Some requests to GHE are ignoring site configuration values documented to disable requests to code hosts

[mike-r-mclaughlin]

• Sourcegraph version: 5.2.1
• Reported by: https://github.com/sourcegraph/accounts/issues/6716

Details

Follow Disabling requests to code hosts to disable all requests to GHE. If there are repositories that are not accessible, you will see errors like this in the repo-updater log:

{"SeverityText":"ERROR","Timestamp":1709120061200289151,"InstrumentationScope":"repo-updater.UpdateScheduler.RunUpdateLoop","Caller":"repos/scheduler.go:191","Function":"github.com/sourcegraph/sourcegraph/internal/repos.(*UpdateScheduler).runUpdateLoop.func1","Body":"error updating repo","Resource":{"service.name":"repo-updater","service.version":"5.2.1","service.instance.id":"fd2b0393e88e"},"Attributes":{"err":"repo git.exmple.com/org1/repo1:: failed to fetch repo \"git.examle.com/org1/repo1\": exit status 128 - output: \"remote: Repository not found.\\nfatal: repository 'https://git.example.com/org1/repo1/' not found\\n\"","uri":"git.example.com/org1/repo1"}}

and

{"SeverityText":"WARN","Timestamp":1709120061632231040,"InstrumentationScope":"repo-updater.PermsSyncer.syncRepoPerms","Caller":"authz/perms_syncer.go:140","Function":"github.com/sourcegraph/sourcegraph/cmd/repo-updater/internal/authz.(*PermsSyncer).syncRepoPerms","Body":"ignoreUnauthorizedAPIError","Resource":{"service.name":"repo-updater","service.version":"5.2.1","service.instance.id":"fd2b0393e88e"},"Attributes":{"repo":{"ID":285579,"name":"git.example.com/org2/repo2","private":true},"error":"list users for repo: request to https://git.example.com/api/v3/repos/org2/repo2/collaborators?page=1&per_page=100 returned status 404: Not Found","suggestion":"GitHub access token user may only have read access to the repository, but needs write for permissions"}}

We tried restarting repo-updater and the log messages continue.

[eseliger]

This might be documented a bit confusingly (suggestions welcome)

GitMaxCodehostRequestsPerSecond description: Maximum number of remote code host git operations (e.g. clone or ls-remote) to be run per second per gitserver. Default is -1, which is unlimited.

but what this flag does it limits Git activity, not code host API access. So this will apply to git clones and fetches.

What you are looking for is probably the rateLimit field under the code host config.

[mike-r-mclaughlin]

OK. But, the linked doc says this:

It may be the case that you'd like to temporarily disable all git and API requests from Sourcegraph to a code host.

Maybe we should update that doc (once we get to the bottom of this) so it's more clear how to stop ALL traffic in cases like this