GitHub Apps fail to bypass pull requests #1248
Hello @jcogilvie, I had the exact same problem and managed to get my app to bypass the branch protection. First, the GitHub documentation on Terraform states that you should pass "actor IDs" (as opposed to the GitHub REST docs, which say to put slugs...). Second, the actor ID is in fact the node ID, as you could more or less guess from the Terraform doc example. You can get the node ID of your app from this REST endpoint, but for that you need a token that you can get by following this doc: Authenticating as a GitHub App. Also, there is a pull request (#1268) that adds the GitHub App as a data source, which would make it easier to obtain the node ID. Hope this helps.
@Plouc314, I was able to get past the initial error with your help, but now I'm getting "Resource not accessible by integration" when trying to update a branch protection rule, even though my app has
@jcogilvie, if you are using a GitHub App to authenticate in your Terraform provider, then the app you are referencing in your resource will need to be public, not private.
That seems like an odd requirement. Is there a documented example workflow with requirements for setting up GitHub App auth for use with this provider? The provider docs themselves don't seem to contain that information.
My app is private to an organization. @jcogilvie, my app has read & write access to about all Repository permissions, including Administration, Pull requests and Contents. Perhaps you are missing some permissions?
I definitely have Administration, Pull requests and Contents permissions. One potential complication is that I am authenticated to the Terraform provider as a private app, and I am trying to add that same app and also another private app in our same org to the list of bypassers. App 1 and App 2 both have the same permissions.

Edit: It does succeed if I try to add just the currently-authenticated app. So the issue is somewhere in having the authenticated app add a different (also private) app.
The referenced App within e.g. If you try to hit the

However, you'll hit the following error: 403 Resource not accessible by integration [] If the App ( My guess is it's just poorly worded to say that the App can self-identify against the endpoint, but not look up other private Apps. ¯\_(ツ)_/¯
I think making the App public is a bug somewhere. You can add a private App to the list via the UI and it works correctly.
Edit: hey @Plouc314, my org uses this action to fetch tokens in order to run REST API calls against the GitHub API. E.g. the response:

```json
{
  "message": "A JSON web token could not be decoded",
  "documentation_url": "https://docs.github.com/rest"
}
```

Sample workflow to use the token:

```yaml
steps:
  # mint a token for the App via its ID and private key (stored as a secret)
  - name: Generate token for target repo
    id: generate_token
    uses: tibdex/github-app-token@v1
    with:
      app_id: "218414"
      private_key: ${{ secrets.ghapp_pem }}
  # call GET /app with the token produced by the previous step
  - name: fetch app info
    shell: bash
    env:
      TOKEN: ${{ steps.generate_token.outputs.token }}
    run: |
      curl -i \
        -H "Accept: application/vnd.github+json" \
        -H "Authorization: Bearer ${TOKEN}" \
        https://api.github.com/app
```
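The earlier comment by @Plouc314 and the workflow above describe the same procedure: authenticate as the GitHub App, call GET /app, and read the app's node_id, which is the actor ID the provider's bypass list expects. The script below is an added example written for this page; it is not code from the thread, from the action used above, or from the Terraform provider. It mints the RS256 JWT with openssl (the "Authenticating as a GitHub App" step), checks the signature locally against the app's public key, and shows the GET /app call. GET /app only accepts a JWT signed with the app's private key, which is why a bearer value that is not a JWT is answered with "A JSON web token could not be decoded". Assumptions: the App ID 218414 is reused from the workflow above as a placeholder, the PEM path, the GH_APP_ID/GH_APP_PEM variable names and the use of jq are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the provider: mint a GitHub App JWT
# with openssl, check it locally, and use it to read the app's node_id from
# GET /app. Placeholders: the App ID is the one from the workflow in the
# thread; the PEM path and the env var names are assumptions.

# base64url (RFC 7515): URL-safe alphabet, no padding.
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Inverse of b64url; restores the padding before handing it to openssl.
b64url_decode() {
  s="$1"
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# make_app_jwt APP_ID KEY_PEM [NOW_EPOCH]
# iss is the App ID (not the installation ID and not the slug); iat is
# backdated 60 s for clock skew; exp is 10 minutes out, GitHub's maximum.
make_app_jwt() {
  app_id="$1"; key_pem="$2"; now="${3:-$(date +%s)}"
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
              "$((now - 60))" "$((now + 600))" "$app_id" | b64url)
  signing_input="${header}.${payload}"
  sig=$(printf '%s' "$signing_input" \
          | openssl dgst -sha256 -sign "$key_pem" -binary | b64url)
  printf '%s.%s\n' "$signing_input" "$sig"
}

# jwt_claims JWT: print the decoded payload (no signature check).
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# verify_app_jwt JWT PUB_PEM: exit 0 only if the RS256 signature is valid
# for header.payload under the app's public key.
verify_app_jwt() {
  jwt="$1"; pub_pem="$2"; rc=1
  signing_input="${jwt%.*}"
  sigfile=$(mktemp)
  b64url_decode "${jwt##*.}" > "$sigfile"
  if printf '%s' "$signing_input" \
       | openssl dgst -sha256 -verify "$pub_pem" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  fi
  rm -f "$sigfile"
  return "$rc"
}

# fetch_app_node_id JWT: GET /app and print node_id. Network call, not run
# offline. Only a JWT works here; anything else as the bearer is rejected
# with "A JSON web token could not be decoded". jq is assumed to be present.
fetch_app_node_id() {
  curl -sS -H "Accept: application/vnd.github+json" \
       -H "Authorization: Bearer $1" https://api.github.com/app | jq -r .node_id
}

# Stand-alone use (assumed variable names):
#   GH_APP_ID=218414 GH_APP_PEM=app.private-key.pem bash app-node-id.sh
if [ -n "${GH_APP_ID:-}" ] && [ -n "${GH_APP_PEM:-}" ]; then
  fetch_app_node_id "$(make_app_jwt "$GH_APP_ID" "$GH_APP_PEM")"
fi
```

The value printed by fetch_app_node_id is the node ID that the comments above pass as the actor ID in the provider's bypass list. The JWT is what authenticates the call to GET /app; an installation token, which is what a workflow step that "generates a token" for the App normally yields, is a different credential for a different set of endpoints.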
We're currently facing the same issue. App 1 is used to run the Terraform provider to read/modify branch_protection rules of repo X, where private App 2 is a protection bypasser. This is clearly a bug in the provider. What's the ETA on fixing this?
I am able to get GitHub Apps to bypass pull requests while I am using PAT authentication for the Terraform provider. However, the TF plan always states that the branch_protection resource will be changed.

The changes above are already applied. Did anyone find a solution for this apart from adding an ignore_changes block?
Unfortunately, one GitHub App cannot query the API endpoint https://github.com/settings/apps/:app_slug of another private App. Therefore the issue is with GitHub and not the Terraform provider. See the response from GitHub support:
The ignore_changes block will not work either, because it's still trying to read the value of the other private GitHub Apps. It temporarily worked with a
This is what worked for me:
Also, for repository rulesets you can use github_app to pass the ID.

It is not in the documentation, but the github_app data source exports your App's ID.
Unfortunately, this necessarily only works for the GitHub App with which you're running Terraform. If you attempt to use the same trick to assign any privileges to a separate GitHub App while running Terraform with GitHub App credentials, it will fail.
Terraform Version
1.0.11
Affected Resource(s)
Terraform Configuration Files
Note: I have tried it with both string slugs and integer installation IDs, with the same result.
Debug Output
https://gist.github.com/jcogilvie/1c871779fc13f53a1d8117e6ab38a1a5
Expected Behavior
The branch protection is created, correctly referencing the App(s) in question.
Actual Behavior
The build errors, saying it can't find an entity with a corresponding global ID (see output).
Steps to Reproduce
terraform apply
Important Factoids
If I add the branch protection referencing the app in the UI, and change my TF to instead try to zero out the branch protection, here's the Terraform "detected changes" diff:
This seems to me to indicate that if we just allowed string slugs through validation in the provider, everything would work as expected. This seems to match the documentation for the API, which says that the "Properties of the bypass_pull_request_allowances object" take a list of slugs.

References
Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example: