Error: not found when using action on self-hosted GHE and with.version not explicitly set.

[kquinsland]

I have a pretty standard "setup python ci" flow that features a step like this:

            - name: Check for lint violations
              id: check-lint-rules
              uses: astral-sh/ruff-action@v3
              with:
                  args: check --output-format=github .

When running on self-hosted GHA runners (because self-hosted GHE instance), I get the following error (this is with debug logs on):

##[debug]=> true
##[debug]Result: true
##[debug]Starting: Check for lint violations
##[debug]Loading inputs
##[debug]Evaluating: github.workspace
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'workspace'
##[debug]=> '/runner/_work/theRepoNameHere/theRepoNameHere'
##[debug]Result: '/runner/_work/theRepoNameHere/theRepoNameHere'
##[debug]Evaluating: github.token
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run astral-sh/ruff-action@v3
  with:
    args: check --output-format=github .
    src: /runner/_work/theRepoNameHere/theRepoNameHere
    github-token: ***
  env:
    UV_CACHE_DIR: /runner/_work/_temp/setup-uv-cache
Found ruff version in pyproject.toml: >=0.[9](https://github.theInternalZoneNameHere.com/theInternalZoneNameHere/theRepoNameHere/actions/runs/124462/job/225152#step:6:9).2
##[debug]isExplicit: 
##[debug]explicit? false
Error: Not Found - https://docs.github.com/enterprise-server@3.14/rest/releases/releases#list-releases
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Check for lint violations

As the logs indicate, my pyproject.toml does feature this line:

[dependency-groups]
dev = [
    # <...>
    "ruff>=0.9.2",
]

Noting how similar the typescript code is, I figured that the same workaround here would work here:

      - name: Check for lint violations
        id: check-lint-rules
        uses: astral-sh/ruff-action@v3
        with:
          # 0.9.2 is the latest version as of 2025-01
          version: "0.9.2"
          args: check --output-format=github .

Which works!

I think the issue is here: https://github.com/astral-sh/ruff-action/blob/main/src/ruff-action.ts#L109

return await resolveVersion(versionFromPyproject || "latest", githubToken);

Which calls into this:

  if (tc.isExplicitVersion(version)) {
    core.debug(`Version ${version} is an explicit version.`);
    return version;
  }

Which - because the pyproject.toml has an expresison (>=0.9.2) not a literal (0.9.2), the if(){} is false so we execute:

const availableVersions = await getAvailableVersions(githubToken);

which - for the same reasons detailed in astral-sh/setup-uv#221, results in an api/auth related error due to this not being "regular, public github".

---

The workaround

Is to explicitly set the with.version to an explicit version. That skips the logic that assumes regular github and goes straight to the actual "plug the version into the URL template, then fetch the URL" flow which has no issues.

[eifinger]

Thank you for reporting the bug.

Could you please test if the fix works for you? (Mind the different branch instead of v3)

- name: Check for lint 
  id: check-lint-
  uses: astral-sh/ruff-action@github-base-url
  with:
    args: check --output-format=github .

[kquinsland]

• name: Check for lint
  id: check-lint-
  uses: astral-sh/ruff-action@github-base-url
  with:
  args: check --output-format=github .

Nope.

##[debug]Evaluating condition for step: 'Check for lint violations'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Check for lint violations
##[debug]Loading inputs
##[debug]Evaluating: github.workspace
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'workspace'
##[debug]=> '/runner/_work/theRepoNameHere/theRepoNameHere'
##[debug]Result: '/runner/_work/theRepoNameHere/theRepoNameHere'
##[debug]Evaluating: github.token
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run astral-sh/ruff-action@github-base-url
  with:
    args: check --output-format=github .
    src: /runner/_work/theRepoNameHere/theRepoNameHere
    github-token: ***
  env:
    UV_CACHE_DIR: /runner/_work/_temp/setup-uv-cache
Found ruff version in pyproject.toml: >=0.9.2
##[debug]isExplicit: 
##[debug]explicit? false
Error: Bad credentials - https://docs.github.com/rest
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Check for lint violations

Take a look at this comment from astral-sh/setup-uv#221.

There are two conflating/co-morbid issues here:

1. Which value of $remoteHost are you using? (in my case, it's $selfHostedInstance not api.github.com)
2. What value of github-token are you presenting when you talk to $remoteHost? (in my case it's a token that is only valid on $selfHostedInstance)

The core issue is that I (in the plural sense; "I" means "everybody w/ GHE or similar") will only ever have an API token that is valid for $selfHostedInstance. As long as a valid api.github.com token is required, GHE users will be SoL unless they bypass that code path all together)

[eifinger]

Thank you for checking and providing the details. Seems like I have to pick up replacing octokit...

[eifinger]

@kquinsland can you please try again? I added a way to access the API without a token. I pushed 3dc8519 to the same branch. You should be able to rerun your workflow and fetch the latest state

[kquinsland]

Thank you for checking and providing the details. Seems like I have to pick up replacing octokit...

If there's no way to pass along a "do this as anon, no API token" flag, that would be a solution.
it's also pretty easy to identify the correct/latest using no auth: astral-sh/setup-uv#221 (comment)

but I'm not sure if that'll result in rate-limits or not. Perhaps a try/catch around the normal lookup with a fallback to anon flow if the initial attempt fails? That should keep the "anon, counts against rate limit quotas" traffic to just the people that can't provide a token?

I could also see a "we know it's a problem, but GHE users are < 5% user base and the workaround isn't difficult so we'll re-visit this $later unless a motivated PR is forthcoming in the mean time" policy.

[kquinsland]

@kquinsland can you please try again? I added a way to access the API without a token. I pushed 3dc8519 to the same branch. You should be able to rerun your workflow and fetch the latest state

Nope :/.

##[debug]Evaluating condition for step: 'Check for lint violations'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Check for lint violations
##[debug]Loading inputs
##[debug]Evaluating: github.workspace
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'workspace'
##[debug]=> '/runner/_work/theRepoNameHere/theRepoNameHere'
##[debug]Result: '/runner/_work/theRepoNameHere/theRepoNameHere'
##[debug]Evaluating: github.token
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run astral-sh/ruff-action@github-base-url
  with:
    args: check --output-format=github .
    src: /runner/_work/theRepoNameHere/theRepoNameHere
    github-token: ***
  env:
    UV_CACHE_DIR: /runner/_work/_temp/setup-uv-cache
Found ruff version in pyproject.toml: >=0.9.2
##[debug]isExplicit: 
##[debug]explicit? false
Error: Bad credentials - https://docs.github.com/rest
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Check for lint violations

Let me try using the hash explicitly...

[eifinger]

Ah. I assumed the token is an empty string. (I think someone mentioned it in the setup-uv issue). Let me replace this with a try/catch as you suggested

[kquinsland]

      - name: Check for lint violations
        id: check-lint-rules
        # Turns out, you can't use short hashes here. TIL!
        uses: astral-sh/ruff-action@3dc85199c716fa0820c1a98d8baeb356eee22cf8
        with:
          # Very similar to the above, you need to explicitly set the version when
          #   using GHE instances.
          # See: https://github.com/astral-sh/ruff-action/issues/49
          ##
          # 0.9.2 is the latest version as of 2025-01
          # version: "0.9.2"
          args: check --output-format=github .

Produces:

##[debug]Evaluating condition for step: 'Check for lint violations'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Check for lint violations
##[debug]Loading inputs
##[debug]Evaluating: github.workspace
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'workspace'
##[debug]=> '/runner/_work/theRepoNameHere/theRepoNameHere'
##[debug]Result: '/runner/_work/theRepoNameHere/theRepoNameHere'
##[debug]Evaluating: github.token
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run astral-sh/ruff-action@3dc85199c716fa0820c1a98d8baeb356eee22cf8
  with:
    args: check --output-format=github .
    src: /runner/_work/theRepoNameHere/theRepoNameHere
    github-token: ***
  env:
    UV_CACHE_DIR: /runner/_work/_temp/setup-uv-cache
Found ruff version in pyproject.toml: >=0.9.2
##[debug]isExplicit: 
##[debug]explicit? false
Error: Bad credentials - https://docs.github.com/rest
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Check for lint violations

[kquinsland]

Ah. I assumed the token is an empty string.

I'll spare you the long </rant> about env-vars and just say that this ends up biting everybody at some point in time :D. Depending on the underlying OS/Shell (and some other things) empty might be the same as "undefined/not-set" but not usually. Ask me how I know / how many times i've been bitten by this :(.

In any case, the GHA runtime (both "regular" GH and GHE) always has $GITHUB_TOKEN set to a valid token. That token will have the default permissions attached to it unless the GHA file explicitly changed them. It is possible to remove/un-set/empty this var but it's a bit kludgey to do so.

[eifinger]

Can you please try again? I implemented the try/catch

[kquinsland]

Can you please try again? I implemented the try/catch

Which branch/ref?

[eifinger]

Can you please try again? I implemented the try/catch

Which branch/ref?

391eb4b

[kquinsland]

That did the trick:

Run astral-sh/ruff-action@github-base-url
  with:
    args: check --output-format=github .
    src: /runner/_work/theRepoNameHere/theRepoNameHere
    github-token: ***
  env:
    UV_CACHE_DIR: /runner/_work/_temp/setup-uv-cache
Found ruff version in pyproject.toml: >=0.9.2
No (valid) GitHub token provided. Falling back to anonymous. Requests might be rate limited.
Downloading ruff from "https://github.com/astral-sh/ruff/releases/download/0.9.3/ruff-x86_64-unknown-linux-gnu.tar.gz" ...
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /runner/_work/_temp/44992807-0cbf-4da3-aff6-c1205eb3b726 -f /runner/_work/_temp/57d06443-7e04-45f5-b0e7-dfa7bacba5f0
Added /opt/hostedtoolcache/ruff/0.9.3/x86_64 to the path
Set RUFF_OUTPUT_FORMAT to github
Successfully installed ruff version 0.9.3
/opt/hostedtoolcache/ruff/0.9.3/x86_64/ruff check --output-format=github . /runner/_work/theRepoNameHere/theRepoNameHere

[eifinger]

Thanks for hanging in there with me!

[eifinger]

@kquinsland could you do me a favor and try again with the branch do-not-assume-github-token?
I removed the GITHUB_BASE_URL there and only left in the handling for invalid token. I assume it will fail but would like to be sure.

[kquinsland]

Thanks for hanging in there with me!

No, than you for being responsive and driving the fix :). (and for keeping the uv/ruff ecosystem awesome).

[kquinsland]

@kquinsland could you do me a favor and try again with the branch do-not-assume-github-token? I removed the GITHUB_BASE_URL there and only left in the handling for invalid token. I assume it will fail but would like to be sure.

Sure thing.

      - name: Check for lint violations
        id: check-lint-rules
        uses: astral-sh/ruff-action@do-not-assume-github-token
        with:
          # Very similar to the above, you need to explicitly set the version when
          #   using GHE instances.
          # See: https://github.com/astral-sh/ruff-action/issues/49
          ##
          # 0.9.2 is the latest version as of 2025-01
          # version: "0.9.2"
          args: check --output-format=github .

Produces:

Run astral-sh/ruff-action@do-not-assume-github-token
  with:
    args: check --output-format=github .
    src: /runner/_work/theRepoNameHere/theRepoNameHere
    github-token: ***
  env:
    UV_CACHE_DIR: /runner/_work/_temp/setup-uv-cache
Found ruff version in pyproject.toml: >=0.9.2
No (valid) GitHub token provided. Falling back to anonymous. Requests might be rate limited.
Downloading ruff from "https://github.com/astral-sh/ruff/releases/download/0.9.3/ruff-x86_64-unknown-linux-gnu.tar.gz" ...
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /runner/_work/_temp/1554d4d4-8f54-4dae-a4dc-bf272e556ee4 -f /runner/_work/_temp/da89fed4-57f1-482b-9aed-eacb7f2c130f
Added /opt/hostedtoolcache/ruff/0.9.3/x86_64 to the path
Set RUFF_OUTPUT_FORMAT to github
Successfully installed ruff version 0.9.3
/opt/hostedtoolcache/ruff/0.9.3/x86_64/ruff check --output-format=github . /runner/_work/theRepoNameHere/theRepoNameHere

no failure