Occasionally authenticating with github.token fails when doing git push

I’ve created a GitHub action to help with backporting pull requests to different branches. On occasion pushing to the branch fails; I’ve found no discernible reason for this.

You can have a look at the action’s source, but here is what it does.

github.token is passed via the action’s input as the default value in action.yml:

inputs:
  token:
    default: ${{ github.token }}

Value for the Authorization header is derived from the INPUT_TOKEN environment variable:

local auth=$(tmp=$(echo -n x-access-token:${INPUT_TOKEN}|base64); echo -n ${tmp/$'\n'/});

When performing git push, the authorization header is passed in as an extra header:

git -c "http.extraheader=Authorization: basic ${auth}" push --set-upstream origin ${backport_branch}

I have examples when this works, and when it fails with an error:

+ git -c 'http.extraheader=Authorization: basic ***' push --set-upstream origin backport/7541-to-1.10.x
remote: Permission to syndesisio/syndesis.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/syndesisio/syndesis.git/': The requested URL returned error: 403

By noticing that the 403 response contains the username github-actions[bot] it seems that the token was passed correctly. What am I missing?
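
As an added example (not part of the original post or the action's source), the header derivation described above can be written so that every line break is stripped and the value is checked before git uses it. The function names `basic_auth_value`, `header_value_ok` and `push_branch` are hypothetical, and any tokens used to exercise them are constructed.

```shell
# Constructed sample values only; no real credential appears in this block.

# Value for "Authorization: basic <value>". tr drops every line break,
# because GNU base64 wraps its output at 76 columns for longer inputs.
basic_auth_value() {
  printf 'x-access-token:%s' "$1" | base64 | tr -d '\r\n'
}

# Succeeds only if $1 is a single line that decodes back to
# "x-access-token:<$2>". A value that fails here yields a malformed header.
header_value_ok() {
  nl='
'
  case $1 in
    *"$nl"*) return 1 ;;   # an embedded line break would split the header
  esac
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  [ "$decoded" = "x-access-token:$2" ]
}

# Hypothetical wrapper around the push from the post: validate first, mask the
# derived value in the job log, then push. $1 = token, $2 = branch.
push_branch() {
  auth=$(basic_auth_value "$1")
  header_value_ok "$auth" "$1" || { echo "bad Authorization value" >&2; return 1; }
  echo "::add-mask::${auth}"
  git -c "http.extraheader=Authorization: basic ${auth}" \
    push --set-upstream origin "$2"
}
```

Running `header_value_ok` in the step before the push separates a malformed header from a permission decision made on the server side.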

@zregvart,

I also tested your action in a few of my repositories, but I didn’t reproduce the 403 error you reported; the action works fine on my side.

Typically, a 403 error is returned when the password/token does not exist or has expired.

It’s very strange that the 403 error occurs with github.token. The GITHUB_TOKEN (github.token) does indeed expire after 60 minutes, but judging by the run time of your workflow run, it took well under an hour.

I have reported this ticket to the appropriate engineering team on your behalf for further investigation and evaluation. If they make any progress, I will notify you in time, and sometimes the engineers may reply to you here directly.

@zregvart,

Can you check if the problem still exists when using ${{ github.token }}?

If ${{ github.token }} still does not work, you can switch to using ${{ secrets.GITHUB_TOKEN }}.

NOTE:

1) The GITHUB_TOKEN is generated at the time the workflow starts, and the github.token is generated after the workflow run has started.

2) The github.token is functionally equivalent to the GITHUB_TOKEN, but their token values may not be the same. Recently, the engineering team made a fix so that the token value of github.token is the same as that of GITHUB_TOKEN.

Hi @brightran, I’ve retried and the action has failed. I’ve also noticed that the ${{ secrets.GITHUB_TOKEN }} syntax is not recognized in action.yml, i.e. this now fails with a syntax error. For completeness, this is the change I’ve made to action.yml.

@zregvart,

No, you should try ${{ secrets.GITHUB_TOKEN }} directly in the workflow where you use the action, not in the action.yml of the action.

name: Backport pull request
steps:
  - uses: syndesisio/backport-action@v1
    with:
      token: ${{ secrets.GITHUB_TOKEN }}

@brightran same issue with this change. I must be missing something else here.

@zregvart,

Sorry for that.

I have passed these details to the appropriate engineering team; they are investigating this issue. If there is any progress, I will notify you in time.