Azure / login

Connect to Azure

OIDC Login Logs: Error: undefined. Please make sure to give write permissions to id-token in the workflow. When run on Dedicated Runners

dptaf opened this issue · comments


We have workflows that run on the GitHub dedicated runners. When running on those runners we get the following log:

Error: undefined. Please make sure to give write permissions to id-token in the workflow.

The workflow still continues with the rest of the actions, so it doesn't seem like it's a fatal error. We've noticed that if we just use the ubuntu-latest runners, we don't get an error.

Hi @dptaf

Did you put the below part before your job in the workflow file?

permissions:
  id-token: write
  contents: read

Hi @YanaXu -- yes, we have the permissions block in there. To note, this only shows when running on the GitHub large runners; if we use a regular ubuntu agent, we don't see the error. And to reiterate, this doesn't seem to block our deployments to Azure, it just produces that error log.

Hi @dptaf, I suspect the GitHub large runners env you're using blocks the message from your runner to the GitHub service. Could you run the workflow file below and provide me the run log? Please note, runs-on: ubuntu-latest may need to be updated to the right value.

name: Test getIDToken
on: [push, workflow_dispatch]

permissions:
  id-token: write
  contents: read

jobs: 
  test-getIDToken:
    runs-on: ubuntu-latest
    steps:

    - name: GetToken
      continue-on-error: true
      uses: actions/github-script@v3
      with:
        script: |
          const idToken = await core.getIDToken('api://AzureADTokenExchange');
          idToken == null ? console.log("idToken is null or undefined") : console.log("idToken is fine");
          let tokenPayload = idToken.split('.')[1];
          tokenPayload == null ? console.log("tokenPayload is null or undefined") : console.log("tokenPayload is fine");
          let bufferObj = Buffer.from(tokenPayload, "base64");
          bufferObj == null ? console.log("bufferObj is null or undefined") : console.log("bufferObj is fine");
          let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
          decodedPayload == null ? console.log("decodedPayload is null or undefined") : console.log("decodedPayload is fine")
          let iss = decodedPayload['iss'];
          iss == null ? console.log("iss is null or undefined") : console.log("iss is fine")
          let sub = decodedPayload['sub'];
          sub == null ? console.log("sub is null or undefined") : console.log("sub is fine")

Hi @YanaXu -- see below:

2023-11-27T13:51:55.7363498Z Requested runner group: iac-larger-static-ip-runners
2023-11-27T13:51:55.7363681Z Job defined at: turnaroundfactor/adapt_pspdf_manager/.github/workflows/oidc-logging.yml@refs/heads/develop
2023-11-27T13:51:55.7363805Z Waiting for a runner to pick up this job...
2023-11-27T13:52:02.3498586Z Job is waiting for a runner from 'iac-runner-01' to come online.
2023-11-27T13:52:06.5049830Z Job is about to start running on the runner: iac-runner-01_74e947d04818 (organization)
2023-11-27T13:52:10.5085005Z Current runner version: '2.311.0'
2023-11-27T13:52:10.5092081Z Runner name: 'iac-runner-01_74e947d04818'
2023-11-27T13:52:10.5093269Z Runner group name: 'iac-larger-static-ip-runners'
2023-11-27T13:52:10.5094220Z Machine name: 'runner'
2023-11-27T13:52:10.5110513Z ##[group]Operating System
2023-11-27T13:52:10.5111074Z Ubuntu
2023-11-27T13:52:10.5111413Z 22.04.3
2023-11-27T13:52:10.5111843Z LTS
2023-11-27T13:52:10.5112168Z ##[endgroup]
2023-11-27T13:52:10.5112543Z ##[group]Runner Image
2023-11-27T13:52:10.5113059Z Image: ubuntu-22.04
2023-11-27T13:52:10.5113418Z Version: 20231115.7.0
2023-11-27T13:52:10.5114418Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20231115.7/images/ubuntu/Ubuntu2204-Readme.md
2023-11-27T13:52:10.5115948Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20231115.7
2023-11-27T13:52:10.5116770Z ##[endgroup]
2023-11-27T13:52:10.5117680Z ##[group]GITHUB_TOKEN Permissions
2023-11-27T13:52:10.5119355Z Contents: read
2023-11-27T13:52:10.5119951Z Metadata: read
2023-11-27T13:52:10.5120339Z ##[endgroup]
2023-11-27T13:52:10.5123430Z Secret source: Actions
2023-11-27T13:52:10.5124132Z Prepare workflow directory
2023-11-27T13:52:10.5744079Z Prepare all required actions
2023-11-27T13:52:10.5900793Z Getting action download info
2023-11-27T13:52:10.9044539Z Download action repository 'actions/github-script@v3' (SHA:ffc2c79a5b2490bd33e0a41c1de74b877714d736)
2023-11-27T13:52:11.3356728Z Complete job name: test-getIDToken
2023-11-27T13:52:11.4302097Z ##[group]Run actions/github-script@v3
2023-11-27T13:52:11.4302895Z with:
2023-11-27T13:52:11.4308452Z script: const idToken = await core.getIDToken('api://AzureADTokenExchange');
idToken == null ? console.log("idToken is null or undefined") : console.log("idToken is fine");
let tokenPayload = idToken.split('.')[1];
tokenPayload == null ? console.log("tokenPayload is null or undefined") : console.log("tokenPayload is fine");
let bufferObj = Buffer.from(tokenPayload, "base64");
bufferObj == null ? console.log("bufferObj is null or undefined") : console.log("bufferObj is fine");
let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
decodedPayload == null ? console.log("decodedPayload is null or undefined") : console.log("decodedPayload is fine")
let iss = decodedPayload['iss'];
iss == null ? console.log("iss is null or undefined") : console.log("iss is fine")
let sub = decodedPayload['sub'];
sub == null ? console.log("sub is null or undefined") : console.log("sub is fine")

2023-11-27T13:52:11.4314734Z github-token: ***
2023-11-27T13:52:11.4315133Z debug: false
2023-11-27T13:52:11.4315543Z user-agent: actions/github-script
2023-11-27T13:52:11.4316161Z result-encoding: json
2023-11-27T13:52:11.4316573Z ##[endgroup]
2023-11-27T13:52:11.8318891Z idToken is fine
2023-11-27T13:52:11.8319454Z tokenPayload is fine
2023-11-27T13:52:11.8319980Z bufferObj is fine
2023-11-27T13:52:11.8320397Z decodedPayload is fine
2023-11-27T13:52:11.8320848Z iss is fine
2023-11-27T13:52:11.8321217Z sub is fine
2023-11-27T13:52:11.8633796Z Cleaning up orphan processes

Hi @dptaf, I think your workflow file ran into the error at this line.
But this is removed in v1.5.0.
If you do not use allow-no-subscriptions, could you please try v1.5.0?