palantir / policy-bot

A GitHub App that enforces approval policies on pull requests
Apache License 2.0

Trouble loading policy from repo #605

Open yuandrew opened 1 year ago

yuandrew commented 1 year ago

Hi, I'm trying to set up this bot for my repository, but I'm running into auth issues when the bot tries to access the GitHub API. I believe I've set the proper permissions, following the steps in the README. The bot is currently running locally, using ngrok to forward the endpoints to the GitHub bot. I've run out of ideas as to how to further troubleshoot what permissions could be missing. Any advice or help would be greatly appreciated!

```
failed to read file: GET https://api.github.com/repos/{owner}/{repo}/contents/.policy.yml?ref=main: 403 Resource not accessible by integration []
github.com/palantir/go-githubapp/appconfig.getFileContents
	/home/anyuan/policy-bot/vendor/github.com/palantir/go-githubapp/appconfig/appconfig.go:281
github.com/palantir/go-githubapp/appconfig.(*Loader).LoadConfig
	/home/anyuan/policy-bot/vendor/github.com/palantir/go-githubapp/appconfig/appconfig.go:126
github.com/palantir/policy-bot/server/handler.(*ConfigFetcher).ConfigForRepositoryBranch
	/home/anyuan/policy-bot/server/handler/fetcher.go:41
github.com/palantir/policy-bot/server/handler.(*Base).NewEvalContext
	/home/anyuan/policy-bot/server/handler/base.go:81
github.com/palantir/policy-bot/server/handler.(*Base).Evaluate
	/home/anyuan/policy-bot/server/handler/base.go:96
github.com/palantir/policy-bot/server/handler.(*PullRequest).Handle
	/home/anyuan/policy-bot/server/handler/pull_request.go:59
github.com/palantir/go-githubapp/githubapp.Dispatch.Execute
	/home/anyuan/policy-bot/vendor/github.com/palantir/go-githubapp/githubapp/scheduler.go:55
github.com/palantir/go-githubapp/githubapp.(*scheduler).safeExecute
	/home/anyuan/policy-bot/vendor/github.com/palantir/go-githubapp/githubapp/scheduler.go:183
github.com/palantir/go-githubapp/githubapp.QueueAsyncScheduler.func1
	/home/anyuan/policy-bot/vendor/github.com/palantir/go-githubapp/githubapp/scheduler.go:257
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:1598
```

yuandrew commented 1 year ago

Figured out the issue: the repo I'm trying to run the bot on is a private repo.

Is there guidance in the docs for private repositories? Is there a workaround for the bot to support private repos? I see there's a "Private repositories" section in the README table of contents, but the actual section seems to be missing in the README: https://github.com/palantir/policy-bot#private-repositories

bluekeyes commented 1 year ago

Policy Bot should work fine with private repositories. Two things to check:

  1. You've given the app all of the permissions from the README, particularly the "Repository contents" permission
  2. You've installed the application on the repository you are testing with. GitHub apps only have their permissions on repositories where they are installed and by default are not installed on any repositories.

I'll track down what happened to the section in the README. My guess is that it was highlighting a limitation with remote policy files: if your repository references a policy file in another repository, that target repository must be public (but your repository can be private).
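
Both checks in the reply above can be read from GitHub's `GET /repos/{owner}/{repo}/installation` endpoint, called with the app's JWT: it returns 404 when the app is not installed on the repository, and otherwise lists the permissions the installation was granted. The following Go sketch is an added example, not part of the thread or of policy-bot's code; `Diagnose` is a hypothetical helper and the sample responses are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// installation holds the fields used from GitHub's
// GET /repos/{owner}/{repo}/installation response (called with the app's JWT).
type installation struct {
	RepositorySelection string            `json:"repository_selection"`
	Permissions         map[string]string `json:"permissions"`
}

// Diagnose (hypothetical helper) maps that endpoint's status code and body
// to the two causes named in the thread.
func Diagnose(status int, body []byte) string {
	switch status {
	case http.StatusOK:
		// Installed; inspect the granted permissions below.
	case http.StatusNotFound:
		return "app is not installed on this repository"
	case http.StatusUnauthorized:
		return "app JWT rejected; check app ID and private key"
	default:
		return fmt.Sprintf("unexpected status %d", status)
	}
	var inst installation
	if err := json.Unmarshal(body, &inst); err != nil {
		return "unparseable response: " + err.Error()
	}
	// "Repository contents" appears under the "contents" key; read or write
	// access both allow fetching .policy.yml.
	if lvl := inst.Permissions["contents"]; lvl != "read" && lvl != "write" {
		return "installation lacks the Repository contents permission"
	}
	return "ok (" + inst.RepositorySelection + " repositories)"
}

func main() {
	// Constructed sample responses, not captured from a real installation.
	granted := []byte(`{"repository_selection":"selected","permissions":{"contents":"read","metadata":"read","statuses":"write"}}`)
	missing := []byte(`{"repository_selection":"all","permissions":{"metadata":"read","pull_requests":"read"}}`)
	fmt.Println(Diagnose(200, granted))
	fmt.Println(Diagnose(200, missing))
	fmt.Println(Diagnose(404, []byte(`{"message":"Not Found"}`)))
}
```

The permissions shown are those of the installation, so a permission added to the app after it was installed appears here only once the installation owner has accepted the change.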