
Cannot push to open source repo using community user bot #864

Closed
jaronoff97 opened this issue May 9, 2023 · 9 comments

Comments

@jaronoff97

Troubleshooting

Behaviour

Steps to reproduce this issue

  1. Create a community organization in docker hub
  2. Add a community user
  3. create PAT for community user
  4. use example here to push image to both ghcr and docker hub
  5. Let action run on PR merge

Expected behaviour

Image should be pushed successfully to both repositories

Actual behaviour

ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed
Error: buildx failed with: ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed

Configuration

name: "Publish Java Auto-Instrumentation"

on:
  push:
    paths:
      - 'autoinstrumentation/java/**'
      - '.github/workflows/publish-autoinstrumentation-java.yaml'
    branches:
      - main
  pull_request:
    paths:
      - 'autoinstrumentation/java/**'
      - '.github/workflows/publish-autoinstrumentation-java.yaml'
  workflow_dispatch:

jobs:
  publish:
    runs-on: ubuntu-20.04

    steps:
      - uses: actions/checkout@v3

      - name: Read version
        run: echo "VERSION=$(cat autoinstrumentation/java/version.txt)" >> $GITHUB_ENV

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: |
            otel/autoinstrumentation-java
            ghcr.io/open-telemetry/opentelemetry-operator/autoinstrumentation-java
          tags: |
            type=match,pattern=v(.*),group=1,value=v${{ env.VERSION }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-
      - name: Log into Docker.io
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to GitHub Package Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: autoinstrumentation/java
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name == 'push' }}
          build-args: version=${{ env.VERSION }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

Logs

logs.txt

@crazy-max
Member

crazy-max commented May 9, 2023

#14 exporting to image
#14 pushing layers 0.3s done
#14 ERROR: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed
------
 > exporting to image:
------
ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed

Looks like ${{ secrets.DOCKER_USERNAME }} user and/or ${{ secrets.DOCKER_PASSWORD }} token does not have enough perms to push to otel/autoinstrumentation-java. Does it work locally?

@jaronoff97
Author

@crazy-max we've confirmed that the user has the read/write scope for the community organization and that the action is indeed using that username/password combination. These are confidential and unfortunately I do not have access to the credentials to run it locally. I was able to make a fork for my non-community organization on docker hub and it worked successfully.

@codeboten

Fwiw, the login action succeeds

@crazy-max
Member

> Fwiw, the login action succeeds

Yes, auth succeeds but this user does not have enough perms to push to https://hub.docker.com/r/otel/autoinstrumentation-java.

> These are confidential and unfortunately I do not have access to the credentials to run it locally.

Is someone else with the credentials able to repro locally?

> non-community organization on docker hub and it worked successfully

Can you check if ${{ secrets.DOCKER_USERNAME }} is a member of the otel organization and also its affected team has read/write access to https://hub.docker.com/r/otel/autoinstrumentation-java?

@crazy-max
Member

> 2. Add a community user

That does not seem enough. I think you need first to affect this user to a team in the org and set the perms to push to the repo.

@jaronoff97
Author

@crazy-max waiting on hearing back from a teammate about your questions, thank you for the response. Just a brief Q: any chance this could be related to #160?

@tigrannajaryan

tigrannajaryan commented May 9, 2023

> Can you check if ${{ secrets.DOCKER_USERNAME }} is a member of the otel organization and also its affected team has read/write access to https://hub.docker.com/r/otel/autoinstrumentation-java?

The user is otelbot and it is a member of otel organization. The access token we use has Read & Write permissions to otel org.

The user is otelbot and it is a member of bots which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?

@tigrannajaryan

> The user is otelbot and it is a member of bots which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?

It appears giving the team the Read & Write permission solves the problem.

However, this looks wrong to me. If I give the user the permission directly to the entire org (via their access token permissions), shouldn't that have a precedence over what permission they have indirectly via the team they belong to?

I believe this is how it worked in the past, so something may have changed recently in how the permissions are calculated.

@crazy-max
Member

> The user is otelbot and it is a member of bots which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?
>
> It appears giving the team the Read & Write permission solves the problem.
>
> However, this looks wrong to me. If I give the user the permission directly to the entire org (via their access token permissions), shouldn't that have a precedence over what permission they have indirectly via the team they belong to?
>
> I believe this is how it worked in the past, so something may have changed recently in how the permissions are calculated.

Thanks for your feedback, can you open an issue on https://github.com/docker/hub-feedback/issues about it please?
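The thread above hinges on the difference between a login that succeeds and a token that was never granted push on the repository. As an added example (not code from this issue or from docker/build-push-action), the script below requests a Docker Hub registry token for pull+push and reads back which actions the token server actually granted, which is the check a maintainer can run before wiring a bot PAT into CI. The repository name is the one from the issue; the sample JWT is constructed and unsigned, and `fetch_token` is the only part that touches the network.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

AUTH_URL = "https://auth.docker.io/token"  # Docker Hub's registry token server
SERVICE = "registry.docker.io"

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def granted_actions(jwt: str, repo: str) -> set:
    """Actions the token server actually granted for `repo` in the token's 'access' claim."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    actions = set()
    for entry in payload.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repo:
            actions.update(entry.get("actions", []))
    return actions

def diagnose(jwt: str, repo: str) -> str:
    """Map the granted actions onto the outcomes discussed in this issue."""
    actions = granted_actions(jwt, repo)
    if "push" in actions:
        return "ok: push granted"
    if "pull" in actions:
        return "insufficient_scope: login works but push not granted (check team/repo permissions)"
    return "no access granted to this repository"

def fetch_token(username: str, pat: str, repo: str) -> str:
    """Request a pull+push token from Docker Hub with basic auth (network call, not run offline)."""
    query = urlencode({"service": SERVICE, "scope": f"repository:{repo}:pull,push"})
    req = urllib.request.Request(f"{AUTH_URL}?{query}")
    cred = base64.b64encode(f"{username}:{pat}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["token"]

def unsigned_jwt(payload: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only; real Hub tokens are signed."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}."

# Constructed sample mirroring the issue: auth succeeded but only 'pull' was granted.
SAMPLE_REPO = "otel/autoinstrumentation-java"
SAMPLE_JWT = unsigned_jwt({"access": [{"type": "repository", "name": SAMPLE_REPO, "actions": ["pull"]}]})
```

With real credentials, `diagnose(fetch_token(user, pat, repo), repo)` reports whether the bot's team grants push before the workflow's Build and push step ever runs.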
