I'm seeing a weird error in PR CI (<https://github...
# developmentb
bored-art-40741
09/20/2021, 11:16 PMI'm seeing a weird error in PR CI (https://github.com/pantsbuild/pants/pull/12890/checks?check_run_id=3657406781) that looks like a configuration issue, or maybe just something transient:
Copy code
23:09:35.17 [WARN] [rules] Failed to load Toolchain token from env var 'TOOLCHAIN_AUTH_TOKEN'. Please make sure the env var is set in your environment.
23:09:35.17 [INFO] [rules] Acquire restricted access token: {'repo_slug': 'pantsbuild/pants', 'env': {'GITHUB_ACTIONS': 'true', 'GITHUB_RUN_ID': '1255477684', 'GITHUB_REF': 'refs/pull/12890/merge', 'GITHUB_EVENT_NAME': 'pull_request', 'GITHUB_SHA': '6d88f59c53a251eb50f9c45bec971f185ec16370', 'GITHUB_REPOSITORY': 'pantsbuild/pants', 'GITHUB_WORKFLOW': 'Pull Request CI', 'GITHUB_JOB': 'lint_python'}}
23:09:35.73 [WARN] Error loading access token: AuthError('[rules] Auth rejected by server request_id=d66ee1b707d2eba195a5aa43a80279a3')
Error: Process completed with exit code 1.h
hundreds-father-404
09/20/2021, 11:20 PMMaybe that your plugin version of Toolchain is still
hundreds-father-404
09/20/2021, 11:20 PMcc @polite-garden-50641
p
polite-garden-50641
09/20/2021, 11:21 PMthis is safe to ignore.
h
hundreds-father-404
09/20/2021, 11:22 PMohh @bored-art-40741 scroll up for the actual errors, MyPy
p
polite-garden-50641
09/20/2021, 11:22 PMwe currently only issue access tokens to the toolchain service for toolchain engineers, hence the server refuses to allocation an access token for your PR.
polite-garden-50641
09/20/2021, 11:22 PMpants still works in this scenario, just w/o the remote cache and data is not uploaded to the toolchain service.
polite-garden-50641
09/20/2021, 11:23 PMwhich is perfectly fine and matches the current system design.
polite-garden-50641
09/20/2021, 11:23 PM23:07:22.56 [WARN] Auth failed - BuildSense plugin is disabled.polite-garden-50641
09/20/2021, 11:23 PMthis is 100% ok.
b
bored-art-40741
09/20/2021, 11:23 PMoh okay
bored-art-40741
09/20/2021, 11:24 PMyeah this is because I was so far behind main I think, should be an easy fix
w
witty-crayon-22786
09/20/2021, 11:29 PMno one else is seeing this, right? because i also needed to refresh the CI token last week.
b
bored-art-40741
09/20/2021, 11:36 PMNot sure, but Eric pointed out that I was just reading trailing warnings; the root cause was a regular mypy failure
w
witty-crayon-22786
09/20/2021, 11:36 PMyea. @hundreds-father-404: can you confirm that you have access in your CI runs?
witty-crayon-22786
09/20/2021, 11:36 PM(sorry, i’d check my own, but… haven’t pushed since last week)
p
polite-garden-50641
09/20/2021, 11:37 PMthis is unrelated to the CI token which is only used in branch builds not PR builds.
w
witty-crayon-22786
09/20/2021, 11:38 PMgot it.
p
polite-garden-50641
09/20/2021, 11:38 PMSince PRs can be submitted by anyone on the internet, we don't trust them (by default) and don't allow them to access the toolchain SasS.
polite-garden-50641
09/20/2021, 11:38 PMthis is by design.
polite-garden-50641
09/20/2021, 11:39 PMthe GH secrets are not exposed to PRs... this is common in CI system config for public repos (unless you are travis CI...)
https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/
🙈 1
🤭 1
w
witty-crayon-22786
09/20/2021, 11:47 PMyea, makes sense. would be good to silence the warning… i expect other contributors have seen this, and might have thought it was broken (i had been confused by it when looking at a contributor’s PR at one point)
👍 1
p
polite-garden-50641
09/21/2021, 3:03 PMI have a ticket to improve the DX... will be working on it soon.
w
witty-crayon-22786
09/21/2021, 3:55 PMthank you!
2 Views