Action replaces GITHUB_TOKEN

This issue has been tracked since 2022-12-15.

TL;DR

Using this action (only tested using federated identity) replaces the GITHUB_TOKEN, which causes downstream steps that require a GitHub identity token (e.g. updating PR labels, posting comments) to fail.

Expected behavior

A Google credentials file would be created for GCP authentication and the github_token would remain the same.

Observed behavior

The github_token in the context is replaced (presumably with the Google identity token?).

Action YAML

jobs:
  test:
    runs-on: ubuntu-latest
    if: github.event.pull_request.draft == false
    timeout-minutes: 20
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:

      - name: Check out repository
        uses: actions/[email protected]
        with:
          submodules: recursive

      - name: Authenticate to Google Cloud
        id: 'auth'
        uses: 'google-github-actions/[email protected]'
        with:
          token_format: ''
          workload_identity_provider: ${{ secrets.GCP_IDENTITY_POOL }}
          service_account: ${{ secrets.GCP_CI_SERVICE_ACCOUNT }}
          create_credentials_file: true

      - name: Test # Requires gcp service account identity
        run: |
          pytest --junitxml=junit/test-results.xml

      - name: Publish Test Results # requires github identity
        uses: EnricoMi/publish-unit-test-r[email protected]
        if: always()
        with:
          junit_files: "junit/*.xml"

Log output

In the publish test results action:

Warning: Request GET /repos/<repository>/commits/53da57dd622f1e50d4aa0b630983f3a22c09566b/check-runs?per_page=100 failed with 403: Forbidden

Additional information

No response

github-actions[bot] wrote this answer on 2023-01-02

Hi there @quom 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

GregoireW wrote this answer on 2023-01-02

Hello,

After a workflow has run, actions usually set a check on the originating commit.

But here, you only set permissions to read your repo and get an id_token.

  permissions:
    contents: 'read'
    id-token: 'write'

You have to request a token with additional permissions, like checks and/or statuses (write), to remove the error you face. (https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview)
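The fix described above, written out as a complete job. This is an added example, not code from the original issue or from the google-github-actions/auth project. Once a `permissions:` block is present, the GITHUB_TOKEN minted for the job carries only the scopes listed in it, so the block must name every scope the downstream steps use, here `checks: write` for the check-run request that returned 403. The version tags, the `pull-requests: write` scope (only needed by actions that comment on the PR) and the reuse of the `GCP_*` secret names from the issue are assumptions; confirm the exact scopes against the documentation of each third-party action you run.

```yaml
jobs:
  test:
    runs-on: ubuntu-latest
    if: github.event.pull_request.draft == false
    timeout-minutes: 20
    # With an explicit permissions block, GITHUB_TOKEN gets ONLY the scopes
    # listed here; every omitted scope is "none". The block in the issue
    # listed just contents:read and id-token:write, which is why the
    # publish step's check-run request was denied.
    permissions:
      contents: 'read'        # needed by checkout
      id-token: 'write'       # OIDC token for GCP workload identity federation
      checks: 'write'         # create/update check runs (the request that failed with 403)
      pull-requests: 'write'  # assumption: only if the publish action comments on the PR
    steps:
      - name: Check out repository
        uses: actions/checkout@v4   # version tag is an assumption
        with:
          submodules: recursive

      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v1   # version tag is an assumption
        with:
          workload_identity_provider: ${{ secrets.GCP_IDENTITY_POOL }}
          service_account: ${{ secrets.GCP_CI_SERVICE_ACCOUNT }}
          create_credentials_file: true

      - name: Test # needs the GCP service account identity, not GITHUB_TOKEN
        run: pytest --junitxml=junit/test-results.xml

      - name: Publish Test Results # needs GITHUB_TOKEN with checks:write
        uses: EnricoMi/publish-unit-test-result-action@v2   # version tag is an assumption
        if: always()
        with:
          junit_files: "junit/*.xml"
```

Keep the explicit block rather than deleting it to fall back to the repository defaults: the defaults can be broader than the job needs, whereas adding just the scope named in the 403 keeps the token at least privilege. If a later step fails with a similar 403, the scope it needs is read off the failing request (here `check-runs` maps to `checks`) and added the same way.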

quom wrote this answer on 2023-01-02

Hi @GregoireW,

I am not sure how this ever worked before but you are correct - it was missing the additional permissions required for the publish action. After adding this works as expected.

Why the publish action worked without the checks permission setup I am not sure.

Thanks!

GregoireW wrote this answer on 2023-01-02

If you do not set a permissions block, a default permission set exists. It is basically content read-only + comment, statuses, checks write.
If you set a permissions block, only your permissions are selected.
