Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failing to get installation id on self-hosted runner on github enterprise #183

Open
slarwise opened this issue Nov 4, 2024 · 1 comment

Comments

@slarwise
Copy link

slarwise commented Nov 4, 2024

When using actions/create-github-app-token@v1 on a self-hosted runner on github enterprise, the action fails to get the installation id. Doing the manual steps with curl works, following the docs here.

Do you know if there is a difference between the manual way and the one using this action? The github enterprise server is running version v3.14.2.

on:
  pull_request:
    branches:
      - main
  workflow_dispatch: {}
jobs:
  get-app-token-with-action:
    runs-on: self-hosted
    steps:
      - uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.DEBUG_APP_ID }}
          private-key: ${{ secrets.DEBUG_APP_PRIVATE_KEY }}
          owner: myorg
  get-app-token-manually:
    runs-on: self-hosted
    steps:
      - run: |
          # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt
          set -o pipefail

          app_id="${{ secrets.DEBUG_APP_ID }}"
          pem="${{ secrets.DEBUG_APP_PRIVATE_KEY }}"

          now=$(date +%s)
          iat=$((${now} - 60))  # Issues 60 seconds in the past
          exp=$((${now} + 600)) # Expires 10 minutes in the future

          b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }

          header_json='{
              "typ":"JWT",
              "alg":"RS256"
          }'
          header=$(echo -n "${header_json}" | b64enc)

          payload_json="{
              \"iat\":${iat},
              \"exp\":${exp},
              \"iss\":\"${app_id}\"
          }"
          payload=$(echo -n "${payload_json}" | b64enc)

          header_payload="${header}"."${payload}"
          signature=$(
              openssl dgst -sha256 -sign <(echo -n "${pem}") \
                  <(echo -n "${header_payload}") | b64enc
          )

          jwt="${header_payload}"."${signature}"

          # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app#generating-an-installation-access-token
          installation_id="$(curl https://github.myorg.com/api/v3/orgs/myorg/installation --oauth2-bearer "$jwt" | jq -r .id)"
          curl --request POST \
              --url "https://github.myorg.com/api/v3/app/installations/${installation_id}/access_tokens" \
              --oauth2-bearer "$jwt" \
              --header "Accept: application/vnd.github+json" \
              --header "X-GitHub-Api-Version: 2022-11-28"              

Output of get-app-token-with-action:

repositories not set, creating token for all repositories for given owner "myorg"
Failed to create token for "myorg" (attempt 1): Request was cancelled.
Failed to create token for "myorg" (attempt 2): Request was cancelled.
Failed to create token for "myorg" (attempt 3): Request was cancelled.
Failed to create token for "myorg" (attempt 4): Request was cancelled.
RequestError [HttpError]: Request was cancelled.
    at fetchWrapper (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37063:26)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async hook4 (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39476:18)
    at async getTokenFromOwner (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39769:20)
    at async RetryOperation._fn (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39667:24) {
  status: 500,
  request: {
    method: 'GET',
    url: 'https://github.myorg.com/api/v3/orgs/myorg/installation',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/create-github-app-token',
      authorization: 'bearer [REDACTED]'
    },
    request: {
      fetch: [Function: proxyFetch],
      hook: [Function: bound hook4] AsyncFunction
    }
  },
  response: undefined,
  cause: TypeError: fetch failed
      at fetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:36589:17)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async fetchWrapper (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37037:21)
      at async hook4 (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39476:18)
      at async getTokenFromOwner (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39769:20)
      at async RetryOperation._fn (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39667:24) {
Error: use]: DOMException [Error]: Request was cancelled.
        at new DOMException (node:internal/per_context/domexception:53:5)
        at makeAppropriateNetworkError (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:30488:182)
        at httpNetworkFetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:32166:18)
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async httpNetworkOrCacheFetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:32042:33)
        at async httpFetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:31877:37)
        at async /runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:31643:20
        at async mainFetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:31633:20) {
      cause: [RequestAbortedError]
    }
  },
  attemptNumber: 4,
  retriesLeft: 0
}

Output of get-app-token-manually:

Run # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1862  100  1862    0     0  20688      0 --:--:-- --:--:-- --:--:-- 20688
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   207  100   207    0     0   2029      0 --:--:-- --:--:-- --:--:--  2009
100   207  100   207    0     0   2009      0 --:--:-- --:--:-- --:--:--  2009
{
  "token": "***",
  "expires_at": "2024-***-04T13:50:37Z",
  "permissions": {
    "contents": "read",
    "metadata": "read"
  },
  "repository_selection": "selected"
}
@bacterik
Copy link

bacterik commented Jan 8, 2025

This is an issue, since the version 1.8.0, how the proxy function is implemented. After some debugging, we had to revert to 1.7.0 for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants