Bumper jobs failing

[yakimant]

Started to fail after Tanguy left.
After getting access to the repo Settings @diegomrsantos and I discovered the probably personal token was used for ACTIONS_GITHUB_TOKEN.

Token is setup here:
https://github.com/status-im/nim-libp2p/settings/secrets/actions

See action code:
https://github.com/status-im/nim-libp2p/blob/d2c98bd87d540ec2f2d1a7c244b60386dfda66d3/.github/workflows/bumper.yml#L28

Actions & security docs:

• https://docs.github.com/en/actions/security-guides
• https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
• https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
• https://github.com/actions/checkout

[yakimant]

Added status-im-auto token to ACTIONS_GITHUB_TOKEN

And added it to nwaku&nimbus:
https://github.com/waku-org/nwaku/settings/access
https://github.com/status-im/nimbus-eth2/settings/access

[yakimant]

Found out experimentaly, that public_repo is required, see
https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps

[yakimant]

Codex repo is missing the status-im-auto user with Write permissions.

[yakimant]

Done, added:
https://github.com/codex-storage/nim-codex/settings/access

[yakimant]

Bumper is green again:
https://github.com/status-im/nim-libp2p/actions/workflows/bumper.yml

@jakubgs, please review this workaround when you are back.

Token for status-im-auto:
https://github.com/settings/tokens/1428298602

[yakimant]

This is a useful part of security guide:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#considering-cross-repository-access

This list describes the recommended approaches for accessing repository data within a workflow, in descending order of preference:

1. The GITHUB_TOKEN
2. Repository deploy key
3. GitHub App tokens
4. personal access tokens
5. SSH keys on a personal account

We use 4 approach. And It looks like we can't use 1, because we need write access to other repos. So it's wort to check 2 and 3.

[jakubgs]

If possible we should avoid using old "classic" tokens and we should try to create as specific "Fine-grained personal access tokens" as possible. They can be created to target a specific repo with a specific permission only.

[yakimant]

"Fine-grained" token didn't work with user owner - git fails to push:

remote: Permission to status-im/nimbus-eth2.git denied to status-im-auto.
fatal: unable to access 'https://github.com/status-im/nimbus-eth2/': The requested URL returned error: 403

https://github.com/status-im/nim-libp2p/actions/runs/7252738074/job/20160975446

Organisation wide token worked! We'll need to have 1 token for each of 3 orgs (waku, status and codex) and update the job.

[yakimant]

Looks like Deploy key is actually might be useful for us:

1. https://stackoverflow.com/questions/76888117/how-can-i-push-changes-to-a-private-repository-using-github-actions
2. https://tabris.com/using-deploy-keys-on-github-actions/
3. https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#set-up-deploy-keys

[diegomrsantos]

@yakimant what's the status here?

[yakimant]

No update since January.

There are 2 options:

• Deploy keys
• Create a github user with limited permissions just for this task

[diegomrsantos]

is there any pending input from the libp2p team?