
Comments (21)

jdbruijn avatar jdbruijn commented on June 2, 2024 2

> It's not mandatory to install any app, so I'm not sure what you're referring to

To elaborate, as I understand @ben-foxmoore is trying to use the recently added GitHub App example to authenticate the self-hosted Renovate instance. You indeed don't have to use that method and could use a PAT or your account or a bot account in your organisation for authentication.

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024 1

I think the GraphQL was a red herring - me misunderstanding the log files.

Yes, that looks exactly the same as the errors I'm seeing - I've made my logs public as well so you can see the latest here. For completeness, my permissions are like this now:

Administration No access
Contents Read & write
Metadata Read-only
Pull requests Read & write
Commit statuses No access
Workflows Read & write

Bold indicates difference from @jdbruijn's App permissions.

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024 1

Ah, yes, I needed to give Read-only access to Administration - this was one of the differences between my configuration and @jdbruijn's.

For the username, after looking at the contents from the REST API, the username needs to be set to NAME_OF_APP[bot] - the [bot] at the end is critical to it matching correctly.

After both of these changes, Renovate seems to be running correctly! Thanks for the help in this thread. I'll try to contribute some updated documentation for the main README.

An aside, but I think that Github does actually allow branch protection for public repos even with free accounts now

from github-action.

rarkins avatar rarkins commented on June 2, 2024

It's not mandatory to install any app, so I'm not sure what you're referring to

from github-action.

jdbruijn avatar jdbruijn commented on June 2, 2024

@ben-foxmoore I've never used the GitHub Apps either, but had a try to get the steps down for you. I've got it working now in my jdbruijn/renovate-test repo. You indeed need to install the GitHub App in your account. The configuration below worked for me, but I didn't try a different user so not sure whether it needs to be the user that has installed the app or not. Please see that repository for the configuration, and note that the configuration is just for the self-hosted Renovate instance. The repo you're updating, jdbruijn/homebrew-caboodle in my case, still needs to have its own Renovate configuration.

Hope this helps, let me know if you have any issues or questions! I'll try to clarify the docs for this example now I've actually used it myself 😉

const branchName = 'github-renovate';

module.exports = {
    branchPrefix: `${branchName}/`,
    dependencyDashboardTitle: 'Dependency Dashboard self-hosted',
    gitAuthor: 'Renovate Bot <[email protected]>',
    onboarding: true,
    onboardingBranch: `${branchName}/configure`,
    platform: 'github',
    dryRun: false,
    username: 'jdbruijn',
    repositories: [
        'jdbruijn/homebrew-caboodle',
    ],
};

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024

> It's not mandatory to install any app, so I'm not sure what you're referring to

> To elaborate, as I understand @ben-foxmoore is trying to use the recently added GitHub App example to authenticate the self-hosted Renovate instance. You indeed don't have to use that method and could use a PAT or your account or a bot account in your organisation for authentication.

@rarkins Sorry for not explaining myself very well. It's exactly as @jdbruijn described - I was trying to use the GitHub App option as the README mentions this gives you more discrete control over the actions the Bot can perform.

from github-action.

jdbruijn avatar jdbruijn commented on June 2, 2024

@ben-foxmoore Did you manage to get it working?

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024

> @ben-foxmoore I've never used the GitHub Apps either, but had a try to get the steps down for you. I've got it working now in my jdbruijn/renovate-test repo. You indeed need to install the GitHub App in your account. The configuration below worked for me, but I didn't try a different user so not sure whether it needs to be the user that has installed the app or not. Please see that repository for the configuration, and note that the configuration is just for the self-hosted Renovate instance. The repo you're updating, jdbruijn/homebrew-caboodle in my case, still needs to have its own Renovate configuration.
>
> Hope this helps, let me know if you have any issues or questions! I'll try to clarify the docs for this example now I've actually used it myself 😉
>
> const branchName = 'github-renovate';
>
> module.exports = {
>     branchPrefix: `${branchName}/`,
>     dependencyDashboardTitle: 'Dependency Dashboard self-hosted',
>     gitAuthor: 'Renovate Bot <[email protected]>',
>     onboarding: true,
>     onboardingBranch: `${branchName}/configure`,
>     platform: 'github',
>     dryRun: false,
>     username: 'jdbruijn',
>     repositories: [
>         'jdbruijn/homebrew-caboodle',
>     ],
> };

This is exactly the situation I was trying to get working yesterday (at least, I think it is!) Two accounts on my personal account - one for the Bot configuration and Cron-scheduled Action, and one for the software I wanted the Bot to "renovate". The GitHub App I created was also on my personal account, so no organizations involved at this point.

I was trying to get this basic setup working first, before then extending it to our organization, but maybe that was a mistake. Regardless, I really appreciate the effort you've gone to explain a working setup. I'll give that a go later this weekend. Thanks @jdbruijn !

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024

I've made good progress thanks to @jdbruijn's recommended setup. I think what made the difference was using renovatebot/[email protected] instead of v21.30.0. I had knowingly left it at that older version thinking that was a good first job for the bot to resolve (as a test), but stupidly hadn't considered that this actually might be the cause of my problems. I've also switched to using the renovate-config.json for the Bot config.

This worked and triggered the creation of the Onboarding PR, however once merged, the Workflow failed again. Looking at the logs, it was trying to update my Workflow as some of the Actions were out-of-date. I'm aware that there are various permission issues related to this, so I checked in my Apps settings, and noticed that the permission for Workflows was on No Access. I updated it to Read & Write:
After this change, the PRs are created properly. Would it make sense to add this to the documentation in the main README? As I understand it, self-hosted bots using the PAT don't have this issue, so it might be useful to mention specifically in the App section.

Unfortunately, I'm still having a few issues related to GraphQL and with Renovate seemingly attempting to create PRs that already exist. Still digging into that..

from github-action.

jdbruijn avatar jdbruijn commented on June 2, 2024

Good to see you're making progress!

The required permissions strongly depend on the use case, e.g. what is updated, how is it updated (PR/branch merge), target branch protection rules, etc. On that regard, it'd be great to have a list of required app permissions for some standard configurations, like merging via PR, using branch protection rules and updating GitHub Action workflows.

> Unfortunately, I'm still having a few issues related to GraphQL and with Renovate seemingly attempting to create PRs that already exist. Still digging into that..

I'm not sure about the GraphQL issues, but I've seen the issue with the PR's creation as well and just did a little bit of digging. This log from my run shows the specific issue. Mine was on a POST https://api.github.com/repos/jdbruijn/homebrew-caboodle/pulls request, and I'm sure the app has the right permissions, namely Permission on "pull requests". And the pull request indeed exists: jdbruijn/homebrew-caboodle#6. In my case the issue might be that Renovate seems to think the PR doesn't exist, although it is also checking for PR edits, so I'm not sure what it thinks about the PR. @rarkins @viceice Could this be a bug in Renovate possibly?

Response code 422 (Unprocessable Entity)"
...
             "errors": [
               {
                 "resource": "PullRequest",
                 "code": "custom",
                 "message": "A pull request already exists for jdbruijn:github-renovate/convict-5.x."
               }
             ],

from github-action.

jdbruijn avatar jdbruijn commented on June 2, 2024

Oh, BTW my permissions ATM. Only other than No access listed.

Administration Read-only
Contents Read & write
Metadata Read-only
Pull requests Read & write
Commit statuses Read & write

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024

Oh, one thing I've just noticed is that your Workflow still runs to completion and is marked as successful. I guess you've not done anything special to achieve that? At the end of my log, I see this error message:

 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 50,
           "logContext": "c5yDNLlSs",
           "repository": "ben-foxmoore/renovate-bot",
           "gqlRes": null,
           "msg": "Error fetching GraphQL nodes"
         }
       ]

Maybe the GraphQL is a real second, separate issue..

from github-action.

rarkins avatar rarkins commented on June 2, 2024

If you're seeing A pull request already exists then it's most likely because the PR was created by a different app or user account than is currently running. When Renovate checks for a PR existing it only looks for ones it created itself, using its username as a lookup.

from github-action.

jdbruijn avatar jdbruijn commented on June 2, 2024

> If you're seeing A pull request already exists then it's most likely because the PR was created by a different app or user account than is currently running. When Renovate checks for a PR existing it only looks for ones it created itself, using its username as a lookup.

That actually makes a lot of sense, thanks for elaborating! I'll try if I'm allowed to use username: 'renovate', in my Renovate configuration file or the app authentication is linked to the app-creator user.

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024

I've just tried changing the username to match the name I gave the bot, and while I think it resolves the issue of not finding the PR, it creates an alternative issue:

"response": {
  "statusCode": 403,
  "statusMessage": "Forbidden",
  "body": {
    "message": "Resource not accessible by integration",
    "documentation_url": "https://docs.github.com/rest/reference/repos#get-branch-protection"
  },

Full log here

I've verified via cURL that this seems to be directly related to authorizing via an App token (retrieved using hamelsmu/app-token which we're using in the Workflow):

[ben@thoth ~]$ curl   -H "Accept: application/vnd.github.v3+json"  https://api.github.com/repos/ben-foxmoore/renovate-bot/branches/main/protection
{
  "message": "Not Found",
  "documentation_url": "https://docs.github.com/rest/reference/repos#get-branch-protection"
}
[ben@thoth ~]$ curl   -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $VALID_APP_TOKEN"  https://api.github.com/repos/ben-foxmoore/renovate-bot/branches/main/protection
{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/reference/repos#get-branch-protection"
}

In the first case, without authorization, we get the expected value - a 404 because I haven't enabled any protection - but with the App auth, we get a 403. I wonder if this is just something on Github's side that can't be fixed?

from github-action.

rarkins avatar rarkins commented on June 2, 2024

Is the problem that you haven't granted the app all the permissions it needs, or that you're using a free account where GitHub doesn't allow branch protection?

from github-action.

viceice avatar viceice commented on June 2, 2024

> An aside, but I think that Github does actually allow branch protection for public repos even with free accounts now

Yes, for public repos only.

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024

I'm trying to take the next step of using autodiscover to enable the bot for all repositories that the App has been given access to. If you'd prefer, we can split this into separate issues, but it's all related to the topic of using a Github App instead of a User account.

After switching from explicitly listing repositories that the bot should check to autodiscover: true, the following error message appears:

   ...
   "url": "https://api.github.com/user/repos?per_page=100",
   "username": "",
   "password": "",
   "method": "GET",
   "http2": false
 },
 "response": {
   "statusCode": 403,
   "statusMessage": "Forbidden",
   "body": {
     "message": "Resource not accessible by integration",
     "documentation_url": "https://docs.github.com/rest/reference/repos#list-repositories-for-the-authenticated-user"
   },
   ...

This error message makes sense - the /user/repos API retrieves the list of repos available to the authenticated user. As I understand it, the token which is retrieved via the Github App is not a PAT, so the bot isn't an "authenticated user" at this point.

I was hoping that there would be a way for the bot to discover the list of repositories which the App has been given access to:

The API to retrieve this list appears to be /installation/repositories but obviously this isn't applicable to the regular way of running renovatebot via a PAT. @rarkins would you be open to support for this making it into renovatebot? If it were to remain outside, I guess I could dynamically fill the renovate-config.js based on the output of the /installation/repositories call.

from github-action.

rarkins avatar rarkins commented on June 2, 2024

This has strayed too far off-topic. Let's keep topics separated as well as in the right repos. Anything about discovering repos when using an app token is part of the main repo, not here.

from github-action.

ben-foxmoore avatar ben-foxmoore commented on June 2, 2024

Understood - will close this, and sort out a PR for the username and permission changes that I needed.

from github-action.

bukowa avatar bukowa commented on June 2, 2024

> Understood - will close this, and sort out a PR for the username and permission changes that I needed.

Thank you very much for your investigation!
These settings did the trick for me

  "username": "name-of-my-app[bot]",
  "gitAuthor": "name-of-my-app <$BOT_ID+name-of-my-app[bot]@users.noreply.github.com>",

To get $BOT_ID for the email:

  curl https://api.github.com/users/name-of-my-app%5Bbot%5D -H "Authorization: Bearer $TOKEN"

from github-action.
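
One way to generate the username and gitAuthor settings from the last comment, together with the repository list that an earlier comment proposed filling from /installation/repositories, as an added example that is not code from the thread or from Renovate. The helper names and sample payloads are constructed; the response fields used (`login`, `id`, `type`, `total_count`, `repositories[].full_name`) are those of the GitHub REST API.

```javascript
// Added example: constructed payloads, hypothetical helper names.

// Login GitHub gives an App's bot account: "<app-slug>[bot]".
function botLogin(appSlug) {
  return appSlug.endsWith('[bot]') ? appSlug : `${appSlug}[bot]`;
}

// Path for GET /users/{login}; "[" and "]" become %5B and %5D.
function botUserPath(appSlug) {
  return `/users/${encodeURIComponent(botLogin(appSlug))}`;
}

// botUser: body of GET /users/<slug>[bot].
// repoPages: bodies of GET /installation/repositories, one per page.
function buildRenovateConfig(appSlug, botUser, repoPages) {
  const login = botLogin(appSlug);
  if (botUser.login !== login || botUser.type !== 'Bot') {
    throw new Error(`expected Bot account ${login}, got ${botUser.login}`);
  }
  const repos = repoPages.flatMap((page) => page.repositories);
  const expected = repoPages.length ? repoPages[0].total_count : 0;
  if (repos.length !== expected) {
    // A missing page would silently drop repositories from the run.
    throw new Error(`got ${repos.length} of ${expected} repositories`);
  }
  const name = login.slice(0, -'[bot]'.length);
  return {
    platform: 'github',
    username: login,
    gitAuthor: `${name} <${botUser.id}+${login}@users.noreply.github.com>`,
    repositories: repos.map((r) => r.full_name).sort(),
  };
}

// Constructed sample responses (not real accounts or repositories).
const sampleBotUser = { login: 'name-of-my-app[bot]', id: 1234567, type: 'Bot' };
const sampleRepoPages = [
  { total_count: 3, repositories: [{ full_name: 'example-org/web' }, { full_name: 'example-org/api' }] },
  { total_count: 3, repositories: [{ full_name: 'example-org/docs' }] },
];

console.log(botUserPath('name-of-my-app'));
console.log(buildRenovateConfig('name-of-my-app', sampleBotUser, sampleRepoPages));
```

The returned object can be written out as the self-hosted Renovate config in place of a hand-maintained repositories list; the account-type check stops a run from starting under a username that does not match the App's bot login.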
