runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

Unable to update status at url via Github App #3285

Open pomcho555 opened 1 year ago

pomcho555 commented 1 year ago


Overview of the Issue

I set up an Atlantis bot with a GitHub App. The bot comments on my PR, but it can't update commit statuses. I allowed the necessary permissions defined in the documentation. I think that's enough to update statuses.

Am I missing something?

Reproduction Steps

I deployed Atlantis via the official Fargate module:

```hcl
module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "~> 3.0"

  name = "atlantis"

  # VPC
  cidr            = "10.20.0.0/16"
  azs             = ["us-west-2a", "us-west-2b", "us-west-2c"]
  private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"]
  public_subnets  = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"]

  # DNS (without trailing dot)
  route53_zone_name = "atlantis.example.com"

  # Atlantis
  atlantis_github_app_id  = "xxxxxx"
  atlantis_github_app_key = data.local_file.secret_key.content
  atlantis_repo_allowlist = ["github.com/omajinaiHouse/*"]

  atlantis_github_webhook_secret = "xxxxxxx"
}
```

Added permissions for my GitHub App

Logs

```json
{
  "level": "error",
  "ts": "2023-03-31T05:26:24.851Z",
  "caller": "vcs/instrumented_client.go:210",
  "msg": "Unable to update status at url: , error: POST https://api.github.com/repos/omajinaiHouse/test-atlantis/statuses/xxxxxxxxx: 403 Resource not accessible by integration []",
  "json": {
    "repository": "omajinaiHouse/test-atlantis",
    "pull-num": "1"
  }
}
```

Environment details

As I mentioned above, I used default configuration in the module.

Additional Context

I also have the same issue when rolling my own setup using EC2 and systemd. I think this issue isn't inside the Terraform module.

Furthermore, I made a test bench for the investigation as a public repository; you can see the actual behavior of the bot by browsing the PR.

https://github.com/omajinaiHouse/test-atlantis/pull/1

ovceev commented 1 year ago

I have the same situation.

I noticed that when Atlantis tries to update statuses, it hits https://api.github.com/repos/org/repo/statuses/master. I assume it wants to update commit statuses here, so it has read/write permissions on it, but I'm still getting 403 Resource not accessible by integration, which does not sound like a lack of permissions.

The GitHub API docs say that /repos/{owner}/{repo}/statuses/{sha} is the endpoint for updating statuses, but Atlantis is trying to hit /repos/{owner}/{repo}/statuses/{branch}. Maybe that's the root cause of this?

I opened a thread in the community about this issue, JFYI.

nitrocode commented 1 year ago

This is where the GitHub function updates the status, using pull.HeadCommit as the ref.

https://github.com/runatlantis/atlantis/blob/67686e71a242837716fe62150b1ce605648e11fb/server/events/vcs/github_client.go#L556-L575

Here is the client.Repositories.CreateStatus function header in the upstream library:

https://github.com/google/go-github/blob/c96ba417f7b022bee92bc04d831e89fd9fc70edc/github/repos_statuses.go#L74-L88

If we need to use the branch:

https://github.com/runatlantis/atlantis/blob/67686e71a242837716fe62150b1ce605648e11fb/server/events/models/models.go#L155-L168

We can use pull.HeadBranch instead. Perhaps we need logic to check whether it's a non-GitHub-App setup and use HeadCommit, and use HeadBranch when it's the GitHub App? Or perhaps the latter works for both?

It would be ideal to have a pull request with adequate unit tests and validation from the author (and/or others) who have checked both scenarios with an end-to-end test.
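As an added example (not Atlantis code, and not written by any participant in this thread), the Go program below separates the two questions the comments above raise: which ref belongs in `POST /repos/{owner}/{repo}/statuses/{sha}`, and how a `403 Resource not accessible by integration` from a GitHub App installation token should be read. The GitHub endpoint path is real; the fake server, the token names, the 422 behaviour for a non-SHA ref and the classification of the 403 as a missing installation permission are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// shaRe matches a full 40-hex commit SHA, which is what {sha} in
// POST /repos/{owner}/{repo}/statuses/{sha} refers to.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// StatusRef returns the ref to use for a commit status: the pull request's
// head commit SHA. A branch name such as "master" is rejected rather than
// substituted, because this endpoint is keyed by commit, not by branch.
func StatusRef(headCommit, headBranch string) (string, error) {
	sha := strings.ToLower(strings.TrimSpace(headCommit))
	if shaRe.MatchString(sha) {
		return sha, nil
	}
	return "", fmt.Errorf("head commit %q is not a 40-hex SHA; branch %q is not a valid statuses ref either", headCommit, headBranch)
}

// ErrIntegrationForbidden is the reading this example gives to a 403 carrying
// "Resource not accessible by integration": the installation token did
// authenticate, so the call is missing a permission on the App installation.
// This is an assumption drawn from the outcome of the thread, not a GitHub statement.
var ErrIntegrationForbidden = errors.New("403 Resource not accessible by integration: the App installation lacks a permission this call needs")

// CreateStatus posts a commit status with an installation token and classifies
// the response. apiBase is "https://api.github.com" in production and the
// fake server's URL in the demo below.
func CreateStatus(apiBase, token, owner, repo, ref, state, contextName string) error {
	payload, err := json.Marshal(map[string]string{"state": state, "context": contextName})
	if err != nil {
		return err
	}
	url := fmt.Sprintf("%s/repos/%s/%s/statuses/%s", apiBase, owner, repo, ref)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(payload))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	switch {
	case resp.StatusCode == http.StatusCreated:
		return nil
	case resp.StatusCode == http.StatusForbidden &&
		strings.Contains(string(body), "Resource not accessible by integration"):
		return ErrIntegrationForbidden
	default:
		return fmt.Errorf("POST %s: %s: %s", url, resp.Status, strings.TrimSpace(string(body)))
	}
}

// NewFakeGitHub is a constructed stand-in for api.github.com so the example
// runs offline. Only the token "permitted-token" is treated as carrying the
// statuses permission; any other token gets the 403 seen in the issue, and a
// non-SHA ref gets a 422. These rules are the example's, not GitHub's.
func NewFakeGitHub() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // repos/{owner}/{repo}/statuses/{ref}
		if r.Method != http.MethodPost || len(parts) != 5 || parts[0] != "repos" || parts[3] != "statuses" {
			http.Error(w, `{"message":"Not Found"}`, http.StatusNotFound)
			return
		}
		if r.Header.Get("Authorization") != "Bearer permitted-token" {
			http.Error(w, `{"message":"Resource not accessible by integration"}`, http.StatusForbidden)
			return
		}
		if !shaRe.MatchString(parts[4]) {
			http.Error(w, `{"message":"No commit found for SHA: `+parts[4]+`"}`, http.StatusUnprocessableEntity)
			return
		}
		w.WriteHeader(http.StatusCreated)
		io.WriteString(w, `{"state":"pending"}`)
	}))
}

func main() {
	srv := NewFakeGitHub()
	defer srv.Close()
	sha := strings.Repeat("ab", 20) // constructed head commit SHA
	for _, token := range []string{"permitted-token", "status-only-token"} {
		err := CreateStatus(srv.URL, token, "omajinaiHouse", "test-atlantis", sha, "pending", "atlantis/plan")
		fmt.Printf("token=%s err=%v\n", token, err)
	}
	if _, err := StatusRef("master", "master"); err != nil {
		fmt.Println("branch as ref rejected:", err)
	}
}
```

The point of keeping the two failure modes apart: a wrong ref (branch instead of SHA) does not come back as a 403, so a 403 with that message is not explained by the ref and has to be chased on the App's installation permissions instead, which is where this thread ends up.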

GenPage commented 1 year ago

@pomcho555 @ovceev Are you still having issues with the latest release? We reverted a feature in #3321 that was causing errors like `403 Resource not accessible by integration []`.

pomcho555 commented 1 year ago

@GenPage Thanks for the fix. I upgraded Atlantis to 0.24.2. However, I still get this error.

pomcho555 commented 1 year ago

Apart from this bug, I suggest this function get a feature that prints a debug log of the GitHub API request, so that we could easily debug the actual request payload, as long as it doesn't show sensitive info.

ovceev commented 1 year ago

0.25.0: the issue still persists :(

403 Resource not accessible by integration []

jamengual commented 1 year ago

Has anyone added Org read access and tried it?


ovceev commented 1 year ago

Set these permissions and still got the error :(

ovceev commented 1 year ago

Update: after one day we see some progress here. Looks like enabling org read access fixes the issue. Will continue monitoring.

ovceev commented 1 year ago

  • pre-workflow hooks are working (we were prevented from using them because of the error)
  • 0 update status PR errors; the issue is gone for me, thank you so much guys

jamengual commented 1 year ago

Now does this match the docs?

ovceev commented 1 year ago

Not really; the org permissions above are not listed here: https://www.runatlantis.io/docs/access-credentials.html#github-app