openedx / openedx-atlas

An Open edX CLI tool for moving translation files from openedx-translations
GNU Affero General Public License v3.0

openedx `SEMANTIC_RELEASE_GITHUB_TOKEN` secret lacks permissions to publish a release on GitHub #33

Open OmarIthawi opened 1 year ago

OmarIthawi commented 1 year ago

Description

This repo uses the release.yml GitHub workflow, which runs the semantic-release npm package to publish GitHub releases and upload the atlas binary to them.

The npx semantic-release fails on this repo when the secrets.SEMANTIC_RELEASE_GITHUB_TOKEN is being used, and the GitHub API returns a 404 error, which is sometimes another way to say permission error.

Here's the failed job attempt with a 404 error: https://github.com/openedx/openedx-atlas/actions/runs/5786749334/attempts/1

```
RequestError [HttpError]: Not Found
    at /home/runner/.npm/_npx/d32d92066bae6c10/node_modules/@octokit/request/dist-node/index.js:112:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async requestWithGraphqlErrorHandling (/home/runner/.npm/_npx/d32d92066bae6c10/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)
    at async Job.doExecute (/home/runner/.npm/_npx/d32d92066bae6c10/node_modules/bottleneck/light.js:405:18) {
  status: 404,
  response: {
    url: 'https://api.github.com/repos/openedx/openedx-atlas/releases',
    status: 404,
```

Current workaround

Because this affects the wider @openedx GitHub repository, @brian-smith-tcril and I chose not to edit the SEMANTIC_RELEASE_GITHUB_TOKEN.

We opted to use the github.token on the release.yml workflow instead. However, the github.token could be a bit less secure since it grants wider permissions, as far as I know.

The release process now works well and uploads the binary successfully: https://github.com/openedx/openedx-atlas/releases/tag/v0.2.0

The updated workflow looks like the following:

https://github.com/openedx/openedx-atlas/blob/18eb0cc995c4059f704eb0cf2b61fa6ca15f345c/.github/workflows/release.yml#L16-L18

Suggested fix

Update the @openedx organization-wide secret to include permissions to manage the releases, upload artifacts, etc. -- I don't really know how to fix it because I don't have access to see what's in the SEMANTIC_RELEASE_GITHUB_TOKEN permissions list.
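As an added illustration, not the project's own release.yml, this is how a workflow that falls back to github.token can keep that token least-privileged: the `permissions` block restricts the automatic GITHUB_TOKEN to what creating a release and uploading an asset needs, so the "wider permissions" concern above is narrowed to `contents: write`. The job name, branch, build step and setup actions are assumptions; the semantic-release config that lists the binary as a release asset is assumed to live in the project's own configuration.

```yaml
name: Release

on:
  push:
    branches: [main]   # assumed release branch

jobs:
  release:
    runs-on: ubuntu-latest
    # Least-privilege scope for the automatic GITHUB_TOKEN (github.token).
    # Creating a GitHub release and uploading its assets needs `contents: write`;
    # every permission not listed here is denied for this job.
    permissions:
      contents: write
      # Only needed if @semantic-release/github is configured to comment on
      # the issues/PRs included in a release (successComment/failComment).
      # issues: write
      # pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # semantic-release needs the full tag/commit history
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Build step is assumed; replace with the project's own way of producing the atlas binary.
      - run: make build
      - name: Publish release
        env:
          # github.token is exposed as GITHUB_TOKEN, the variable semantic-release reads.
          GITHUB_TOKEN: ${{ github.token }}
        run: npx semantic-release
```

If the release step still returns a 404 with this scope, the missing permission is on the token side rather than in the repository's own workflow, which is the situation the issue describes for the organization-wide secret.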