Transifex push is failing in `files_antivirus` and `files_paperhive` app

[SagarGi]

Description

https://drone.owncloud.com/owncloud/translation-sync/3217/12/12 https://drone.owncloud.com/owncloud/translation-sync/3217/16/12

latest: Pulling from plugins/git-action
Digest: sha256:c6d438ccc784399e724a25a1a42c8bc263fce8d63b1c8a13db43fdaa7cea1b13
Status: Image is up to date for plugins/git-action:latest
+ git push origin master:master
Warning: Permanently added 'github.com' (ED25519) to the list of known hosts.
remote: error: GH006: Protected branch update failed for refs/heads/master.        
remote: error: Changes must be made through a pull request. 2 of 2 required status checks are expected.        
To github.com:owncloud/files_antivirus.git
 ! [remote rejected] master -> master (protected branch hook declined)
error: failed to push some refs to 'github.com:owncloud/files_antivirus.git'
exit status 1

Seems to be failing because the branch are protected. May be some secrets issue.

[SagarGi]

hi @xoxys, can you have a look into it.

[saw-jan]

Now failing with more repos: core, external, files_primary_s3, firstrunwizard https://drone.owncloud.com/owncloud/translation-sync/3239/1/12

[phil-davis]

core might just be a timing thing - it looks like there was a merge to core at about the same time as transkation-sync was trying to pull and push.

[phil-davis]

@xoxys ping ^

[DeepDiver1975]

From what I can tell all repos are failing where changes need to be pushed.

As a result the whole setup is broken?

I see secrets for github_user and github_token disabled in the drone settings. Related? 🤷

[DeepDiver1975]

Ah. File picker works ....

[phil-davis]

I think that access for some GitHub group/user is required, and @xoxys sorts that out as we find repos with the access missing. I forget the detail now, but I don't have privs to make the changes anyway. I would have to dig around in old issues to find the explanation and solution.

It would be useful if the solution is applied to all the oC10 app repos. Having a new one fail every few weeks is annoying.

[DeepDiver1975]

Ci team needs admin rights on each repo. Will take care ....

[xoxys]

Ci team needs admin rights on each repo. Will take care ....

Why have we spent years to harden settings across systems? No, it needs write access... Adding admin rights again everywhere is not the solution, but I'll leave this up to you.

The error messages in the CI logs are pretty clear.

core

error: failed to push some refs to 'github.com:owncloud/core.git'
hint: Updates were rejected because the remote contains work that you do
hint: not have locally. This is usually caused by another repository pushing
hint: to the same ref.

Solution: As you have mentioned already, that's a timing issue. If another PR got merged in the meantime, the translation-sync PR needs rebasing first. Can be done manually or will happen automatically on the next CI run.

files_paperhive

remote: error: GH006: Protected branch update failed for refs/heads/master.        
remote: error: Required status check "continuous-integration/drone/pr" is expected.        
To github.com:owncloud/files_paperhive.git
 ! [remote rejected] master -> master (protected branch hook declined)

Solution: Move "Required status check" from Branchers -> Branch Proptection Rules to Rules -> Rulesets and exclude the ci team. You can find a full example at https://github.com/owncloud/brute_force_protection/settings/rules/128355

files_primary_s3

Warning: Permanently added 'github.com' (ED25519) to the list of known hosts.
remote: error: GH006: Protected branch update failed for refs/heads/master.        
remote: error: Changes must be made through a pull request. 2 of 2 required status checks are expected.        

Solution: Edit the Branch Proptection Rules and enable Allow specified actors to bypass required pull requests for the ci team.

It would be useful if the solution is applied to all the oC10 app repos. Having a new one fail every few weeks is annoying.

Feel free to check all 243 repos, as I have not found a good way to automate it I've done this by hand at the time errors occurs.

[phil-davis]

Note: I can't view https://github.com/owncloud/brute_force_protection/settings That's fine. It's not appropriate for me to have the access to view or change repo settings.

[DeepDiver1975]

Solution: Edit the Branch Proptection Rules and enable Allow specified actors to bypass required pull requests for the ci team.

did that on the first time of course - me not being stupid ... simply does not work :shrug:

on working repos ci team has admin rights :shrug:

[xoxys]

Successful TX push on calendar without admin rights...

https://github.com/owncloud/calendar/commit/e495e82a0a030fefdcd30c5c48945b4ea470d4a7

I have fixed this on a lot of repos and never set admin rights. Whoever did that has done it wrong. The admin rights were removed globally, adding them per repo again is the opposite of what was intended to be achieved.

[DeepDiver1975]

just moved the rights back to write. let's see how this all moves ahead ...

all tx sync green again - let's close this for now.

@phil-davis @SagarGi feel free to reopen ...