planemo-autoupdate / autoupdate


Issue updating tools-iuc with my GH token #25

Closed lldelisle closed 10 months ago

lldelisle commented 11 months ago

Hi, I am not part of tools-iuc so I cannot update already existing pull requests. See https://github.com/planemo-autoupdate/autoupdate/actions/runs/6528864044/job/17725669903#step:6:905

2 solutions:

nsoranzo commented 11 months ago

Where was your GH token used in this case? I think I'm missing something.

lldelisle commented 11 months ago

Here: image

lldelisle commented 11 months ago

The PAT secret is my GH token

lldelisle commented 11 months ago

(We did this with @bgruening because his was not working because he used a fine-grained token and we think that is what made it fail).

nsoranzo commented 11 months ago

I can create a new token and replace yours, and see if that works?

lldelisle commented 11 months ago

This would be great.

nsoranzo commented 10 months ago

I've overhauled and merged the GitHub workflows into one in https://github.com/planemo-autoupdate/autoupdate/pull/26, securing the use of the PAT a bit more.

nsoranzo commented 10 months ago

Update: #26 was merged, but there are a couple of issues that I have discovered:

I will now explore this possible solution: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow

nsoranzo commented 10 months ago

> I will now explore this possible solution: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow

Turns out this doesn't help since the generated token is a fine-grained one, which (as mentioned above) cannot be used to open pull requests to repositories not owned by planemo-autoupdate.

So, I think the best solution would be to turn this into a workflow that can be added to the various tool/workflow repositories, where the owner PAT can be used without issues. Alternatively, we keep this as it is but we need to use a classic PAT of a user that has write access to all the tool/workflow repos (only @bgruening?) and is OK with getting spammed with notifications from all PRs...

Any other suggestion welcome!

lldelisle commented 10 months ago

Do we need to set a single PAT? Maybe it would be better to update the workflows to add a PAT for each repo, then I could add my PAT for the repo I have write access to and someone else could complement. What do you think?

nsoranzo commented 10 months ago

It seems to be working with my PAT (apart from iwc, not sure what's going on there), but I'd like to use a bot account instead since I get spammed with all PR comments and test failures. @bernt-matthias Do you have the credentials for the https://github.com/gxydevbot bot account? Could we use its PAT for this?

bernt-matthias commented 10 months ago

Thanks for taking care. I do not have credentials.

mvdbeek commented 10 months ago

I've updated the repo secrets with a gxydevbot PAT, @dannon has the 2FA setup for that account should we need it in the future.

nsoranzo commented 5 months ago

@mvdbeek Does the gxydevbot PAT have an expiration date? We are getting a strange "Bad credentials" message when checking out repos using the token: https://github.com/planemo-autoupdate/autoupdate/actions/runs/8503681208/job/23357968777#step:3:61
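
Added example, not part of the thread or of the autoupdate project's code: a pre-flight check a workflow could run on its token before any checkout, covering the two failure modes discussed above (a fine-grained token that cannot open pull requests in other owners' repositories, and a token that has expired). The function names, the 14-day warning window and the accepted formats of the `GitHub-Authentication-Token-Expiration` header value are assumptions; the sample tokens are constructed.

```python
from datetime import datetime, timezone

# GitHub's published token prefixes and the kind of credential each marks.
PREFIXES = {
    "github_pat_": "fine-grained PAT",
    "ghp_": "classic PAT",
    "ghs_": "app installation token",
    "gho_": "OAuth token",
}
EXPIRY_HEADER = "github-authentication-token-expiration"


def token_kind(token):
    """Classify a token by prefix without sending it anywhere."""
    return next((k for p, k in PREFIXES.items() if token.startswith(p)), "unknown")


def days_left(headers, now):
    """Whole days until expiry per the response header, or None if not reported."""
    raw = {k.lower(): v for k, v in headers.items()}.get(EXPIRY_HEADER)
    if raw is None:
        return None
    # Assumed value formats: "2024-04-10 00:00:00 UTC" or "2024-04-10 02:00:00 +0200".
    if raw.endswith(" UTC"):
        expiry = datetime.strptime(raw[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    else:
        expiry = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S %z")
    return (expiry - now).days


def diagnose(token, status, headers, now, warn_days=14):
    """Findings for one API response (status code and headers) obtained with `token`."""
    findings = []
    kind = token_kind(token)
    if status == 401:
        findings.append("rejected: token expired, revoked or wrong secret value")
    if kind in ("fine-grained PAT", "app installation token"):
        # Limitation as reported in this thread, not re-verified here.
        findings.append(f"{kind}: cannot open PRs in repositories of other owners")
    left = days_left(headers, now)
    if left is not None and left < 0:
        findings.append("token expiry date has passed")
    elif left is not None and left <= warn_days:
        findings.append(f"expires in {left} day(s)")
    return findings
```

In a workflow, `status` and `headers` would come from a single authenticated request to `https://api.github.com/user`, and the step would fail when `diagnose` returns any finding.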