Setup action v0.2.1 failing on GitHub Enterprise Server #10
Comments
|
Alternatively fetching the |
|
Since recently, we have a similar problem on our GHES, also with the checkout step. In our case, the default branch cannot be determined by the checkout action, I believe because it is operating on github.com URLs. |
|
Hello @palloberg @m-breitbach But i investigated this issue and looks like we always need to use Can you test these changes with
We probably don't need to add input for |
|
Hi @DmitriyLewen. Thanks for looking into this.
For GHES the checkout action is using the hostname of the local GHE server ("the same instance that the workflow is running from unless specified" is what the docs there say), so doing as you did in your fork and hard-coding it to
When running on GHES the token created for the workflow is not valid on github.com. So a valid github.com token must be passed to the workflow in that case. If that is not set the default As long as that parameter is optional and defaults to Typically adding this to inputs:
githubcom-token:
description: >
Access token for reading from github.com when the action is running on GitHub Enterprise Server (GHES).
https://github.com/actions/create-github-app-token can be used to obtain such a token. The token only need to
be scoped with read access to public repositories.
default: ${{ github.token }}Then pass that input to The A user of GHES can then utilize https://github.com/actions/create-github-app-token to create a token for github.com and pass that to
That's true. Using |
|
@palloberg thanks for this information! |
|
Tested the |
If I may, I'd like to bring attention back to this comment. The checkout step is currently the only thing (that I could find) that requires a token, and it's only checking out a single file. Could we not just directly reference that shell script and avoid this entirely? I ask because my organization strongly discourages any use of github.com in favor of our own GHES instance, and therefore we don't have a good way to acquire a PAT needed for pulling from github.com. |
|
Hello @fletch3555 Unfortunately, there is no universal way to solve the problems for all users. We used this way in trivy-action: But users started reporting that their runners do not have curl, sudo, wget, etc. (see aquasecurity/trivy-action#403). |
|
@DmitriyLewen could it be done like other setup jobs then? For example, actions/setup-python does it as a nodejs action rather than a composite action. It fetches/runs a setup.sh script just like you are here but via nodejs code and therefore not requiring curl/wget/etc, and also not requiring sudo (though that's more about what's in the script, and I haven't looked at that closely). Alternatively, this used to be a docker-based action several versions ago. Switching back to that would also solve this as you would have full control over the environment. Though, I'm sure there was some reason for switching away from it. ETA - The only reason sudo is needed is because you're forcing it to install to a privileged directory ( |
We can't use
I created #15. But I don't have time to work on it now. If you have time - you can create a PR and we will consider it. |
|
I have stumbled upon this issue and I am here superconfused. Why on earth does a person running self-hosted GHES require a token from github.com to fetch data from the public github.com repository? It complicates an already complicated composition of moving parts and I am now looking for more predictable and robust ways to run trivy as part of the CI workflow unless there is a solid rationale on making simple things complex... |
Unfortunately, this is limitation of |
A decision was made under aquasecurity#10 to make setup-trivy work out of the box for GHES users who had _not_ mirrored aquasecurity/trivy to their GHES instance and who were using GitHub Connect for fetching actions from github.com However, a number of GHES deployments are airgapped and have taken the opposite approach, do not use GitHub Connect and instead use the actions-sync process to mirror allowed actions into the GHES instance. https://github.com/actions/actions-sync For those, it is helpful to allow the github-server-url to be overridden as an input to setup-trivy so that the actions/checkout does use the GHES instance as the source
Hi.
When running on a self hosted GitHub Enterprise Server (GHES) the new version of
setup-trivyis failing because it's using the checkout action without allowing thetokenandgithub-server-urlto be overridden. In that case it tries to check outcontrib/install.shfromaquasecurity/trivyon the local GHES instead of from https://github.com/aquasecurity/trivy.Updating
setup-trivy(and thetrivy-action) with optional parameters fortokenandgithub-server-urland passing those toactions/checkoutwould probably make it compatible with GHES as well (although more config would be needed for users of the action on GHES).The text was updated successfully, but these errors were encountered: