Closed lldelisle closed 10 months ago
Where was your GH token used in this case? I think I'm missing something.
Here:
The PAT secret is my GH token
(We did this with @bgruening because his was not working because he used a Fine-grained token and we think it is what make it failed).
I can create a new token and replace yours, and see if that works?
This would be great.
I've overhauled and merged the GitHub workflows into one in https://github.com/planemo-autoupdate/autoupdate/pull/26 , securing a bit more the use of the PAT.
Update: #26 was merged, but there are a couple of issues that I have discovered:
I will now explore this possible solution: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
I will now explore this possible solution: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
Turns out this doesn't help since the generated token is a fine-grained one, which (as mentioned above) cannot be used to open pull requests to repositories not owned by planemo-autoupdate.
So, I think the best solution would be to turn this into a workflow that can be added to the various tool/workflow repositories, where the owner PAT can be used without issues. Alternatively, we keep this as it is but we need to use a classic PAT of a user that have write access to all the tool/workflow repos (only @bgruening ?) and is OK with getting spammed with notifications from all PRs...
Any other suggestion welcome!
Do we need to set a single PAT? Maybe it would be better to update the workflows to add a PAT for each repo, then I could add my PAT for the repo I have write access to and someone else could complement. What do you think?
It seems to be working with my PAT (apart from iwc, not sure what's going on there), but I'd like to use a bot account instead since I get spammed with all PR comments and test failures. @bernt-matthias Do you have the credentials for the https://github.com/gxydevbot bot account? Could we use its PAT for this?
Thanks for taking care. I do not have credentials.
I've updated the repo secrets with a gxydevbot PAT, @dannon has the 2FA setup for that account should we need it in the future.
@mvdbeek Does the gxydevbot PAT have an expiration date? We are getting a strange "Bad credentials" message when checking out repos using the token: https://github.com/planemo-autoupdate/autoupdate/actions/runs/8503681208/job/23357968777#step:3:61
Hi, I am not part of tools-iuc so I cannot update pull-requests already existing. See https://github.com/planemo-autoupdate/autoupdate/actions/runs/6528864044/job/17725669903#step:6:905
2 solutions: