Open RmStorm opened 5 years ago
I think there is some room for improvement here but maybe I should just get better at understanding error messages. Feel free to close this issue if you think the error handling is currently adequate.
I just went down this rabbit hole, thought the repository has changed
error was related to lint-staged..
I just hadn't granted enough permissions for renovate to create a new branch on the repo.
I think this can be summarized as: if Renovate lacks sufficient privilege to write to the repo, we should report that as the error instead of "repository changed".
Next step is to work out how we can detect this. In @RmStorm's case the error is quite perplexing: remote: Repository not found
does not sound like your typical "you can read but not write" error. @elwynelwyn what stack trace were you getting?
So I'm running Renovate via this AzureDevOps task: https://marketplace.visualstudio.com/items?itemName=jyc.vsts-extensions-renovate-me
These are all the logs I'm able to see (I think?):
home/vsts/.yarn/bin/renovate MyOrg/MyRepo --platform azure --endpoint https://myorg.visualstudio.com/ --token ***
INFO: Using default gitAuthor: Renovate Bot <bot@renovateapp.com>
INFO: Renovating repository (repository=MyOrg/MyRepo)
INFO: Initialising git repository into /tmp/renovate/repos/azure/MyOrg/MyRepo (repository=MyOrg/MyRepo)
INFO: git clone completed (repository=MyOrg/MyRepo)
"cloneSeconds": 1.4
INFO: Setting git author (repository=MyOrg/MyRepo)
"gitAuthor": {"name": "Renovate Bot", "email": "bot@renovateapp.com"}
INFO: Repo is not onboarded (repository=MyOrg/MyRepo)
INFO: Found npm package files (repository=MyOrg/MyRepo)
INFO: Found nuget package files (repository=MyOrg/MyRepo)
INFO: Need to create onboarding PR (repository=MyOrg/MyRepo)
INFO: Creating onboarding branch (repository=MyOrg/MyRepo)
INFO: Repository has changed during renovation - aborting (repository=MyOrg/MyRepo)
INFO: Finished repository (repository=MyOrg/MyRepo)
Can you set LOG_LEVEL=debug in env?
See attached
2019-09-02T23:16:17.2797928Z DEBUG: 2 file(s) to commit (repository=MyOrg/MyRepo, dependencies=@types/node, branch=renovate/npm/node-12.x)
2019-09-02T23:16:17.2799568Z DEBUG: Committing files to branch renovate/npm/node-12.x (repository=MyOrg/MyRepo, dependencies=@types/node, branch=renovate/npm/node-12.x)
2019-09-02T23:16:17.8553423Z DEBUG: Error commiting files (repository=MyOrg/MyRepo, dependencies=@types/node, branch=renovate/npm/node-12.x)
2019-09-02T23:16:17.8554285Z "err": {
2019-09-02T23:16:17.8555196Z "message": "To https://**redacted**@myorg.visualstudio.com/MyOrg/_git/MyRepo'\n",
2019-09-02T23:16:17.8555937Z "stack": "Error: To https://**redacted**@myorg.visualstudio.com/MyOrg/_git/MyRepo'\n\n at /home/vsts/.config/yarn/global/node_modules/simple-git/promise.js:62:29\n at Git.<anonymous> (/home/vsts/.config/yarn/global/node_modules/simple-git/src/git.js:954:21)\n at Function.Git.fail (/home/vsts/.config/yarn/global/node_modules/simple-git/src/git.js:1488:18)\n at fail (/home/vsts/.config/yarn/global/node_modules/simple-git/src/git.js:1446:20)\n at /home/vsts/.config/yarn/global/node_modules/simple-git/src/git.js:1455:16\n at process._tickCallback (internal/process/next_tick.js:68:7)"
2019-09-02T23:16:17.8556036Z }
The git
layer can only really test write access by attempting to push a commit to the server. Unfortunately in the above the message is not clearly a permissions one, so the best we could do is a message like "Are you sure you have write permissions?".
Perhaps the better solution is to test write permissions during initRepo
(which would vary per-platform).
Are you sure you have write permissions?
That would have helped me out a lot! Even surfacing the Error commiting files
message would be useful.
Summary of action to take:
initRepo
that detects if the current token has write permissions. Error/abort if notThinking of breaking this issue into multiple PR. Possible solutions for GitHub:
Adding a check here if permission.push
is false by checking this object
"permissions": {
"admin": false,
"push": false,
"pull": true
}
@souravdasslg beware that GitHub had and probably still has a bug where apps (eg the gusted WhiteSource Renovate) report no push permissions even though they have them. Ie this feature was not reliable when I attempted to use it last year.
I ran into this error using the Github App, but in my case it was because I had previously created a branch in my repo called renovate
.
It seems that GitHub won't allow namespaced branches like renovate/package-name1.x
to be created when a branch with the namespace name (ie renovate
) already exists.
Deleting the renovate
branch resolved it for me. Hope that helps someone.
@rarkins I will take this one
Is it the same as #9593 ?
Is it the same as #9593 ?
Seems so to me. 🤷♂️
There's also an additional issue saying that a token shouldn't be necessary for a dry run. Can you combine it?
@rarkins do you mean for Azure platform?
No, on general. Renovate quits of no token is specified but when doing a dry run that shouldn't be necessary
@rarkins that is what I found for github https://docs.github.com/en/rest/reference/repos#collaborators, I don't see way to check write permissions without token. Correct me, if I am wrong.
That's correct. You can't write without a token. But I think you are misunderstanding.
Ah, now I got it. But it looks like separate issue, because it throws an error without token even in dry-run
mode for now.
It's separate but likely requires common code changes
BTW GitHub app tokens can't detect their write permissions so this also needs to somehow be disabled in such cases
So, I am going to solve this issue in the next way:
hasWritePermissions(params: PlatformParams): Promise<boolean>;
method to each platformhasWritePermissions
method inside initPlatform
PlatformParams
interface by dryRun
propertydryRun
equals true
hasWritePermissions
will return true without checking existing token
, otherwise will check token
and make api call specific for each platformI'm not sure it makes sense at a platform level because write permissions are generally going to be per-repo. I think better to do the logic in initRepo() instead, if dryRun===false
Yeah, make sense, but the issue, that initPlatform
step throw an error even in dryMode when we don't provide token
. Should I move this validation logic from initPlatform
to initRepo
?
I don't think that's a good idea because it could throw 100s of errors instead of one? Better that dryRun is passed to initPlatform
perhaps?
I just found that GitHub's GraphQL requires authentication to run at all, so "no token if in dry run mode" seems not possible for GitHub. I have marked the previous conversation as Hidden-Resolved.
What would you like Renovate to be able to do? Improved error handling/messaging on branch/PR creation.
Describe the solution you'd like I would like these two lines to give a better description of what is going wrong when something goes wrong.
repository-changed
is not so clear especially when the issue is actually a permission issue and the repository didn't change at all. https://github.com/renovatebot/renovate/blob/0f19abd3443e3732ee02fa1659589b77660ce609/lib/platform/git/storage.ts#L429-L430 I'm not sure what would be a better way to do this. Maybe the functioncommitFilesToBranch
can just have one or two extra debugging statements? Or it can throw a different error thanrepository-changed
, something likecommit-to-branch-failed
.Describe alternatives you've considered Make this PR to simple-git and ask them to throw a clearer error.
Additional context I setup a self hosted version of renovatebot by following the instructions here. Because I wanted to be careful with permissions I gave the bot read access to the repositories and thought would be enough. I though so because the read only permissions explicitly includes the ability to make PR's.
However since renovatebot does not only make PR's but also the branches from which to make the PR's it obviously requires write access. So that was a silly mistake.
The consequence from the mistake was quite confusing. Instead of some clear error I got:
INFO: Repository has changed during renovation - aborting
Than I enabled debuging and I got an error from simple-git:Apparently
Git.<anonymous>
was causing my problem. That didn't help a lot.I think it would also be nice to clarify in the self-hosting readme that the user account needs write access.
Another solution would be to have the branches created on a forked repository stored in the user account used by renovatebot. However that is a large architectural change to renovatebot which I don't think will be remotely feasible.