Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pr-creator does not successfully use GitHub app authentication: "BUG apps auth requested but empty org, please report this to the test-infra repo." #33829

Open
sosiouxme opened this issue Nov 22, 2024 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/testing Categorizes an issue or PR as relevant to SIG Testing.

Comments

@sosiouxme
Copy link
Contributor

sosiouxme commented Nov 22, 2024

What happened:
Using the pr-creator built from latest I ran (real names swapped out with fake):

pr-creator -github-app-private-key-path "${keyfile}" \
           -github-app-id "${appid}" \
           -org origin-org -repo reponame \
           -source app-org:update -branch main \
           -body "Automatically generated update" \
           -title "Automatic update"

INFO[0000] Throttle(0, 0, [])                            client=github
INFO[0000] Looking for a PR to reuse...                 
INFO[0000] App()                                         client=github
INFO[0000] FindIssues(is:open is:pr archived:false repo:origin-org/reponame author:app-org in:title )  client=github
ERRO[0000] Stopping retry due to appsAuthError           client=github error="Get \"https://api.github.com/search/issues?[...]\": 
BUG apps auth requested but empty org, please report this to the test-infra repo. 
Stack: goroutine 1 [running]:\nruntime/debug.Stack()\n\truntime/debug/stack.go:24 +0x5e\nsigs.k8s.io/prow/pkg/github.(*appsRoundTripper).addAppInstallationAuth(0x0?, 0xc000200500)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/app_auth_roundtripper.go:158 +0x9b\nsigs.k8s.io/prow/pkg/github.(*appsRoundTripper).RoundTrip(0xc000344c80, 0xc000200500)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/app_auth_roundtripper.go:104 +0x14c\nnet/http.send(0xc000200400, {0x1eed7c0, 0xc000344c80}, {0x1?, 0x4cb2d4?, 0x2cf8120?})\n\tnet/http/client.go:260 +0x606\nnet/http.(*Client).send(0xc0006ca900, 0xc000200400, {0x0?, 0x0?, 0x2cf8120?})\n\tnet/http/client.go:181 +0x98\nnet/http.(*Client).do(0xc0006ca900, 0xc000200400)\n\tnet/http/client.go:724 +0x912\nnet/http.(*Client).Do(0xc0006ca9f0?, 0x1f0beb8?)\n\tnet/http/client.go:590 +0x13\nsigs.k8s.io/prow/pkg/github.(*ghThrottler).Do(0xc0000c01c0, 0xc000200400)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/client.go:435 +0x10c\nsigs.k8s.io/prow/pkg/github.(*client).doRequest(0xc0006d4100, {0x1f0beb8?, 0x2d28400?}, {0x1b75b5d?, 0x5?}, {0xc000c3e000?, 0x418dcb?}, {0x0, 0x0}, {0x0, ...}, ...)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/client.go:1096 +0x9c8\nsigs.k8s.io/prow/pkg/github.(*client).requestRetryWithContext(0xc0006d4100, {0x1f0beb8, 0x2d28400}, {0x1b75b5d, 0x3}, {0xc0001c6280, 0x97}, {0x0, 0x0}, {0x0, ...}, ...)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/client.go:945 +0x250\nsigs.k8s.io/prow/pkg/github.(*client).readPaginatedResultsWithValuesWithContext(0x0?, {0x1f0beb8, 0x2d28400}, {0xc0001718c0?, 0xe?}, 0xc0006c6820?, {0x0, 0x0}, {0x0, 0x0}, ...)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/client.go:1886 +0x17d\nsigs.k8s.io/prow/pkg/github.(*client).readPaginatedResultsWithValues(...)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/client.go:1877\nsigs.k8s.io/prow/pkg/github.(*client).FindIssuesWithOrg(0xc0001806c0?, {0x0, 0x0}, {0xc0001807e0, 0x5e}, {0x1b791fb, 0x7}, 0x0)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/client.go:3450 +0x47d\nsigs.k8s.io/prow/pkg/github.(*client).FindIssues(0x1bd31d1?, {0xc0001807e0?, 0xc000a87620?}, {0x1b791fb?, 0x4?}, 0xdf?)\n\tsigs.k8s.io/prow@v0.0.0-20240419142743-3cb2506c2ff3/pkg/github/client.go:3419 +0x30\nk8s.io/test-infra/robots/pr-creator/updater.updatePRWithQueryTokens({0x7ffcd09e4d47, 0xd}, {0x7ffcd09e4d5b, 0xf}, {0x7ffcd09e4dd3, 0x27}, {0x7ffcd09e4d9b, 0x30}, {0x1b7c043, 0x9}, ...)\n\tk8s.io/test-infra/robots/pr-creator/updater/updater.go:77 +0x2c5\nk8s.io/test-infra/robots/pr-creator/updater.EnsurePRWithQueryTokens({0x7ffcd09e4d47, 0xd}, {0x7ffcd09e4d5b, 0xf}, {0x7ffcd09e4dd3, 0x27}, {0x7ffcd09e4d9b, 0x30}, {0x7ffcd09e4d73, 0x14}, ...)\n\tk8s.io/test-infra/robots/pr-creator/updater/updater.go:55 +0xe5\nk8s.io/test-infra/robots/pr-creator/updater.EnsurePRWithQueryTokensAndLabels({0x7ffcd09e4d47, 0xd}, {0x7ffcd09e4d5b, 0xf}, {0x7ffcd09e4dd3?, 0x0?}, {0x7ffcd09e4d9b?, 0x0?}, {0x7ffcd09e4d73, 0x14}, ...)\n\tk8s.io/test-infra/robots/pr-creator/updater/updater.go:101 +0xb9\nmain.main()\n\tk8s.io/test-infra/robots/pr-creator/main.go:115 +0x374\n"

Note that the error occurred on the search for matching PR, even though in my case the repo is public; it was trying to auth as directed but ran into this.

What you expected to happen:
At least a dry run of a PR being created or updated (should work with -confirm of course too).

How to reproduce it (as minimally and precisely as possible):

  • with a github app
  • install that app on a repo
  • run the command above, specifying the app's client id file and app id and appropriate org/repo

Anything else we need to know?:
It looks to me like this almost works, and I would be willing to put together a PR if I could figure out how to connect the dots.

As near as I can tell, this bot got the flags/options for app auth for free when the prow github client library it uses got them; however compared to PATs and oauth2 there is an added need to generate an installation token, which requires looking up the installation based on the org; something must wire the org into the tokenGenerator, and in pr-creator's code nothing does (the client doesn't store the org or tokenGenerator, and the failing call to gc.FindIssues doesn't either). I think that's why we end up with BUG apps auth requested but empty org.

This issue is somewhat related to:

@sosiouxme sosiouxme added the kind/bug Categorizes issue or PR as related to a bug. label Nov 22, 2024
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Nov 22, 2024
@sosiouxme
Copy link
Contributor Author

/sig testing

@k8s-ci-robot k8s-ci-robot added sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Nov 22, 2024
@BenTheElder
Copy link
Member

Yeah, I think that's coming from some generic code from prow for github client behavior, but we're not using app support for Kubernetes for this particular tool.

@sosiouxme
Copy link
Contributor Author

@BenTheElder any pointers on how that support is supposed to be invoked would be helpful... I had a look through the code here and it's just not evident to me where there's a good point to inject the org (seems it could be added to a context, or the tokenGenerator could be invoked with it...)

@BenTheElder
Copy link
Member

Kubernetes runs it with a user account, the jobs running it are in this repo under config/

sosiouxme added a commit to sosiouxme/test-infra that referenced this issue Dec 13, 2024
k8s-ci-robot added a commit that referenced this issue Dec 18, 2024
fix issue #33829: allow pr-creator to work with GH app auth
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/testing Categorizes an issue or PR as relevant to SIG Testing.
Projects
None yet
Development

No branches or pull requests

3 participants