meeting notes across the JupyterLab ecosystem.
https://jupyterlab-team-compass.readthedocs.io/en/latest/
BSD 3-Clause "New" or "Revised" License
59 stars 30 forks source link

How to handle the GitHub token for the Jupyter Releaser? #190

Closed jtpio closed 6 months ago

jtpio commented 1 year ago

Problem

Today I hit the following issue when trying to make a new release of JupyterLab: 

+ python -m jupyter_releaser.actions.prep_release
Getting GitHub connection for jupyterlab/jupyterlab
Getting permission level for jtpio
HTTP Error 401: Unauthorized
====Error Body====
{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}

Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/jupyter_releaser/actions/prep_release.py", line 9, in <module>
    setup(False)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/jupyter_releaser/actions/common.py", line 19, in setup
    return prepare_environment(fetch_draft_release=fetch_draft_release)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/jupyter_releaser/util.py", line 615, in prepare_environment
    raise RuntimeError(
RuntimeError: Could not get user permission level, assuming user was not admin!

This prevented me from using the releaser bot for making the release. I don't have access to the bot account or the Jupyter shared 1Password, so it was not possible for me to update the token and resume the release from the repo.

Fortunately it is still possible to use a fork of the releaser to make the release. This worked as a workaround but for transparency and consistency it would be great to always make releases from the JupyterLab repo.

Proposed Solution

There has been some discussion about how to handle the GitHub token in https://github.com/jupyterlab/jupyterlab/pull/14176#issuecomment-1521234022.

It would be good to have some process in place to:

Additional context

This is also documented in https://github.com/jupyterlab/jupyterlab/issues/14431.

Failed releaser run: https://github.com/jupyterlab/jupyterlab/actions/runs/4794399088/jobs/8527738241

cc @jupyterlab/release for awareness

fcollonval commented 1 year ago

Thanks for opening this @jtpio

I think the proposal of Steve to give access to the password vault to SSC members is a good way to smooth the issue.

blink1073 commented 1 year ago

I opened https://github.com/jupyter-server/jupyter_releaser/issues/505 to track a method to avoid using this token altogether.

jtpio commented 1 year ago

@blink1073 @fcollonval looks like I'm getting the same issue again today when trying to make a new JupyterLab release:

https://github.com/jupyterlab/jupyterlab/actions/runs/6485418200/job/17611833242

image

I supposed this is because the ADMIN_GITHUB_TOKEN has expired, as it's been 3 months since it was last updated?

image

jtpio commented 1 year ago

Would generating a fine-grained token with "JupyterLab" as the owner work, instead of generating a token for the bot account? (https://github.com/jupyterlab-bot)

image

jtpio commented 1 year ago

Looks like we would indeed need a new token as per the discussion linked above: https://github.com/jupyterlab/jupyterlab/pull/14176#issuecomment-1521234022

krassowski commented 1 year ago

I'm on it. I see that secretes for jupyterlab_server, lumino, maintainer-tools and pytest-check-links were updated yesterday but jupyterlab seems to have been missed.

I will regenerate the token, and update it in all four repositories after testing that it works with JupyterLab.

blink1073 commented 1 year ago

I updated the other ones yesterday, I missed this one. @krassowski it would be good to see if a fine-grained token works if you want to try that. If not, I'll use the one from the vault.

krassowski commented 1 year ago

Sorry, already regenerated. I see what you mean, will update it. Thanks for all the work in the background on making it a smooth experience!

krassowski commented 10 months ago

@blink1073 it looks like the October token for JupyterLab has expired (I was not able to proceed with release and it was just over 3 months since it was regernerated); were you planning on updating the tokens this week?

blink1073 commented 10 months ago

Sigh, I missed that one, now updated. I'm working on making this self-service, hopefully before the next deadline...

jtpio commented 6 months ago

Looks like we can close this issue, as JupyterLab now uses a GitHub app instead of a release bot.

Information about the GitHub app is located in the Jupyter 1Password. But we don't need to refresh the tokens anymore with this approach.

Thanks @blink1073 for fixing this in https://github.com/jupyter-server/jupyter_releaser/pull/557 !