Github Action ubuntu-latest to Heroku auth failed - heroku

I'm seeing this error as of today; it was working yesterday and prior to that as well.
Can't see that anything has changed in the Heroku documentation that might cause this breaking change.
Error:
Switched to a new branch 'deploy'
remote: ! WARNING:
remote: ! Do not authenticate with username and password using git.
remote: ! Run `heroku login` to update your credentials, then retry the git command.
remote: ! See documentation for details: https://devcenter.heroku.com/articles/git#http-git-authentication
fatal: Authentication failed for 'https://git.heroku.com/snapnhd-staging.git/'
main.yml
server-deploy:
  needs: server-check
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@master
    - uses: actions/setup-ruby@v1
      with:
        ruby-version: '2.6.x'
    - name: Determine Heroku App
      id: heroku
      uses: ./.github/actions/heroku-app
    - name: Deploy
      env:
        HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}
        HEROKU_APP: ${{ steps.heroku.outputs.app }}
      run: |
        git remote add heroku \
          https://heroku:$HEROKU_API_KEY@git.heroku.com/$HEROKU_APP.git
        git fetch --unshallow origin
        git checkout -b deploy
        git push heroku deploy:master -f

As part of their response to this ongoing security investigation, Heroku forced all users to reset their passwords on or around May 4 (quoting from an email that, presumably, all customers should have received):
As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022.
This also invalidated API tokens:
NOTE: A password reset will also invalidate your API access tokens. As a result, any automations you’ve built to integrate with the Heroku Platform API that use these tokens may result in 403 forbidden errors. To avoid downtime you will need to re-enable direct authorizations by following the instructions here and update your integrations to use your newly generated token.
The linked article shows several ways to generate a new token, all of which boil down to a POST to
https://api.heroku.com/oauth/authorizations
The exact method depends partly on whether you have multi-factor authentication enabled. If you aren't already using MFA, this would be a good time to enable it.
Generate a new token and update your GitHub Actions configuration to use it.
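The answer above points at the endpoint but not at a concrete request. The script below is an added example, not code from the answer or from Heroku: it builds and sends the POST to https://api.heroku.com/oauth/authorizations that creates a replacement authorization, and prints only the resulting token so it can be pasted into the HEROKU_API_KEY secret. It assumes (not stated in the answer) that you authenticate the request with HTTP Basic auth using your account email and the key shown by `heroku auth:token` after a fresh `heroku login`, and that the request body accepts the Platform API v3 fields `description` and `expires_in`; the email, key and description values are constructed placeholders.

```python
"""Create a replacement Heroku OAuth authorization after a password reset.

Added example (not from the original answer). Assumptions:
  * HTTP Basic auth with <account email>:<API key from `heroku auth:token`>.
  * Request fields `description` (free text) and `expires_in` (seconds),
    per the Heroku Platform API v3.
  * The token comes back under access_token.token in the JSON response.
"""
import base64
import json
import os
import urllib.request
from typing import Optional

HEROKU_AUTHZ_URL = "https://api.heroku.com/oauth/authorizations"


def build_authorization_request(email: str, api_key: str, description: str,
                                expires_in: Optional[int] = None) -> urllib.request.Request:
    """Build (but do not send) the POST that creates a new authorization.

    Kept separate from the network call so the headers and body can be
    inspected without contacting Heroku.
    """
    body = {"description": description}
    if expires_in is not None:
        # A bounded lifetime limits the damage if the CI secret ever leaks;
        # omit it only if you really need a non-expiring token.
        body["expires_in"] = expires_in
    creds = base64.b64encode(f"{email}:{api_key}".encode()).decode()
    return urllib.request.Request(
        HEROKU_AUTHZ_URL,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Accept": "application/vnd.heroku+json; version=3",
            "Content-Type": "application/json",
            "Authorization": f"Basic {creds}",
        },
    )


def extract_token(response_json: dict) -> str:
    """Return just the bearer token from the authorization object.

    Only the token itself belongs in a CI secret; the rest of the response
    (ids, scopes, timestamps) is metadata you can re-read from the dashboard.
    """
    return response_json["access_token"]["token"]


def create_authorization(email: str, api_key: str,
                         description: str = "github-actions-deploy",
                         expires_in: Optional[int] = None) -> str:
    """Send the request and return the new token (network call)."""
    req = build_authorization_request(email, api_key, description, expires_in)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_token(json.load(resp))


if __name__ == "__main__":
    # Constructed usage: credentials come from the environment, never from argv,
    # so they do not show up in shell history or process listings.
    email = os.environ["HEROKU_EMAIL"]
    api_key = os.environ["HEROKU_API_KEY"]  # value from `heroku auth:token` after re-login
    print(create_authorization(email, api_key, expires_in=60 * 60 * 24 * 90))
```

Run it once locally, store the printed value as the HEROKU_API_KEY repository secret, and revoke any old authorizations that still show up under `heroku authorizations`. If MFA is enabled on the account, the Basic-auth path may be refused; in that case create the token through `heroku authorizations:create` from a logged-in CLI instead.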

Related

Laravel Forge: How to add multiple deploy keys to one Github repository

I have one server on my Forge account with two sites. One is a production site while the other is a staging website. For example:
domain.com
test.domain.com
Both rely on the same Github repository, the staging site should be deployed when a commit is pushed to the develop branch while production should be deployed when anything is pushed to the main branch.
What did I do:
I added the deployment hook of both sites into the secrets of the Github repository:
FORGE_DEPLOYMENT_HOOK_PRODUCTION
FORGE_DEPLOYMENT_HOOK_STAGING
Then I created a Github action for both sites which starts on push to either branch and makes a curl request to the deployment hook:
name: Deploy production
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy Site
        run: curl ${{ secrets.FORGE_DEPLOYMENT_HOOK_PRODUCTION }}
I added the site’s deploy key of the production site (domain.com) to the repository deploy keys. When I try to add the staging key (test.domain.com) I get the error: Key is already in use. If I check the key it is actually a different key except for the first x amount of characters. Because I can’t add the key the action only works for the production site and not the staging site. I get this error when deploying staging:
ERROR: Repository not found.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
So my question is: how can I add the second deploy key? And if this is not possible, what would be the best way to set up my Github actions to achieve the same goal? I thought this would be the easiest way.

Github Actions error on push to Digital Ocean - refusing to allow an OAuth App to create or update workflow

I am trying to set up a Node app to deploy to Digital Ocean after pushing to a Github repo. I am using Github actions and have followed this tutorial but have hit a snag at step 5. I get the following error when I try to push to the repo.
! [remote rejected] master -> master (refusing to allow an OAuth App to create or update workflow `.github/workflows/main.yaml` without `workflow` scope)
error: failed to push some refs to 'https://github.com/IT-ACA/hello-node-do.git'
I have tried everything I can find, including this SO post, but nothing works. I have a .yaml file in my project, which I can't see anything immediately wrong with, that currently looks like this.
name: CI
# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the master branch
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Deploy NodeJS App
        uses: jjst/action-digitalocean-deploy-app@v2
        with:
          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
          host: ${{ secrets.SSH_HOST }}
          key: ${{ secrets.SSH_KEY }}
          username: ${{ secrets.SSH_USER }}
          script: |
            cd hello-node-do
            git clone https://github.com/IT-ACA/hello-node-do.git
            echo 'Deploy successful to Digital Ocean..'
Note that I have a different value for uses in the yaml code above which comes from this page and is what I began my DigitalOcean deployment journey with. But, I have also tried the one from the tutorial linked above without any luck.
I think the secrets are all correctly in place and that I have done everything necessary on the DigitalOcean side but it still throws this error. This is the very first time I have tried implementing a CD/CI pipeline and I have spent hours troubleshooting it now. Running out of ideas and would appreciate any help getting over this frustrating hurdle. Thanks in advance!

git-secret-reveal failed on github actions

I'm trying to use Github Actions for CI. I've created some secrets in the repository on GitHub and encrypted some files in the sources with the git-secret tool. In the end, I wrote the following yml-script as an action for GitHub:
build:
  runs-on: ubuntu-latest
  steps:
    - name: Checkout sources
      uses: actions/checkout@v2
    - name: Configure GPG Key
      uses: crazy-max/ghaction-import-gpg@v3
      with:
        gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
        passphrase: ${{ secrets.SECRET_PWD }}
        git-user-signingkey: true
        git-commit-gpgsign: true
    - name: Reveal secrets
      env:
        SECRET_PWD: ${{ secrets.SECRET_PWD }}
      run: |
        sudo apt install git-secret
        git secret tell my@email.com
        git secret reveal -p $(echo $SECRET_PWD | sed 's/./& /g')
    - name: Build images
      run: docker-compose build
I suppose this describes the following pipeline:
Checkout current branch
Install required tools for gpg with a PK (gpg key?) and PWD
Add user with email from PK to white list
Decrypt .secret files
And finally build docker images.
Am I right?
My problem is steps 3-4. I've got an error in the logs:
> Setting up git-secret (0.2.3-1) ...
> Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
> done. my@email.com added as someone who know(s) the secret.
> cleaning up...
> Error: Process completed with exit code 1.
I've checked my solution on a local machine (Linux) and it works like a charm.
Well, maybe someone knows where my mistake in the yml-script is?
I would guess that the problem is the "git secret tell" line. The "tell" step needs to be done in advance by someone else (you) who already has the authority to reveal the secrets. From the documentation:
Now add this person to your secrets repo by running git secret tell persons@email.id (this will be the email address associated with the public key)
The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using git secret reveal; git secret hide -d, and then commit and push the newly encrypted files.
It looks like the "git secret reveal" step failed. Did you re-encrypt and push the secret files after calling "git secret tell my@email.com" locally?
In the github action itself, you don't need to run the "tell" step again.

Authorize bash to access GitHub protected branch

This might be a silly question, but here I am after two days of head banging 😔
I'm currently working on a GitHub Actions job, that would at some point git push to a protected branch (master, actually). However, once it gets to this step, the job fails with a "You're not authorized to push" error message:
error code GH006
In my situation, the first time it happened, it meant that the worker (CLI, bash) is not authorized at all. So I went to log it in a dedicated GitHub account, — and this is where I'm stuck for a couple of days now.
So, how do I login to GitHub account via CLI?
The things I've tried:
Pushing to master manually
This works without errors, since the authorization is OK, — but it is obviously not automated, which is what I'm after.
A couple of details:
I was using Windows 10, whereas the job is set up to run on "ubuntu-18.04";
I've removed all GitHub-related logins from Windows Credential Manager before performing git push, and set them up again via GitHub Login dialog window.
Manually pushing under unauthorized credentials fails, as expected.
git remote set-url origin "https://$username:$token@github.com/my/repo"
This didn't seem to have any effect. I've tried both setting the URL of the existing remote and removing-then-adding remotes with different URLs, — both approaches seem to work (not work) the same.
None of the configurations below worked:
steps:
  - run: git remote set-url origin "https://$username:$token@github.com/my/repo"
  - run: git push origin master
steps:
  - run: git remote remove origin
  - run: git remote add origin "https://$username:$token@github.com/my/repo"
  - run: git fetch origin --all # with and without this step
  - run: git push origin master
curl -u "$username:$token" https://api.github.com/user
This is suggested in the docs, and it does succeed, but the login does not persist until git push — even if the pushing happens in the same step. I suspect there might be a cookie-related solution, but I'm not sure how they work in a non-browser environment. Also, I believe that this API is designed for different purposes.
Both of these configurations failed:
steps:
  # separate processes
  - run: curl -u "$username:$token" https://api.github.com/user
  - run: git push origin master
steps:
  # same process
  - run: |
      curl -u "$username:$token" https://api.github.com/user
      git push origin master
actions/checkout@v2 will now configure and persist authentication when setting the token input. You shouldn't need to configure the origin URL manually.
- uses: actions/checkout@v2
  with:
    token: ${{ secrets.PAT }}
- name: Create a change
  run: echo "test" > test.txt
- name: Commit change
  run: |
    git config --global user.name 'Your Name'
    git config --global user.email 'your-username@users.noreply.github.com'
    git add -A
    git commit -m "Add test file"
    git push
According to this comment on the GitHub forums, the PAT must be created from an admin/org owner account. A collaborator with write access is not enough to push to protected branches.

travis-ci GitHub release upload is unauthorized

I am trying to automate uploading binaries of a C++ library as GitHub Releases with Travis-CI. The release is set up to proceed with an encrypted token from a user with admin privileges on the repository.
Everything is according to the docs, but my builds still fail with this error:
`on_complete': GET https://api.github.com/user: 401 - Bad credentials // See: https://developer.github.com/v3 (Octokit::Unauthorized)
Please see details at: https://api.travis-ci.com/v3/job/161301399/log.txt
Let me clarify how I set up a release:
$ travis login
# Answer the security challenge with GitHub username/password
$ travis setup releases --com
# Answer the security challenge with GitHub username/password
# Answer few more questions
I do the --com part since the repository was recently moved to travis-ci.com and the job is performed there. However, I also tried the --pro and `` (no option, default to .org).
So here is the deploy section of my .travis.yml:
deploy:
  provider: releases
  skip_cleanup: true
  draft: true
  overwrite: true
  api_key:
    secure: [... omitted ...]
  file: ${DISTRIBUTION_NAME}
  on:
    all_branches: true
As for now I've run out of options, so any advice would be highly appreciated.
Well, after banging my head against the wall for 3 straight hours, it came to my attention that I was encrypting the OAuth token as a secret for a different repo.
Namely, travis setup releases (and the updated .travis.yml) mentioned Multy-io/Multy-back while I was working on the script for the Multy-io/Multy-Core project.
This is a leftover from setting up a previous project. Please note that you might want to explicitly set the repository to avoid a similar issue with:
travis setup releases -r Name/Repo
