Private repos require you to set process.env.GH_ADMIN_TOKEN to fetch the latest SHA

[lucasgonze]

Hellos @mheap. Thanks for this excellent tool.

I am running it against build files in a public repo and getting an unexpected error:

Unable to find SHA for actions/checkout@v2
Private repos require you to set process.env.GH_ADMIN_TOKEN to fetch the latest SHA

These are the specific actions triggering the issue:

Unable to find SHA for actions/checkout@v2
Unable to find SHA for actions/github-script@v3
Unable to find SHA for actions/github-script@v3.1.0
Unable to find SHA for dorny/paths-filter@v2
Unable to find SHA for hmarr/debug-action@v2

My understanding is that these are not private repos and shouldn't require a token. uses: actions/checkout@main is an example in your own home page.

I can work around the issue for now, but it does complicate my team's usage of the tool so it's worth asking about.

[mheap]

Hey @lucasgonze! Thanks for the report. I've just run a test locally with actions/checkout@v2 and it seems to have worked fine.

Could you clone the repo, uncomment lines 41 and 55 in findRefOnGithub.js and run ./bin.js /path/to/workflow.yml?

(As an aside, I need to add an easier way to get debug logs)

[lucasgonze]

Done. sample.txt shows a complete log of one failed request matching the above pattern. I think the key is this bit:

RequestError [HttpError]: API rate limit exceeded for 50.242.118.169. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)

[mheap]

Yep! That'd do it. I'll add some additional handling that makes it clearer what's going on when you get rate limited.

In this case, you'll need to configure the GitHub token to increase your rate limit

[lucasgonze]

That makes total sense. I agree that a better error message would get the job done.

[mheap]

v1.6.0 just went out with a fix for the error message and better logging. Thanks for the report

[lucasgonze]

🙏 LGTM