Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Accessing draft releases is not possible in GitHub runners using gh release list #9076

Closed
juanjjaramillo opened this issue May 13, 2024 · 5 comments
Labels
bug Something isn't working gh-release relating to the gh release command

Comments

@juanjjaramillo
Copy link

juanjjaramillo commented May 13, 2024

Describe the bug

The output of gh release list does not list draft releases when run on GitHub runners.

Steps to reproduce the behavior

On a GitHub runner, run the following command on a workflow:

gh release list

Expected vs actual behavior

Expected output

Here is the output when command is run on MacOS Sonoma 14.4.1 on an Apple M1 Max chip:

$ gh --version 
gh version 2.49.1 (2024-05-08)
https://github.com/cli/cli/releases/tag/v2.49.1

$ gh release list
TITLE                      TYPE    TAG NAME                   PUBLISHED       
v0.1.0                     Draft   v0.1.0                     about 2 days ago
k8s-agents-operator-0.0.0  Latest  k8s-agents-operator-0.0.0  about 2 days ago

Actual output

GitHub runner environment:

Current runner version: '2.316.1'
Operating System
  Ubuntu
  [2](https://github.com/newrelic/k8s-agents-operator/actions/runs/9062498302/job/24896492553#step:1:2)2.04.4
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20240422.1.0
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240422.1/images/ubuntu/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240422.1
Runner Image Provisioner
  2.0.[3](https://github.com/newrelic/k8s-agents-operator/actions/runs/9062498302/job/24896492553#step:1:3)69.1
GITHUB_TOKEN Permissions
  Contents: write
  Metadata: read
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/checkout@[4](https://github.com/newrelic/k8s-agents-operator/actions/runs/9062498302/job/24896492553#step:1:4)4c2b7a8a4ea60a981eaca3cf939b[5](https://github.com/newrelic/k8s-agents-operator/actions/runs/9062498302/job/24896492553#step:1:5)f4305c123b' (SHA:44c2b7a8a4ea[6](https://github.com/newrelic/k8s-agents-operator/actions/runs/9062498302/job/24896492553#step:1:7)0a981eaca3cf939b5f4305c123b)

Actual output:

Run echo "$( gh release list )"
  echo "$( gh release list )"
  shell: /usr/bin/bash -e {0}
  env:
    GITHUB_TOKEN: ***
k8s-agents-operator-0.0.0	Latest	k8s-agents-operator-0.0.0	2024-05-10T22:52:56Z
@juanjjaramillo juanjjaramillo added the bug Something isn't working label May 13, 2024
@cliAutomation cliAutomation added the needs-triage needs to be reviewed label May 13, 2024
@juanjjaramillo juanjjaramillo changed the title Accessing draft releases is not possible in GitHub runners Accessing draft releases is not possible in GitHub runners using gh release list May 13, 2024
@andyfeller
Copy link
Contributor

@juanjjaramillo : sorry to hear about the inconsistent experience; let's see if we can get to the bottom of what is going on! 👍

Are there any limitations to the Release REST API endpoints being used?

The code in question is based around pulling this data from GraphQL:

func fetchReleases(httpClient *http.Client, repo ghrepo.Interface, limit int, excludeDrafts bool, excludePreReleases bool, order string) ([]Release, error) {
type responseData struct {
Repository struct {
Releases struct {
Nodes []Release
PageInfo struct {
HasNextPage bool
EndCursor string
}
} `graphql:"releases(first: $perPage, orderBy: {field: CREATED_AT, direction: $direction}, after: $endCursor)"`
} `graphql:"repository(owner: $owner, name: $name)"`
}

Looking at the Repository GraphQL object documentation, it doesn't state any limitations. However, the "List releases" REST endpoint sheds some light on whats going on:

Information about published releases are available to everyone. Only users with push access will receive listings for draft releases.

@juanjjaramillo: What happens if you give the runner the ability to write releases?

@andyfeller andyfeller added gh-release relating to the gh release command and removed needs-triage needs to be reviewed labels May 16, 2024
@juanjjaramillo
Copy link
Author

juanjjaramillo commented May 16, 2024

Thank you @andyfeller for taking a look at the issue. Right now these are the current permissions we have:

GITHUB_TOKEN Permissions
  Contents: write
  Metadata: read

I thought that giving Contents: write is the correct permission for creating releases, please let me know if I have to add additional permissions to the token.

@juanjjaramillo
Copy link
Author

@andyfeller please let me know what to do next. As I mentioned above, I think we already have the needed permissions and the problem is still happening

@andyfeller
Copy link
Contributor

@andyfeller please let me know what to do next. As I mentioned above, I think we already have the needed permissions and the problem is still happening

@juanjjaramillo : thank you for your patience! 🙇 let's see if we can double check a few details

  1. contents permission is being granted to the automatic GITHUB_TOKEN for the job in question
  2. secrets.GITHUB_TOKEN is being used to set environment variable for the job or step in question
  3. gh release list is being called in a local repository cloned via actions/checkout and this is the same repository containing the draft releases
  4. when GH_DEBUG=api environment variable is set, the get draft releases API call specifies X-Oauth-Scopes with contents

When I take the following workflow and run it on a GitHub-managed runner, it shows me the v1.7.15-draft draft release:

name: List releases
on:
  workflow_dispatch:
jobs:
  list:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - env:
          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          GH_DEBUG=api gh release list

resulting in:

Run GH_DEBUG=api gh release list
[git remote -v]
[git config --get-regexp ^remote\..*\.gh-resolved$]
* Request at 2024-0[6](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:7)-03 21:20:48.208951162 +0000 UTC m=+0.121[7](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:8)22069
* Request to https://api.github.com/graphql
> POST /graphql HTTP/1.1
> Host: api.github.com
> Accept: application/vnd.github.merge-info-preview+json, application/vnd.github.nebula-preview
> Authorization: token ████████████████████
> Content-Length: 4[8](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:9)2
> Content-Type: application/json
> Graphql-Features: merge_queue
> Time-Zone: Etc/UTC
> User-Agent: GitHub CLI 2.4[9](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:10).2

GraphQL query:
query RepositoryReleaseList($direction:OrderDirection!$endCursor:String$name:String!$owner:String!$perPage:Int!){repository(owner: $owner, name: $name){releases(first: $perPage, orderBy: {field: CREATED_AT, direction: $direction}, after: $endCursor){nodes{name,tagName,isDraft,isLatest,isPrerelease,createdAt,publishedAt},pageInfo{hasNextPage,endCursor}}}}
GraphQL variables: {"direction":"DESC","endCursor":null,"name":"gh-nonsense-internal","owner":"tinyfists","perPage":30}

< HTTP/2.0 200 OK
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
< Content-Security-Policy: default-src 'none'
< Content-Type: application/json; charset=utf-8
< Date: Mon, 03 Jun 2024 21:20:48 GMT
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Server: GitHub.com
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Vary: Accept-Encoding, Accept, X-Requested-With
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-Github-Media-Type: github.v4; param=merge-info-preview.nebula-preview; format=json
< X-Github-Request-Id: EC41:19B7C:1174BDFE:1E07F52D:665E33B0
< X-Ratelimit-Limit: 5000
< X-Ratelimit-Remaining: 5000
< X-Ratelimit-Reset: 1717453248
< X-Ratelimit-Resource: graphql
< X-Ratelimit-Used: 1
< X-Xss-Protection: 0

{
  "data": {
    "repository": {
      "releases": {
        "nodes": [
          {
            "name": "v1.9.0-beta",
            "tagName": "v1.9.0-beta",
            "isDraft": false,
v1.9.0-beta	Latest	v1.9.0-beta	2024-03-06T12:40:33Z
            "isLatest": true,
v1.8.7-beta		v1.8.7-beta	2024-02-29T14:51:05Z
            "isPrerelease": false,
            "createdAt": "2024-03-06T01:13:55Z",
            "publishedAt": "2024-03-06T12:40:33Z"
v1.8.6-beta		v1.8.6-beta	2024-02-27T12:53:13Z
          },
          {
v1.8.5-beta		v1.8.5-beta	2024-02-26T22:40:20Z
            "name": "v1.8.7-beta",
v1.8.4-beta		v1.8.4-beta	2024-02-26T22:30:32Z
v1.8.3-beta		v1.8.3-beta	2024-02-26T22:04:[10](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:11)Z
            "tagName": "v1.8.7-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-27T13:06:55Z",
            "publishedAt": "2024-02-29T14:51:05Z"
          },
          {
            "name": "v1.8.6-beta",
            "tagName": "v1.8.6-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-27T12:46:25Z",
            "publishedAt": "2024-02-27T12:53:13Z"
          },
          {
            "name": "v1.8.5-beta",
            "tagName": "v1.8.5-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-26T22:38:59Z",
            "publishedAt": "2024-02-26T22:40:20Z"
          },
          {
            "name": "v1.8.4-beta",
            "tagName": "v1.8.4-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-26T22:28:50Z",
            "publishedAt": "2024-02-26T22:30:32Z"
          },
          {
            "name": "v1.8.3-beta",
            "tagName": "v1.8.3-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-26T22:00:44Z",
            "publishedAt": "2024-02-26T22:04:10Z"
          },
          {
            "name": "v1.8.2-beta",
            "tagName": "v1.8.2-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-26T19:38:23Z",
            "publishedAt": "2024-02-26T19:42:57Z"
          },
          {
            "name": "v1.8.1-beta",
            "tagName": "v1.8.1-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-26T19:38:23Z",
            "publishedAt": "2024-02-26T19:40:31Z"
          },
          {
            "name": "v1.7.17-beta",
            "tagName": "v1.7.17-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-23T18:59:41Z",
            "publishedAt": "2024-02-23T18:59:57Z"
          },
          {
            "name": "v1.7.16-beta",
            "tagName": "v1.7.16-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-23T18:55:47Z",
            "publishedAt": "2024-02-23T18:57:02Z"
          },
          {
            "name": "test",
            "tagName": "v1.7.15-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-23T18:45:20Z",
            "publishedAt": "2024-02-23T18:51:13Z"
          },
          {
            "name": "v1.7.15-draft",
            "tagName": "v1.7.15-draft",
            "isDraft": true,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-16T15:37:12Z",
            "publishedAt": null
          },
          {
            "name": "v1.7.14-beta",
            "tagName": "v1.7.14-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-15T16:04:51Z",
            "publishedAt": "2024-02-15T16:12:54Z"
          },
          {
            "name": "v1.7.13-beta",
            "tagName": "v1.7.13-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-15T16:04:51Z",
            "publishedAt": "2024-02-15T16:09:[11](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:12)Z"
          },
          {
            "name": "v1.7.[12](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:13)-beta",
            "tagName": "v1.7.12-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-15T16:04:51Z",
            "publishedAt": "2024-02-15T16:05:04Z"
          },
          {
            "name": "v1.7.11-beta",
            "tagName": "v1.7.11-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-15T15:43:56Z",
            "publishedAt": "2024-02-15T15:47:24Z"
          },
          {
            "name": "v1.7.10-beta",
            "tagName": "v1.7.10-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-15T15:24:57Z",
            "publishedAt": "2024-02-15T15:26:12Z"
          },
          {
            "name": "v1.7.8-beta",
            "tagName": "v1.7.8-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-15T15:20:56Z",
            "publishedAt": "2024-02-15T15:21:34Z"
          },
          {
            "name": "v1.7.7-beta",
            "tagName": "v1.7.7-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-15T15:01:18Z",
            "publishedAt": "2024-02-15T15:01:54Z"
          },
          {
            "name": "v1.7.6-beta",
            "tagName": "v1.7.6-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-15T14:58:43Z",
            "publishedAt": "2024-02-15T14:59:06Z"
          },
          {
            "name": "v1.7.5-beta",
            "tagName": "v1.7.5-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T20:21:27Z",
            "publishedAt": "2024-02-14T20:21:41Z"
          },
          {
            "name": "v1.7.4-beta",
            "tagName": "v1.7.4-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T20:18:04Z",
            "publishedAt": "2024-02-14T20:18:21Z"
          },
          {
            "name": "v1.7.3-beta",
            "tagName": "v1.7.3-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T20:14:29Z",
            "publishedAt": "2024-02-14T20:14:50Z"
          },
          {
            "name": "v1.7.2-beta",
            "tagName": "v1.7.2-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T20:03:27Z",
            "publishedAt": "2024-02-14T20:03:42Z"
          },
          {
            "name": "v1.7.1-beta",
            "tagName": "v1.7.1-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T19:55:52Z",
            "publishedAt": "2024-02-14T19:58:53Z"
          },
          {
            "name": "v1.7.0-beta",
            "tagName": "v1.7.0-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T17:00:30Z",
            "publishedAt": "2024-02-14T17:00:49Z"
          },
          {
            "name": "v1.6.9-beta",
            "tagName": "v1.6.9-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T16:59:11Z",
            "publishedAt": "2024-02-14T16:59:32Z"
          },
          {
            "name": "v1.6.8-beta",
            "tagName": "v1.6.8-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T16:53:31Z",
            "publishedAt": "2024-02-14T16:54:31Z"
          },
          {
            "name": "v1.6.7-beta",
            "tagName": "v1.6.7-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T16:26:24Z",
            "publishedAt": "2024-02-14T16:36:01Z"
          },
          {
            "name": "v1.6.6-beta",
            "tagName": "v1.6.6-beta",
            "isDraft": false,
            "isLatest": false,
            "isPrerelease": false,
            "createdAt": "2024-02-14T16:26:24Z",
            "publishedAt": "2024-02-14T16:31:49Z"
          }
        ],
        "pageInfo": {
          "hasNextPage": true,
          "endCursor": "Y3Vyc29yOnYyOpK0MjAyNC0wMi0xNFQxNjoyNjoyNFrOCHb1hA=="
        }
      }
    }
  }
}

* Request took 319.770283ms
v1.8.2-beta		v1.8.2-beta	2024-02-26T19:42:57Z
v1.8.1-beta		v1.8.1-beta	2024-02-26T19:40:31Z
v1.7.17-beta		v1.7.17-beta	2024-02-23T18:59:57Z
v1.7.16-beta		v1.7.16-beta	2024-02-23T18:57:02Z
test		v1.7.15-beta	2024-02-23T18:51:[13](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:14)Z
v1.7.15-draft	Draft	v1.7.15-draft	2024-02-16T15:37:12Z
v1.7.[14](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:15)-beta		v1.7.14-beta	2024-02-[15](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:16)T16:12:54Z
v1.7.13-beta		v1.7.13-beta	2024-02-15T[16](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:17):09:11Z
v1.7.12-beta		v1.7.12-beta	2024-02-15T16:05:04Z
v1.7.11-beta		v1.7.11-beta	2024-02-15T15:47:24Z
v1.7.10-beta		v1.7.10-beta	2024-02-15T15:26:12Z
v1.7.8-beta		v1.7.8-beta	2024-02-15T15:21:34Z
v1.7.7-beta		v1.7.7-beta	2024-02-15T15:01:54Z
v1.7.6-beta		v1.7.6-beta	2024-02-15T14:59:06Z
v1.7.5-beta		v1.7.5-beta	2024-02-14T20:21:41Z
v1.7.4-beta		v1.7.4-beta	2024-02-14T20:18:21Z
v1.7.3-beta		v1.7.3-beta	2024-02-14T20:14:50Z
v1.7.2-beta		v1.7.2-beta	2024-02-14T20:03:42Z
v1.7.1-beta		v1.7.1-beta	2024-02-14T19:58:53Z
v1.7.0-beta		v1.7.0-beta	2024-02-14T[17](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:18):00:49Z
v1.6.9-beta		v1.6.9-beta	2024-02-14T16:59:32Z
v1.6.8-beta		v1.6.8-beta	[20](https://github.com/tinyfists/gh-nonsense-internal/actions/runs/9357421608/job/25757095175#step:3:21)24-02-14T16:54:31Z
v1.6.7-beta		v1.6.7-beta	2024-02-14T16:36:01Z
v1.6.6-beta		v1.6.6-beta	2024-02-14T16:31:49Z

@juanjjaramillo
Copy link
Author

Thank you @andyfeller this helped us understand the underlying issue. The token we are using was not authorized to write on that specific repo but in others. That is why we did not face issues in any other repos. We updated token permissions to grant write access in the problematic repo and now gh release list is working as expected

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working gh-release relating to the gh release command
Projects
None yet
Development

No branches or pull requests

5 participants
@andyfeller @juanjjaramillo @cliAutomation and others