GitHub actions are failint

[achew22]

There appears to be something wrong with the GitHub actions setup for getting things stamped.

[achew22]

fatal: No names found, cannot describe anything.

I added the fetch-depth thing to no avail but then I realized there are 2 of them. I'm going to try --always in the stamp script which should make it work no matter what (even if it's tagged wrong, which would be bad but would be educational)

[joeljeske]

I think the GH Actions is not fetching the tags locally. I think its doing a shallow clone of the SHA but without any branches/tags in the cloned repo.

[joeljeske]

Do you want to try adding fetch-depth:0 to the checkout?
https://github.com/actions/checkout#Fetch-all-history-for-all-tags-and-branches

Alternatively we could try a post-checkout fetch of the tags or unshallow the clone?

[achew22]

Here is the result of adding fetch-depth:0

https://github.com/bazelbuild/bazel-watcher/runs/2167896165?check_suite_focus=true

But it doesn't look like it showed up on the npm side

https://www.npmjs.com/package/@bazel/ibazel

Thanks for helping me get this closer!

[joeljeske]

For better or worse, I hade made it only publish to npm if it was the result of creating a new GH release
https://github.com/bazelbuild/bazel-watcher/blob/master/.github/workflows/release.yaml#L116

[joeljeske]

You could remove that condition, or try to create a formal GH release (not just a tag and manually running it)

[joeljeske]

That condition corresponds with the condition to upload the assets to the real GH release
https://github.com/bazelbuild/bazel-watcher/blob/master/.github/workflows/release.yaml#L63

[achew22]

Let's try doing a full release! https://github.com/bazelbuild/bazel-watcher/actions/runs/677723048

[achew22]

That looks VERY promising! Now to figure out how to allow a service account to deploy when you have two factor turned on... this'll be fun...

[achew22]

I think this is the one https://github.com/bazelbuild/bazel-watcher/actions/runs/677790605

[achew22]

I sort of had the idea that this would fix it

but apparently not? Maybe NPM has some latency between that setting being changed and taking effect. I'll try a release again later.

[joeljeske]

I don’t think you want 2fa on the publishing token at all. Option 1?

#456 (comment)

[achew22]

If I pick option 1 that will disable the requirement that MFA be turned on for manual pushes which means that someone who guesses my password alone would be able to publish. Option 2 seems like the correct one since we are using automation tokens and those automation tokens are not bound to MFA?

[achew22]

As a quick test I tried releasing v0.15.5 with MFA completely disabled. It is now reenabled.

Lessons learned from this test:

• It doesn't matter what the setting is, which means it is probably a setting that comes from the @bazel organization.
• I have no idea who owns the @bazel organization so I can ask them to change this setting 😦

[joeljeske]

Have you tried the steps I put here? #456 (comment)

I think you need a new explicit token for automation.

[achew22]

Yes, I have generated an auth token.

Did I miss a step in that?

[achew22]

Since I don't have a good way to validate the kind of token behind that, I'm going to try generating a new automation token and see what happens.

[achew22]

I think that might have been it! Thanks so much @joeljeske for all your hard work on this. I really appreciate it.