This repository has been archived by the owner on Dec 5, 2022. It is now read-only.

trigger gh webserver from gh-pages with default gh action GITHUB_TOKEN, not bespoke PAT #1

Closed
maxheld83 opened this issue Jan 30, 2019 · 14 comments · May be fixed by #18

@maxheld83
Owner

No description provided.

@maxheld83
Owner Author

maxheld83 commented Jan 30, 2019

from gh:

Currently, using an installation token to make a server-to-server request won't kick off a page build, whether it's creating a commit or explicitly requesting a page build.

However, I'd like to mention that the requesting a page build endpoint is enabled for integrations via a user access token. More specifically, you can create a personal access token and use that instead of the installation token to push a commit or request a page build:

https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line

my response / latest experience:

I did just build a github action for vanilla (= no static site building included) gh pages deployment: https://github.com/maxheld83/ghaction-ghpages

It took me a while to understand what you had already warned about; that GITHUB_TOKEN wouldn't trigger a page build.

I now got this to work with a normal GitHub PAT, just like we used to do it in the old Travis days :/.

I was initially confused because I never really needed GitHub to start a (Jekyll) build, but just serve whatever was up on my gh-pages branch. But I guess for the GitHub webserver to kick in and update, the same conditions have to be met.

It'd be great if you guys could lift this limitation of the GITHUB_TOKEN soon, or provide some other way to seamlessly deploy to GitHub pages.

Not having to deal with this kind of manual auth via PATs was a big draw for me to use gh actions in the first place, and having GITHUB_TOKEN auth a git push to gh-pages branch, but not triggering the downstream update of the gh webserver is really counterintuitive.

I'll write something up on my action tomorrow to prevent others from stumbling into this issue as well.

cheers: Max

@maxheld83
Owner Author

@helaili @BryanSchuetz @shalzz you guys also seemed to have implemented deploying assets to github pages from within GitHub actions (in fact, I stole your git incantations).

I noticed that you guys also used GITHUB_TOKEN as a secret, though I now understand that the default GITHUB_TOKEN that comes with github actions does not suffice to trigger an update to the github webserver, even though it does suffice to push to the gh-pages branch.
I only got it to work once I provisioned a bespoke GitHub PAT for this purpose, and passed that as a secret.

Did I get this right? Did you face the same limitation as well?

maxheld83 changed the title from 'transition to "native" auth via GITHUB_TOKEN asap' to 'trigger gh webserver from gh-pages with default GITHUB_TOKEN, not bespoke PAT' on Jan 30, 2019
maxheld83 changed the title from 'trigger gh webserver from gh-pages with default GITHUB_TOKEN, not bespoke PAT' to 'trigger gh webserver from gh-pages with default gh action GITHUB_TOKEN, not bespoke PAT' on Jan 30, 2019
maxheld83 added a commit that referenced this issue Jan 31, 2019
@helaili

helaili commented Jan 31, 2019

👋 @maxheld83 - there is indeed a difference of behavior when using Personal Access Tokens and OAuth Tokens, which the GITHUB_TOKEN is. In my experience, the difference actually only happens on public repos. Pages publishing works fine on private repos, which is ironic as the Pages site is always public anyway.

I'm planning on investigating this deeper but I'm afraid this is not on top of my todo list.

@shalzz

shalzz commented Jan 31, 2019

@maxheld83 Yes that's correct. In fact this is what I explicitly mention in the README.
I'm not sure if this behaviour is different for private repos but I'd probably say it isn't.

For posterity, this is the complete explanation I got from the GitHub Staff:

I see that you're using the GITHUB_TOKEN environment variable to authenticate. That variable is a GitHub App installation token (also known as a server-to-server installation token).

After speaking with the team about this, they let me know that server-to-server requests won't kick off a page build, whether it's creating a commit or explicitly requesting a page build:

I see how it would be useful to open this functionality to GitHub Actions, so I've let the team know about this internally.

However, I'd like to mention that the requesting a page build endpoint is enabled for integrations via a user access token. In other words, you can make a user-to-server request to request a page build:

Alternatively, you can create a personal access token and use that to request a page build:

@joshuarubin

We’ve found that using a repository deployment key and using an ssh remote also works and is safer since it’s scoped to the repo only.

@BryanSchuetz

As @helaili mentions—using GITHUB_TOKEN to kick off a pages build seems to work fine in private repositories—at least it has for me. I haven't really dug into the documentation much, but I wonder if the problem you're seeing might simply be a function of the currently limited beta?

GitHub Actions is limited to private repositories and push events in public repositories during the limited public beta.

sagebind added a commit to sagebind/riptide that referenced this issue Feb 6, 2019
Use a personal access token instead of the provided Actions token. See maxheld83/ghpages#1.
@alex-page
Contributor

@maxheld83 Thanks for documenting this, I spent a ton of time trying to figure out why my environment was not building!

@gr2m

gr2m commented Apr 15, 2019

Did you try https://x-access-token:<GITHUB_TOKEN>@github.com/owner/repo.git? I’ve heard that worked for others to push updates to the repository from an action, but didn’t use it myself yet.

See https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/#http-based-git-access-by-an-installation - I know this is for installations, but I think actions are sharing some implementation logic or something
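
The two alternatives to a PAT raised in this thread (a repo-scoped deploy key over an SSH remote, and the `x-access-token` HTTPS remote), as an added example that is not code from any participant or from the ghpages action: it picks the narrower credential when one is configured and keeps the token out of anything echoed to the build log. The function names, `DEPLOY_KEY_FILE` and `GIT_HOST` are assumptions; the token value in any test run is constructed.

```shell
#!/bin/sh
# Added example: choose a push remote for a gh-pages deploy and keep
# credentials out of logs. Assumed names: pages_remote, redact_remote,
# ssh_command, DEPLOY_KEY_FILE, GIT_HOST.

GIT_HOST="${GIT_HOST:-github.com}"

# Print the remote to push to. Prefers a repo-scoped deploy key (SSH remote)
# over a token embedded in an HTTPS URL; fails if neither is configured.
pages_remote() {
    repo="$1"    # expected form: owner/repo
    case "$repo" in
        */*/*|*[!A-Za-z0-9._/-]*|/*|*/|"") echo "bad repo: $repo" >&2; return 2 ;;
        */*) ;;
        *) echo "bad repo: $repo" >&2; return 2 ;;
    esac
    if [ -n "${DEPLOY_KEY_FILE:-}" ] && [ -r "$DEPLOY_KEY_FILE" ]; then
        printf 'git@%s:%s.git\n' "$GIT_HOST" "$repo"
    elif [ -n "${GITHUB_TOKEN:-}" ]; then
        printf 'https://x-access-token:%s@%s/%s.git\n' \
            "$GITHUB_TOKEN" "$GIT_HOST" "$repo"
    else
        echo "no deploy key or token available" >&2; return 1
    fi
}

# Mask the userinfo part of an HTTPS remote so the URL is safe to echo.
# SSH remotes carry no secret and pass through unchanged.
redact_remote() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]*@#\1***@#'
}

# Value for GIT_SSH_COMMAND: use only the given key (no agent identities)
# and refuse unknown host keys. The key path must not contain spaces.
ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes' "$1"
}
```

Pushing straight to the printed URL (`git push "$(pages_remote "$GITHUB_REPOSITORY")" HEAD:gh-pages`) avoids storing the token in `.git/config`, which `git remote add` with a token URL would do. Log only the output of `redact_remote`.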

@alex-page
Contributor

alex-page commented Apr 15, 2019

@gr2m I didn't get to give that a go. I will definitely give that a go in the next few weeks!

@gr2m

gr2m commented Apr 15, 2019

I just tested it and it works: https://github.com/gr2m/ghpages/tree/gh-pages

Pull request incoming

@alex-page
Contributor

alex-page commented Apr 18, 2019

Thanks @gr2m this works great!

https://github.com/alex-page/alex-page/blob/f17cca0ac31dca924737045d152a25384c350bf9/scripts/deploy.js#L16

This appears to work but the environment does not build on deployment, you can read more here: #18

@a-recknagel

What kind of permissions does the PAT need in order to be able to push? There is no checkbox there that says "push_rights".

@wei

wei commented Sep 18, 2019

repo

@maxheld83
Owner Author

closing this in favor of #18

HMKnapp added a commit to seerbit/openapi that referenced this issue Nov 9, 2020
* Export GITHUB_TOKEN to env also

* Enable deployment of branch for testing purpose

* Provide TOKEN as maxheld83/ghpages#1 (comment)

* Disable deployment for branches again