💡 Feature proposal

Use-cases

In our destination repo, we want to have certain files that are only contained in it and not overwritten when pushed to. Specifically we have different github actions in the destination repo vs the SoT repo and don't want them overwritten.

Attempted solutions

I have already added pr_exludes to the github action config and it does not seem to be working. The other solution would be to just use our completely custom copy.bara.sky file, but that removes a lot of the magic of this code that is very nice.

Proposal

add destination_files = glob(PR_INCLUDE, exclude = PR_EXCLUDE), to the push workflow

🪲 Bug report

Summary

Cannot use ecc keys

Expected behavior

Ecc keys should work for ssh keys

Actual behavior

Action failed.

Steps to reproduce the problem

Instead of a RSA key, set a ecc ssh key.

Environment

• Version:

Possible fix

Rename the ssh key extension.

🪲 Bug report

Summary

set-output will be deprecated. In order to fix this problem, @actions/core needs to be updated actions/toolkit#1218
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Expected behavior

Actual behavior

Steps to reproduce the problem

Environment

• Version: 1.2.2

Possible fix

10cc4ad

Hi! Thanks for working on this project.
Recently there's a critical bugfix in Copybara upstream and it'd be great if olivr/copybara image picks it up. It seems the image building action has been paused due to lack of activity.
https://github.com/Olivr/copybara-action/actions/workflows/copybara-docker.yml

Could you manually roll out a new docker build?
Thanks in advance!

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

💡 Feature proposal

When provided an access_token, use it for all git operations in additions to github operations. This way a single PAT manages all operations related to copybara. This feature is somewhat described here utilizing github credentials google/copybara#101

Use-cases

I want to copy files from one private repo to another private repo. A github PAT is created with access to both repos, but I do not have a ssh private key for either repo.

Example

action would configure git credentials with the PAT. Copybara would then perform operations utilizing the github pat in the credentials helper.

🪲 Bug report

Summary

GitHub changes their SSH RSA host key - https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

The old host key is hard coded here -

This action now fails because it cannot connect via SSH

Please make sure you have the correct access rights
and the repository exists.

Expected behavior

It runs

Actual behavior

The GitHub action fails with:

docker.io/olivr/copybara:latest
/usr/bin/docker run -v /home/runner/work/core/core:/usr/src/app -v /home/runner/.ssh/id_rsa:/root/.ssh/id_rsa -v /home/runner/.ssh/known_hosts:/root/.ssh/known_hosts -v /home/runner/copy.bara.sky:/root/copy.bara.sky -v /home/runner/.gitconfig:/root/.gitconfig -v /home/runner/.git-credentials:/root/.git-credentials -e COPYBARA_CONFIG=/root/copy.bara.sky -e COPYBARA_WORKFLOW=push -e COPYBARA_OPTIONS olivr/copybara copybara
Mar 27, 2023 9:09:30 AM com.google.copybara.Main configureLog
INFO: Setting up LogManager
Copybara source mover (Version: Unknown version)
0327 09:09:30.825 TASK: Cleaning output directory
0327 09:09:30.838 TASK: Running migrate
0327 09:09:30.840 TASK: Loading config /root/copy.bara.sky
0327 09:09:30.991 TASK: Validating configuration
0327 09:09:30.994 TASK: Getting last revision: Resolving origin reference
0327 09:09:30.995 TASK: Git Origin: Initializing local repo
0327 09:09:33.839 TASK: Git Destination: Fetching: [email protected]:sourcery-ai/sourcery-rules.git refs/heads/main
0327 09:09:33.915 ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for github.com has changed,
and the key for the corresponding IP address 140.[82](https://github.com/sourcery-ai/core/actions/runs/4523471705/jobs/7979921608#step:3:83).112.3
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/root/.ssh/known_hosts" -R "github.com"
RSA host key for github.com has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.

Steps to reproduce the problem

Environment

• Version:

Possible fix

Change the githubKnownHost to the new value found here

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

🪲 Bug report

Summary

Copybara stops its process with error 'Cannot find reference 'refs/copybara_fetch/main' even running the copybara-action after GitHub checkout action (actions/checkout@v3). Tuning on the actions debug flag and download the generated copy.bara.sky file and running the same push operation locally with cloning the origin repo worked fine. The issue only happens run the copybara though the copybara-action.

Expected behavior

Copybara runs push operation successfully

Actual behavior

Copybara stops push operation with the error

Steps to reproduce the problem

Prerequisites:
source: our private monorepo on GitHub (default branch is main)
target: our private sub repository GitHub (default branch is main)

1. Add Github Actions file with the folloging config

name: test
on:
  pull_request:
    ... 
  push:
    branches:
      - main
    paths:
      - <our monorepo subdir to be copied to target>
jobs:
  sync:
    name: Sync
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: Olivr/[email protected]
        with:
          ssh_key: ${{ secrets.SSH_KEY }}
          access_token: ${{ secrets.GH_TOKEN }}
          sot_repo: <our private monorepo>
          destination_repo: <our private sub-repo>
          push_include: "<our monorepo subdir to be copied to target>"
          pr_move: |
            ||<our monorepo subdir to be copied to target>
          copybara_options: --force --init-history

2. make PR topic -> main and merge
3. Run actions triggered by push to main

Environment

• Github Actions
• Running action on ubuntu-latest

• Version:
  v1.2.3

Possible fix

• Using custom config and specify remote source of truth instead of local SOT resolves the issue so I suspect something happens
  on using local SOT.

core.workflow(
    name = "push",
    origin = git.github_origin(
        url = "[email protected]:<sot_repo_name>.git",
        ref = "main",
    ),
    destination = git.destination(
        url = "[email protected]:<target_repo_name>.git",
        fetch = "main",
        push = "main",
    ),
    origin_files = glob(["<path>/**"]),
    destination_files = glob(["**"]),
    authoring = authoring.pass_thru("github-actions<[email protected]>"),
    transformations = [
    ],
)

As Github is case-insensitive regarding repository names (eg: you can both poll https://github.com/Olivr/copybara-action or https://github.com/olivr/copybara-action), we can easily make a mistake regarding the current repo name (the one in the URL) and the real one (as returned by the github context).