Comments (11)
Ahhh hold-up: when I go to my PAT settings it looks like the token is still "pending" and hasn't yet been used. I'll check in with our org admin to see if it needs to be approved or something first.
from update-flake-lock.
Oooo, thanks for digging in and having a look!
Fwiw, `pint.nix` is actually the repo that the action is running on. For the other CI stuff it hasn't yet been necessary to add a key to provide access to itself, but maybe `update-flake-lock` works a little differently and does require this.
I'll give it a go and report back!
from update-flake-lock.
Wow. That actually did the trick.
Thank you!
from update-flake-lock.
I don't see anything obvious that would be causing your issue.
However, I have one hunch -- the error message appears to happen when we're delegating to the `peter-evans/create-pull-request` action, around where it's trying to push the update-flake-lock commit to your repository and subsequently open a PR. If your organization/repository restricts workflow permissions by default, you may need to give the job that runs update-flake-lock explicit `contents: write` and `pull-requests: write` permissions, i.e.:
```yaml
name: update-flake-lock
on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * *' # runs nightly at 00:00 UTC
jobs:
  # Updates the pint-src flake input and opens a PR with the updated flake.lock.
  lockfile:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.SSH_KEY_BASE }}
            ${{ secrets.SSH_KEY_PINT }}
      - uses: DeterminateSystems/nix-installer-action@v10
      - uses: DeterminateSystems/update-flake-lock@main
        with:
          inputs: pint-src
```
If that doesn't work, their documentation also calls out the need to make sure the repo allows GitHub Actions to create PRs in the first place (https://github.com/peter-evans/create-pull-request?tab=readme-ov-file#workflow-permissions) by changing the setting at "Actions > General > Workflow permissions".
Would you mind trying that out and let me know how it goes?
from update-flake-lock.
Thank you for the quick response!
Just letting you know that so far I have tried adding `permissions:` to the job as above, however it looks like this is not enough and the same error is occurring.
I'm organising with the team to get the "Workflow Permissions" setting changed and I'll report back whether or not this helps!
from update-flake-lock.
Turns out our setting was organisation-wide (i.e. Org > Settings > Actions > Workflow Permissions).
Unfortunately, changing it from read-only to "Read and Write" doesn't seem to have fixed the issue - the same error is occurring.
Here is the full log for the updated action, this time with debug output enabled:
from update-flake-lock.
Hmmmm, interesting. Could you try setting the `token` argument on the `update-flake-lock` action to a GitHub PAT with the `repo` scope and see if that lets it continue?
from update-flake-lock.
I
- created a fine-grained PAT with access to the repo with read/write permissions for both "Content" and "Pull Requests"
- added it as a secret to the repository
- updated the workflow's `update-flake-lock` action with the `token` argument set to the new PAT token secret

alas, still running into the same error 🥴
The updated workflow log:
🤔
from update-flake-lock.
Finally got access and confirmed the PAT is available, though it appears that it still isn't getting used, and the workflow appears to still be running into the same "Checking the base repository state" issue 🤔
from update-flake-lock.
AHA! I think I see the issue now!
As the SSH keys are deploy keys, I was looking at how the `ssh-agent` action expects you to set them up, and I noticed that they require a special comment on the key -- as you already did.
HOWEVER, you're trying to push to `essential-contributions/pint.nix`, whereas the only deploy keys available are for `essential-contributions/essential-base` and `essential-contributions/pint`, NOT `essential-contributions/pint.nix`:

```
2024-05-07T05:09:25.6497221Z Added deploy-key mapping: Use identity '/home/runner/.ssh/key-...' for GitHub repository essential-contributions/essential-base
2024-05-07T05:09:25.6763124Z Added deploy-key mapping: Use identity '/home/runner/.ssh/key-...' for GitHub repository essential-contributions/pint
[..snip..]
2024-05-07T05:09:33.3375573Z Pull request branch target repository set to essential-contributions/pint.nix
```

If `pint` and `pint.nix` are separate repos, I think you'll need another deploy key specifically for `pint.nix`.
from update-flake-lock.
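
The mismatch described in the comment above can be checked mechanically from a run log. This is an added example, not code from the thread or from either action; the two log message formats are taken from the excerpt quoted above, and the function name `check_push_targets` is hypothetical.

```python
import re

# Log lines as quoted in the thread (the "[..snip..]" gap is simply omitted).
SAMPLE_LOG = """\
2024-05-07T05:09:25.6497221Z Added deploy-key mapping: Use identity '/home/runner/.ssh/key-...' for GitHub repository essential-contributions/essential-base
2024-05-07T05:09:25.6763124Z Added deploy-key mapping: Use identity '/home/runner/.ssh/key-...' for GitHub repository essential-contributions/pint
2024-05-07T05:09:33.3375573Z Pull request branch target repository set to essential-contributions/pint.nix
"""

MAPPING_RE = re.compile(
    r"Added deploy-key mapping: Use identity '[^']*' for GitHub repository (\S+)"
)
TARGET_RE = re.compile(r"Pull request branch target repository set to (\S+)")


def check_push_targets(log_text):
    """For each PR target repo in the log, report whether a deploy key maps to it.

    A deploy key is scoped to exactly one repository, so the comparison is an
    exact (case-insensitive) match on owner/name. Mapped repos whose name is a
    prefix of the target are listed as near misses: they look like they should
    cover the target but do not.
    """
    mapped, targets = set(), []
    for line in log_text.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            mapped.add(m.group(1).lower())
            continue
        t = TARGET_RE.search(line)
        if t and t.group(1).lower() not in targets:
            targets.append(t.group(1).lower())

    report = {}
    for target in targets:
        report[target] = {
            "covered": target in mapped,
            "near_misses": sorted(
                r for r in mapped if r != target and target.startswith(r)
            ),
        }
    return report


if __name__ == "__main__":
    for repo, result in check_push_targets(SAMPLE_LOG).items():
        status = "ok" if result["covered"] else "NO DEPLOY KEY"
        print(f"{repo}: {status} (near misses: {result['near_misses']})")
```
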
I think this issue has since been resolved -- feel free to reopen if that's not the case!
from update-flake-lock.