Comments (11)

mitchmindtree commented on June 9, 2024 1

Ahhh hold-up: when I go to my PAT settings it looks like the token is still "pending" and hasn't yet been used. I'll check in with our org admin to see if it needs to be approved or something first.

from update-flake-lock.

mitchmindtree commented on June 9, 2024 1

Oooo, thanks for digging in and having a look!

Fwiw, pint.nix is actually the repo that the action is running on. For the other CI stuff it hasn't yet been necessary to add a key to provide access to itself, but maybe update-flake-lock works a little differently and does require this.

I'll give it a go and report back!

mitchmindtree commented on June 9, 2024 1

Wow. That actually did the trick.

Thank you!

cole-h commented on June 9, 2024

I don't see anything obvious that would be causing your issue.

However, I have one hunch -- the error message appears to happen when we're delegating to the peter-evans/create-pull-request action, around where it's trying to push the update-flake-lock commit to your repository and subsequently open a PR. If your organization/repository restricts workflow permissions by default, you may need to give the job that runs update-flake-lock explicit contents: write and pull-requests: write permissions, i.e.:

name: update-flake-lock

on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * *' # runs nightly at 00:00 UTC

jobs:
  # Updates the pint-src flake input and opens a PR with the updated flake.lock.
  lockfile:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: webfactory/[email protected]
        with:
          ssh-private-key: |
              ${{ secrets.SSH_KEY_BASE }}
              ${{ secrets.SSH_KEY_PINT }}
      - uses: DeterminateSystems/nix-installer-action@v10
      - uses: DeterminateSystems/update-flake-lock@main
        with:
          inputs: pint-src

If that doesn't work, their documentation also calls out the need to make sure the repo allows GitHub Actions to create PRs in the first place (https://github.com/peter-evans/create-pull-request?tab=readme-ov-file#workflow-permissions) by changing the setting at "Actions > General > Workflow permissions".

Would you mind trying that out and letting me know how it goes?

mitchmindtree commented on June 9, 2024

Thank you for the quick response!

Just letting you know that so far I have tried adding permissions: to the job as above, however it looks like this is not enough and the same error is occurring.

I'm organising with the team to get the "Workflow Permissions" setting changed and I'll report back whether or not this helps!

mitchmindtree commented on June 9, 2024

Turns out our setting was organisation-wide (i.e. Org > Settings > Actions > Workflow Permissions).

Unfortunately, changing it from read-only to "Read and Write" doesn't seem to have fixed the issue - the same error is occurring.

Here is the full log for the updated action, this time with debug output enabled:

workflow-log-2.txt

cole-h commented on June 9, 2024

Hmmmm, interesting. Could you try setting the token argument on the update-flake-lock action to a GitHub PAT with the repo scope and see if that lets it continue?

mitchmindtree commented on June 9, 2024

I

  1. created a fine-grained PAT with access to the repo with read/write permissions for both "Content" and "Pull Requests"
  2. added it as a secret to the repository
  3. updated the workflow's update-flake-lock action with the token argument set to the new PAT token secret

alas, still running into the same error 🥴

The updated workflow log:

workflow-log-3.txt

🤔

mitchmindtree commented on June 9, 2024

Finally got access and confirmed the PAT is available, though it appears that it still isn't getting used, and the workflow appears to still be running into the same "Checking the base repository state" issue 🤔

workflow-log-4.txt

cole-h commented on June 9, 2024

AHA! I think I see the issue now!

As the SSH keys are deploy keys, I was looking at how the ssh-agent action expects you to set them up, and I noticed that they require a special comment on the key -- as you already did.

HOWEVER, you're trying to push to essential-contributions/pint.nix, whereas the only deploy keys available are for essential-contributions/essential-base and essential-contributions/pint, NOT essential-contributions/pint.nix:

2024-05-07T05:09:25.6497221Z Added deploy-key mapping: Use identity '/home/runner/.ssh/key-...' for GitHub repository essential-contributions/essential-base
2024-05-07T05:09:25.6763124Z Added deploy-key mapping: Use identity '/home/runner/.ssh/key-...' for GitHub repository essential-contributions/pint

[..snip..]

2024-05-07T05:09:33.3375573Z Pull request branch target repository set to essential-contributions/pint.nix

If pint and pint.nix are separate repos, I think you'll need another deploy key specifically for pint.nix.
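
The mismatch diagnosed in the comment above can be checked mechanically from a job log. This is an added example, not part of the original thread or of either action's code; it assumes the two log message formats quoted above, and the function name audit_deploy_keys is hypothetical.

```python
import re

# Log lines quoted from the comment above; the key paths are elided there too.
SAMPLE_LOG = """\
2024-05-07T05:09:25.6497221Z Added deploy-key mapping: Use identity '/home/runner/.ssh/key-...' for GitHub repository essential-contributions/essential-base
2024-05-07T05:09:25.6763124Z Added deploy-key mapping: Use identity '/home/runner/.ssh/key-...' for GitHub repository essential-contributions/pint
2024-05-07T05:09:33.3375573Z Pull request branch target repository set to essential-contributions/pint.nix
"""

# Message formats as they appear in the quoted log (assumed stable).
MAPPING_RE = re.compile(
    r"Added deploy-key mapping: .* for GitHub repository (\S+)\s*$")
TARGET_RE = re.compile(
    r"Pull request branch target repository set to (\S+)\s*$")


def audit_deploy_keys(log_text):
    """Return (mapped_repos, push_targets, uncovered_targets) for one job log.

    A push target is "uncovered" when no deploy key was mapped to exactly that
    owner/repo. The comparison is on the full name, so a key for "pint" does
    not count as covering "pint.nix".
    """
    mapped, targets = set(), []
    for line in log_text.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            # GitHub owner/repo names are case-insensitive.
            mapped.add(m.group(1).lower())
            continue
        m = TARGET_RE.search(line)
        if m:
            targets.append(m.group(1).lower())
    uncovered = [t for t in targets if t not in mapped]
    return mapped, targets, uncovered


if __name__ == "__main__":
    mapped, targets, uncovered = audit_deploy_keys(SAMPLE_LOG)
    print("deploy keys mapped for:", ", ".join(sorted(mapped)))
    for repo in uncovered:
        print(f"no deploy key mapped for push target {repo}")
```

An empty uncovered list only shows that a key is mapped to the target repository; the log does not show whether that deploy key was created with write access, which a push also requires.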

cole-h commented on June 9, 2024

I think this issue has since been resolved -- feel free to reopen if that's not the case!
