Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Auto-backport is failing: permission denied #1712

Closed
dblock opened this issue Dec 13, 2021 · 7 comments
Closed

[BUG] Auto-backport is failing: permission denied #1712

dblock opened this issue Dec 13, 2021 · 7 comments
Assignees
@VachaShah
Labels
bug Something isn't working Build Libraries & Interfaces

Comments

@dblock
Copy link
Member

dblock commented Dec 13, 2021

Describe the bug

remote: Permission to opensearch-project/OpenSearch.git denied to github-actions[bot].

To Reproduce
Steps to reproduce the behavior:

  1. Label an issue backport 1.x.
  2. See failed job.

https://github.com/opensearch-project/OpenSearch/runs/4509880595?check_suite_focus=true
@dblock dblock added bug Something isn't working untriaged labels Dec 13, 2021
@dblock
Copy link
Member Author

dblock commented Dec 13, 2021

@VachaShah Do you know how to fix this?

@VachaShah
Copy link
Collaborator

Looks like github-actions does not have permissions to create PRs.

Error

remote: Permission to opensearch-project/OpenSearch.git denied to github-actions[bot].

I will look into it.

@VachaShah VachaShah mentioned this issue Dec 20, 2021
Closed
25 tasks
@VachaShah
Copy link
Collaborator

Tried the approach where in the workflow, we fork the repo and then create a branch to backport, cherry-pick the commit and create a PR from it. But the Github actions was not able to fork a repo, got error failed to fork: HTTP 403: Resource not accessible by integration while doing so.

@setiah
Copy link
Contributor

setiah commented Dec 22, 2021

@VachaShah try with a pre-created fork (say backport/OpenSearch) to which this backport GH has access, and use the checkout@v2 action to backport, push and raise PR from this backport fork. This would also help keep the permissions of this GH restricted to the backport fork alone and track the workflow retries better.

@VachaShah
Copy link
Collaborator

@setiah Wouldn't the pre-created fork have to belong to a user?

This was referenced Jan 4, 2022
Merged
Merged
@VachaShah
Copy link
Collaborator

Update, the following things are needed to fix the permissions issue:

  1. The token needs write permissions for pull requests and content in order to create pull requests on the repos. This is fixed in PR Fixing auto backport workflow #1845.
  2. The GHA for backport creates branches (backport-<PR-number>-to-<release-branch>) to cherry-pick commits for backport. Hence, the branch permissions need to be defined for such branches. In order to better manage permissions, I have PRed the change to allow custom branch names in the GHA repo and use it in the OpenSearch repo. Details: Using custom branch name for auto backporting PRs #1862.

@VachaShah
Copy link
Collaborator

This issue is resolved and the backport workflow is able to create PRs. Example PR: #1959

This was referenced Feb 4, 2022
Merged
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@VachaShah VachaShah

Labels
bug Something isn't working Build Libraries & Interfaces
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dblock @VachaShah @anasalkouz @setiah