ualbertalib / jupiter

Jupiter is a University of Alberta Libraries-based initiative to create a sustainable and extensible digital asset management system. This is phase 2 (Digitization).
https://era.library.ualberta.ca/
MIT License

Could not set up API to GithubActions for Danger #2282

Closed pgwillia closed 3 years ago

pgwillia commented 3 years ago

Describe the bug

A missing token [DANGER_GITHUB_API_TOKEN] for Danger will cause our CI to fail. This is especially strange because it doesn't happen for every developer PR but does for all Dependabot PRs.

To Reproduce

Steps to reproduce the behavior:

  1. Wait for a dependabot PR
  2. Observe failure for "pull_request" jobs. [screenshot]

A workaround for this is to Re-run jobs. It will often be fine after the re-run. [screenshot]

Expected behavior

CI is continuous, error and intervention free.

Screenshots

Run bundle exec danger
  bundle exec danger
  shell: /usr/bin/bash -e {0}
  env:
    DANGER_GITHUB_API_TOKEN: 

Could not set up API to Code Review site for Danger

For your GitHub repo, you need to expose: DANGER_GITHUB_API_TOKEN
You may also need: DANGER_GITHUB_HOST, DANGER_GITHUB_API_BASE_URL, DANGER_OCTOKIT_VERIFY_SSL

Found these keys in your ENV: SELENIUM_JAR_PATH, CONDA, GITHUB_WORKSPACE, JAVA_HOME_11_X64, GITHUB_PATH, GITHUB_ACTION, JAVA_HOME, GITHUB_RUN_NUMBER, GRADLE_HOME, XDG_CONFIG_HOME, DOTNET_SKIP_FIRST_TIME_EXPERIENCE, ANT_HOME, JAVA_HOME_8_X64, HOMEBREW_PREFIX, DANGER_GITHUB_API_TOKEN, HOMEBREW_CLEANUP_PERIODIC_FULL_DAYS, BOOTSTRAP_HASKELL_NONINTERACTIVE, PWD, PIPX_BIN_DIR, DEPLOYMENT_BASEPATH, GITHUB_ACTIONS, ANDROID_NDK_LATEST_HOME, GITHUB_SHA, POWERSHELL_DISTRIBUTION_CHANNEL, DOTNET_MULTILEVEL_LOOKUP, GITHUB_REF, RUNNER_OS, HOME, GITHUB_API_URL, LANG, RUNNER_TRACKING_ID, RUNNER_TEMP, GITHUB_ENV, GITHUB_EVENT_PATH, INVOCATION_ID, GITHUB_EVENT_NAME, GITHUB_RUN_ID, ANDROID_NDK_HOME, HOMEBREW_NO_AUTO_UPDATE, GITHUB_ACTOR, NVM_DIR, ANDROID_HOME, GOROOT_1_14_X64, GITHUB_GRAPHQL_URL, ACCEPT_EULA, RUNNER_USER, USER, GITHUB_SERVER_URL, HOMEBREW_CELLAR, PIPX_HOME, GECKOWEBDRIVER, CHROMEWEBDRIVER, SHLVL, ANDROID_SDK_ROOT, VCPKG_INSTALLATION_ROOT, HOMEBREW_REPOSITORY, RUNNER_TOOL_CACHE, ImageVersion, DOTNET_NOLOGO, GRAALVM_11_ROOT, GITHUB_JOB, AZURE_EXTENSION_DIR, PERFLOG_LOCATION_SETTING, GITHUB_REPOSITORY, CHROME_BIN, ANDROID_NDK_ROOT, GITHUB_RETENTION_DAYS, JOURNAL_STREAM, RUNNER_WORKSPACE, LEIN_HOME, LEIN_JAR, GITHUB_ACTION_REPOSITORY, PATH, RUNNER_PERFLOG, GITHUB_BASE_REF, CI, SWIFT_PATH, ImageOS, GITHUB_REPOSITORY_OWNER, GITHUB_HEAD_REF, GITHUB_ACTION_REF, GITHUB_WORKFLOW, DEBIAN_FRONTEND, GOROOT_1_15_X64, AGENT_TOOLSDIRECTORY, GOROOT_1_16_X64, _, BUNDLER_ORIG_BUNDLE_BIN_PATH, BUNDLER_ORIG_BUNDLE_GEMFILE, BUNDLER_ORIG_BUNDLER_VERSION, BUNDLER_ORIG_GEM_HOME, BUNDLER_ORIG_GEM_PATH, BUNDLER_ORIG_MANPATH, BUNDLER_ORIG_PATH, BUNDLER_ORIG_RB_USER_INSTALL, BUNDLER_ORIG_RUBYLIB, BUNDLER_ORIG_RUBYOPT, BUNDLE_BIN_PATH, BUNDLE_GEMFILE, BUNDLER_VERSION, RUBYOPT, RUBYLIB, GEM_PATH, GEM_HOME, MANPATH.

Failing the build, Danger cannot run without API access.
You can see more information at https://danger.systems/guides/getting_started.html
Error: Process completed with exit code 1.

https://github.com/ualbertalib/jupiter/blob/3e2d4ae5cd3bc3b1f227b843a725dc1b34d5f10a/.github/workflows/push.yml#L37-L40

pgwillia commented 3 years ago

Starting March 1st, 2021 workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.

This change will affect all repositories, both public and private, regardless of how they are configured, and is being made to prevent potentially compromised dependencies from capturing secrets referenced in your workflows.

If your workflow needs to have a write token or access to secrets, you can use the pull_request_target event; however, please read Keeping your GitHub Actions and workflows secure: Preventing pwn requests to better understand the risks.

For questions, visit the GitHub Actions community

https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

pgwillia commented 3 years ago

This is a correct behavior, not an issue. In the Checks of a PR, it will list all the jobs from the workflows run on the push event and the pull_request event based on the latest commit in the HEAD branch (source branch of the PR). Currently, we have no methods to only list the jobs run on the pull_request event.

Because you configure your "Node CI" workflow to run on both push and pull_request, when you push a commit the workflow will be triggered, and when the PR is Open, this workflow also will be triggered by the pull_request. So on the checks list of your PR, it will list two similar checks triggered by different events (push and pull_request).

https://github.community/t/pull-requests-trigger-duplicate-checks-for-both-push-and-pull-request/18301/2

pgwillia commented 3 years ago

When you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.

Workflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository. The permissions for the GITHUB_TOKEN in forked repositories are read-only. For more information, see "Authenticating with the GITHUB_TOKEN."

Note: Workflows triggered by Dependabot pull requests are treated as though they are from a forked repository, and are also subject to these restrictions.

https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull-request-events-for-forked-repositories-1
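The permission model quoted above (no repository secrets for Dependabot or fork-originated runs) explains the empty DANGER_GITHUB_API_TOKEN in the log. The workflow below is an added example, not the jupiter project's own push.yml: it skips the Danger job for exactly those runs instead of failing and re-running, and checks the secret before invoking Danger. Workflow, job and step names are assumptions.

```yaml
# Added example, not from the jupiter repository. Names are assumptions.
name: CI

on:
  push:
    branches: [master]
  pull_request:

jobs:
  danger:
    runs-on: ubuntu-latest
    # Runs triggered by Dependabot (push or pull_request) and pull requests
    # from forks receive no repository secrets, so DANGER_GITHUB_API_TOKEN
    # would be empty and Danger would fail the build. Skip the job for those
    # runs. Note: pull_request_target would restore secrets, but it runs with
    # write access in the base repository; if used, never check out and
    # execute the PR head (see the "Preventing pwn requests" article above).
    if: >-
      github.actor != 'dependabot[bot]' &&
      (github.event_name != 'pull_request' ||
       github.event.pull_request.head.repo.full_name == github.repository)
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # Danger diffs the PR against its base branch
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - name: Run Danger
        env:
          DANGER_GITHUB_API_TOKEN: ${{ secrets.DANGER_GITHUB_API_TOKEN }}
        # Defensive check: if the secret is still empty (for example a run
        # the `if:` above did not anticipate), exit cleanly with a clear
        # message instead of Danger's environment dump and exit code 1.
        run: |
          if [ -z "$DANGER_GITHUB_API_TOKEN" ]; then
            echo "DANGER_GITHUB_API_TOKEN not available for this event; skipping Danger"
            exit 0
          fi
          bundle exec danger
```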

pgwillia commented 3 years ago

Some things we could try to work around this bug