Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Environments do not get provisioned for repositories set to internal or private #623

Open
gregnrobinson opened this issue Apr 18, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@gregnrobinson
Copy link

gregnrobinson commented Apr 18, 2024

Problem Description

 
When managing environments with safe settings, if the repository is set to public, safe settings will create all environments defined within the suborg configuration. If the repository visibility is set to private or internal, safe settings presents an error even though the provisioning of environments has been tested for all repository visibilities via the REST API.
 

What is actually happening

 
If the repositories are anything but public visibility, safe settings cannot provision the environments.
 

What is the expected behavior

 
Safe Settings should be able to manage environments on repositories that are set to private or internal visibility.
 

Error output, if available

 

Error HttpError: Resource not accessible by integration in Environments for repo. {team details...}

 

Context

 
We had initially opened #611 regarding environment provisioning but assumed the issue was due to insufficient licensing for the non-prod environments but after deploying to production, the environment provisioning would still only work for public repositories.
 
Using the REST API, we can successfully create environments for repositories even if the repository is set internal or private visibility. We are wondering why Safe settings specifically returns an error for environments that are being provisioned against internal or private repositories.
 

Create environment for a public repository

 

curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $token" \
-H "X-GitHub-Api-Version: 2022-11-28" \
[https://%3cGHES_ENDPOINT%3e/api/v3/repos/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/environments/dantestpublic]https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestpublic \
-d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'

 
response

{
"id": 3523,
"node_id": "MDExOkVudmlyb25tZW50MzUyMw==",
"name": "dantestpublic",
"url": [https://%3cGHES_ENDPOINT%3e/api/v3/repos/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/environments/dantestpublic]https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestpublic,
"html_url": [https://%3cGHES_ENDPOINT%3e/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/deployments/activity_log?environments_filter=dantestpublic]https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestpublic,
"created_at": "2024-04-17T18:51:04Z",
"updated_at": "2024-04-17T18:51:04Z",
"can_admins_bypass": true,
"protection_rules": [
],
"deployment_branch_policy": null
}

 
public_repo
 

Create an environment for an internal repository

 

curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $token" \
-H "X-GitHub-Api-Version: 2022-11-28" \
[https://%3cGHES_ENDPOINT%3e/api/v3/repos/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/environments/dantestinternal]https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestinternal \
-d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'

 
response

{
"id": 3524,
"node_id": "MDExOkVudmlyb25tZW50MzUyNA==",
"name": "dantestinternal",
"url": [https://%3cGHES_ENDPOINT%3e/api/v3/repos/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/environments/dantestinternal]https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestinternal,
"html_url": [https://%3cGHES_ENDPOINT%3e/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/deployments/activity_log?environments_filter=dantestinternal]https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestinternal,
"created_at": "2024-04-17T18:57:34Z",
"updated_at": "2024-04-17T18:57:34Z",
"can_admins_bypass": true,
"protection_rules": [
],
"deployment_branch_policy": null
}

 
internal_repo
 

Create an environment for a private repository

 

curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $token" \
-H "X-GitHub-Api-Version: 2022-11-28" \
[https://%3cGHES_ENDPOINT%3e/api/v3/repos/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/environments/dantestprivate]https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestprivate \
-d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'

 
response

{
"id": 3525,
"node_id": "MDExOkVudmlyb25tZW50MzUyNQ==",
"name": "dantestprivate",
"url": [https://%3cGHES_ENDPOINT%3e/api/v3/repos/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/environments/dantestprivate]https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestprivate,
"html_url": [https://%3cGHES_ENDPOINT%3e/%3cORG%3e/%3crepoprefix%3e-iam-refactoring/deployments/activity_log?environments_filter=dantestprivate]https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestprivate,
"created_at": "2024-04-17T19:00:49Z",
"updated_at": "2024-04-17T19:00:49Z",
"can_admins_bypass": true,
"protection_rules": [
],
"deployment_branch_policy": null
}

private_repo

Environments suborg configuration

environments:
  - name: DEV
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: QAT
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: UAT
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: PROD
    wait_timer: 0
    prevent_self_review: true
    reviewers:
      - type: Team
        id: 16193
    deployment_branch_policy:
      protected_branches: true
      custom_branch_policies: false

 

Are you using the hosted instance of probot/settings or running your own?

 
Running safe settings on AKS with ingress for webhook.
 

If running your own instance, are you using it with github.com or GitHub Enterprise?

 
GitHub Enterprise Server
 

Version of probot/settings

 
Running Probot v12.3.3 (Node.js: v16.20.2)
 

Version of GitHub Enterprise

 
GitHub Enterprise Server 3.11

@gregnrobinson gregnrobinson added the bug Something isn't working label Apr 18, 2024
@sanglt
Copy link

sanglt commented May 14, 2024

Thanks we have the same bug too and we are using GitHub SaaS.

{"level":50,"time":1715657742292,"pid":24,"hostname":"release-name-safe-settings-755548ff8b-mwg9l","name":"probot","name":"probot","msg":"Error HttpError: Resource not accessible by integration in Environments for repo: {\"owner\":\"xxxxxx\",\"repo\":\"xxxxxx\"} entries [{\"name\":\"production\",\"wait_timer\":0,\"prevent_self_review\":true,\"reviewers\":[{\"type\":\"Team\",\"id\":xxxxxx}],\"deployment_branch_policy\":null},{\"name\":\"qa\",\"wait_timer\":0,\"prevent_self_review\":false,\"reviewers\":[{\"type\":\"Team\",\"id\":xxxxxx}],\"deployment_branch_policy\":null}]"}

@sanglt
Copy link

sanglt commented Jun 10, 2024

The error is fixed after granting Actions read permission to the app. This is the requirement for using this listing endpoint.

https://docs.github.com/en/rest/deployments/environments?apiVersion=2022-11-28#list-environments

The fine-grained token must have the following permission set:
"Actions" repository permissions (read)

Brad-Abrams added a commit to RBC/github-safe-settings that referenced this issue Jun 26, 2024
Addresses issue: [Environments do not get provisioned for repositories set to internal or private github#623](github#623)

Adds documentation for permissions required for safe-settings when Environments are used

[List Environments](https://docs.github.com/en/rest/deployments/environments?apiVersion=2022-11-28#list-environments) API requires:
```
The fine-grained token must have the following permission set:

"Actions" repository permissions (read)
```

[Create an environment variable](https://docs.github.com/en/rest/actions/variables?apiVersion=2022-11-28#create-an-environment-variable) API requires:
```
The fine-grained token must have the following permission set:

"Variables" repository permissions (write) and "Environments" repository permissions (write)
```

With permissions added, issue 623 was resolved.
decyjphr pushed a commit that referenced this issue Aug 15, 2024
* decompose unit tests, patch sync for environments

* remove logging, combine loops as per review comments

* Add NopCommand, log.error, and errors

* Allow concise config for Environments

This commit combines PR [616](#616) and [646](#646)

environments.js
Add defensive code to prevent the GitHub API from being called with undefined data.

In the UI, and API an environment can be added with just an name.
  Now, safe-settings permits this as well.
In the UI, and API an environment can be added without variables.
  Now, safe-settings permits this as well.
In the UI, and API an environment can be added without deployment_protection_rules.
  Now, safe-settings permits this as well.

environments.test.js
Add a test case for the scenario when there are zero existing environments
Add a test case for an environment name change
Add a test case inspired by PR 616 which adds 7 new environments with various attributes
Move expect statements out of aftereach() as there is now variability in what is expected across test cases.
  Specifically, when there is no existing environment, that environment should NOT be queried for variables nor deployment_protection_rules

* Update documentation: Environments permissions.

Addresses issue: [Environments do not get provisioned for repositories set to internal or private #623](#623)

Adds documentation for permissions required for safe-settings when Environments are used

[List Environments](https://docs.github.com/en/rest/deployments/environments?apiVersion=2022-11-28#list-environments) API requires:
```
The fine-grained token must have the following permission set:

"Actions" repository permissions (read)
```

[Create an environment variable](https://docs.github.com/en/rest/actions/variables?apiVersion=2022-11-28#create-an-environment-variable) API requires:
```
The fine-grained token must have the following permission set:

"Variables" repository permissions (write) and "Environments" repository permissions (write)
```

With permissions added, issue 623 was resolved.
admtorgst pushed a commit to helse-sorost/safe-settings that referenced this issue Sep 14, 2024
* decompose unit tests, patch sync for environments

* remove logging, combine loops as per review comments

* Add NopCommand, log.error, and errors

* Allow concise config for Environments

This commit combines PR [616](github#616) and [646](github#646)

environments.js
Add defensive code to prevent the GitHub API from being called with undefined data.

In the UI, and API an environment can be added with just an name.
  Now, safe-settings permits this as well.
In the UI, and API an environment can be added without variables.
  Now, safe-settings permits this as well.
In the UI, and API an environment can be added without deployment_protection_rules.
  Now, safe-settings permits this as well.

environments.test.js
Add a test case for the scenario when there are zero existing environments
Add a test case for an environment name change
Add a test case inspired by PR 616 which adds 7 new environments with various attributes
Move expect statements out of aftereach() as there is now variability in what is expected across test cases.
  Specifically, when there is no existing environment, that environment should NOT be queried for variables nor deployment_protection_rules

* Update documentation: Environments permissions.

Addresses issue: [Environments do not get provisioned for repositories set to internal or private github#623](github#623)

Adds documentation for permissions required for safe-settings when Environments are used

[List Environments](https://docs.github.com/en/rest/deployments/environments?apiVersion=2022-11-28#list-environments) API requires:
```
The fine-grained token must have the following permission set:

"Actions" repository permissions (read)
```

[Create an environment variable](https://docs.github.com/en/rest/actions/variables?apiVersion=2022-11-28#create-an-environment-variable) API requires:
```
The fine-grained token must have the following permission set:

"Variables" repository permissions (write) and "Environments" repository permissions (write)
```

With permissions added, issue 623 was resolved.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants