Description
Not sure what changed, but recently the pandoc nightly download has started to fail for me. Here is the debug logging:
```
##[debug]Evaluating condition for step: 'Run r-lib/actions/setup-pandoc@v2'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run r-lib/actions/setup-pandoc@v2
##[debug]Loading inputs
##[debug]Evaluating: matrix.config.pandoc
##[debug]Evaluating Index:
##[debug]..Evaluating Index:
##[debug]....Evaluating matrix:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'config'
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'pandoc'
##[debug]=> 'nightly'
##[debug]Result: 'nightly'
##[debug]Evaluating: secrets.GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run r-lib/actions/setup-pandoc@v2
##[debug]got pandoc-version nightly
##[debug]Downloading https://api.github.com/repos/jgm/pandoc/actions/artifacts/1601304781/zip
##[debug]Destination /home/runner/work/_temp/0342ed2d-f740-41f0-9e4e-6c0c29566afb
##[debug]Failed to download from "https://api.github.com/repos/jgm/pandoc/actions/artifacts/1601304781/zip". Code(403) Message(Forbidden)
Error: Failed to download Pandoc nightly build: Error: Unexpected HTTP response: 403
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run r-lib/actions/setup-pandoc@v2
```
I am wondering if the token input is correctly passed to the API call 🤔
- We see the GITHUB_TOKEN gets read
- API docs say the Actions read scope is needed, and this is the case for this workflow: https://github.com/rstudio/rmarkdown/actions/runs/9518128513/job/26246875020#step:1:18

  ```
  GITHUB_TOKEN Permissions
    Actions: read
  ```
- If I call the URL using `gh` CLI locally it works:

  ```
  gh api /repos/jgm/pandoc/actions/artifacts/1601304781/zip > nightly.zip
  ```
I don't know a lot about @action/core but I see we do this for nightly
actions/setup-pandoc/src/setup-pandoc.ts, line 111 in fbafc3b:

```ts
const octokit = new Octokit();
```
and so we create octokit without the GITHUB_TOKEN.
There is a function to get Auth Header
actions/setup-pandoc/src/setup-pandoc.ts, lines 92 to 100 in fbafc3b:

```ts
function getAuthHeaderValue(): `Bearer ${string}` | undefined {
  const authToken =
    core.getInput("token", {
      required: false,
      trimWhitespace: true,
    }) ?? undefined;
  return !!authToken ? `Bearer ${authToken}` : undefined;
}
```
but it is not used in the script... So I wonder.
Is token input really used? Or should we authenticate another way?
I have seen in https://github.com/octokit/action.js/ that maybe setting GITHUB_TOKEN env could work so trying that now.
rstudio/rmarkdown#2559
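
The following is an added example, not code from r-lib/actions or from this issue: it shows the `token` input being attached to the artifact download request, and the `Authorization` header being dropped when the API redirects the download to a URL outside `api.github.com`. The function names, the `INPUT_TOKEN` then `GITHUB_TOKEN` lookup order, and the redirect hosts used in the test values are assumptions.

```typescript
// Added example; all names here are hypothetical, not the action's own.
type Env = Record<string, string | undefined>;
type HeaderMap = Record<string, string>;

const API_HOST = "api.github.com";

// @actions/core exposes an input named `token` as the INPUT_TOKEN env var.
// Assumption: fall back to GITHUB_TOKEN when the input is empty.
function resolveToken(env: Env): string | undefined {
  const pick = (v?: string) => (v || "").trim();
  const raw = pick(env["INPUT_TOKEN"]) || pick(env["GITHUB_TOKEN"]);
  return raw === "" ? undefined : raw;
}

// Build the artifact zip request. Without a token no Authorization header is
// sent, which is the unauthenticated call the issue suspects.
function artifactRequest(repo: string, artifactId: number, token?: string) {
  const headers: HeaderMap = { Accept: "application/vnd.github+json" };
  if (token) headers["Authorization"] = `Bearer ${token}`;
  const url = `https://${API_HOST}/repos/${repo}/actions/artifacts/${artifactId}/zip`;
  return { url, headers };
}

// The endpoint answers with a redirect (Location header) to the archive.
// Forward the token only if the target is still https://api.github.com.
function headersForRedirect(location: string, headers: HeaderMap): HeaderMap {
  let sameApi = false;
  try {
    const u = new URL(location);
    sameApi =
      u.protocol === "https:" && u.hostname === API_HOST && u.username === "";
  } catch {
    sameApi = false; // unparsable Location: never forward credentials
  }
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) {
    if (sameApi || name.toLowerCase() !== "authorization") {
      out[name] = headers[name];
    }
  }
  return out;
}
```
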