opensafely-core / research-template-docker

This provides the devcontainer Docker image used by repos created from the OpenSAFELY research template.

Stata actions don't work unless license key in env var #27

Closed Jongmassey closed 1 month ago

Jongmassey commented 1 month ago

User reports error when running stata actions

I can replicate with the same repo and the clean_covid_matching_2017 action.

If I set the stata license env var per the docs this action runs correctly to completion.

This function seemingly pulls in the Stata licence file. It first tries a clone using the HTTP address for the repo, then if that fails then it tries ssh.

A git clone using HTTP:

```
git clone https://github.com/opensafely/server-instructions.git
Cloning into 'server-instructions'...
remote: Write access to repository not granted.
fatal: unable to access 'https://github.com/opensafely/server-instructions.git/': The requested URL returned error: 403
```

Using ssh initially fails as there's no ssh client installed. apt installing one then running git clone with the ssh address gives:

```
git clone git@github.com:opensafely/server-instructions.git
Cloning into 'server-instructions'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

I'm not particularly au fait with this process and how the authentication works for this.

As for within the codespace, the git credential.helper setting is set to /.codespaces/bin/gitcredential_github.sh which contains:

```
#!/bin/sh
echo protocol=https
echo host=github.com
echo path=
echo username=PersonalAccessToken
echo password=$GITHUB_TOKEN
```

$GITHUB_TOKEN is populated with a value, but I don't know what github user it corresponds to. There's clearly some magic behind the scenes here that I don't yet understand.

Jongmassey commented 1 month ago

It could be that that PAT is a fine-grained PAT with permissions only to the repo in which the codespace is created.

Jongmassey commented 1 month ago

via @bloodearnest https://docs.github.com/en/codespaces/managing-your-codespaces/managing-repository-access-for-your-codespaces#authorizing-requested-permissions

It seems we need to add https://github.com/opensafely/server-instructions to the right bit of the devcontainer.json and the autogenerated PAT will have the read permissions required to clone the repo and thereby get the license key.
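
The devcontainer.json setting described in the linked GitHub documentation, as an added example that is not part of the original thread or the project's own configuration. It assumes that read access to repository contents is all the clone needs, and it omits every other devcontainer setting.

```jsonc
{
  // Fragment only: merge into the existing devcontainer.json.
  "customizations": {
    "codespaces": {
      "repositories": {
        // Extra repository the codespace token may access (owner/name form).
        "opensafely/server-instructions": {
          "permissions": {
            // Assumption: "read" on contents is sufficient for git clone over HTTPS.
            // Request nothing broader, so the token stays least-privilege.
            "contents": "read"
          }
        }
      }
    }
  }
}
```

The person creating the codespace is asked to authorize the requested permission, and must themselves have read access to the listed repository for the grant to take effect.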