fix: bypass determine_name/email GET /user calls with bind-mounted override scripts

Copilot · BarkinKctp · web-flow · commit bb24e07053f8 · 2026-04-28T09:11:46.000Z
GitHub App installation tokens cannot call GET /user or GET /user/emails (those endpoints require a user-scoped PAT). The packaging containers call those endpoints via determine_name and determine_email. Instead of requiring a PAT, write tiny override scripts on the host and bind-mount them over /scripts/determine_name and /scripts/determine_email inside the container. The overrides just echo the supplied actor identity without any API call. - Add --actor_name / --actor_email params to citus_package.py - In build_package(): when both params are set, write override scripts to a temp dir and add -v mounts to the docker command; clean up in finally block - Update workflow to use App token for all git ops and pass --actor_name 'github-actions[bot]' / --actor_email for the containers Agent-Logs-Url: https://github.com/citusdata/tools/sessions/fdb492ee-94bb-42dc-a5d3-56e2d4b2f40b Co-authored-by: BarkinKctp <181959180+BarkinKctp@users.noreply.github.com>
diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml
@@ -4,7 +4,6 @@ env:
   MAIN_BRANCH: "all-citus"
   PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }}
   PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }}
-  GH_TOKEN: ${{ secrets.GH_TOKEN }}
   DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }}
   DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
 on:
@@ -32,9 +31,25 @@ jobs:
           - ubuntu/jammy
 
     steps:
+
+      - name: Create GitHub App token
+        id: app
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Set GH_TOKEN for all steps
+        run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV
+
+      - name: Configure git with x-access-token
+        run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/"
+
       - name: Checkout repository
         uses: actions/checkout@v3
         with:
+          token: ${{ steps.app.outputs.token }}
           fetch-depth: 1
           path: tools
 
@@ -46,7 +61,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Clone build branch
-        run: git clone -b "${MAIN_BRANCH}" --depth=1  https://github.com/citusdata/packaging.git packaging
+        run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging
 
       - name: Install package dependencies
         run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources
@@ -58,7 +73,8 @@ jobs:
         run: |
           python -m  tools.packaging_automation.citus_package \
           --gh_token "${GH_TOKEN}" \
-          --container_gh_token "${GH_TOKEN}" \
+          --actor_name "github-actions[bot]" \
+          --actor_email "41898282+github-actions[bot]@users.noreply.github.com" \
           --platform "${{ matrix.platform }}" \
           --build_type "nightly" \
           --secret_key "${PACKAGING_SECRET_KEY}" \
diff --git a/packaging_automation/citus_package.py b/packaging_automation/citus_package.py
@@ -1,7 +1,10 @@
 import argparse
 import glob
 import os
+import shlex
+import shutil
 import subprocess
+import tempfile
 from enum import Enum
 from typing import Dict
 from typing import List
@@ -338,34 +341,62 @@ def build_package(
     postgres_version: str,
     input_output_parameters: InputOutputParameters,
     is_test: bool = False,
-    container_gh_token: str = "",
+    actor_name: str = "",
+    actor_email: str = "",
 ):
     docker_image_name = "packaging" if not is_test else "packaging-test"
     postgres_extension = "all" if postgres_version == "all" else f"pg{postgres_version}"
-    # Packaging containers call GET /user and GET /user/emails via determine_name/determine_email.
-    # Those endpoints require a user-scoped token (PAT). GitHub App installation tokens are
-    # repository-scoped and will receive a 403 for user endpoints, so a separate PAT token is
-    # used for the container when provided.
-    os.environ["GITHUB_TOKEN"] = container_gh_token if container_gh_token else github_token
+    os.environ["GITHUB_TOKEN"] = github_token
     os.environ["CONTAINER_BUILD_RUN_ENABLED"] = "true"
     if not os.path.exists(input_output_parameters.output_dir):
         os.makedirs(input_output_parameters.output_dir)
 
+    # When an actor name and email are provided (e.g. when running under a GitHub App
+    # installation token), we shadow the /scripts/determine_name and
+    # /scripts/determine_email scripts inside the container with tiny override scripts
+    # that just echo the supplied values.  This avoids the GET /user and GET /user/emails
+    # API calls that those scripts make, which fail with 403 when the token is a GitHub
+    # App installation token (not a user-scoped PAT).
+    actor_tmpdir = None
+    actor_mounts = ""
+    if actor_name and actor_email:
+        actor_tmpdir = tempfile.mkdtemp(prefix="citus_pkg_actor_")
+        for script_name, value in [
+            ("determine_name", actor_name),
+            ("determine_email", actor_email),
+        ]:
+            script_path = os.path.join(actor_tmpdir, script_name)
+            with open(script_path, "w", encoding="utf-8") as f:
+                f.write(f"#!/bin/bash\nprintf '%s\\n' {shlex.quote(value)}\n")
+            os.chmod(script_path, 0o755)
+        actor_mounts = (
+            f"-v {actor_tmpdir}/determine_name:/scripts/determine_name:ro "
+            f"-v {actor_tmpdir}/determine_email:/scripts/determine_email:ro "
+        )
+
     docker_command = (
-        f"docker run --rm -v {input_output_parameters.output_dir}:/packages -v "
+        f"docker run --rm {actor_mounts}"
+        f"-v {input_output_parameters.output_dir}:/packages -v "
         f"{input_output_parameters.input_files_dir}:/buildfiles:ro "
         f"-e GITHUB_TOKEN -e PACKAGE_ENCRYPTION_KEY -e UNENCRYPTED_PACKAGE -e CONTAINER_BUILD_RUN_ENABLED "
         f"-e MSRUSTUP_PAT -e CRATES_IO_MIRROR_FEED_TOKEN -e INSTALL_RUST -e CI "
         f"citus/{docker_image_name}:{docker_platform}-{postgres_extension} {build_type.name}"
     )
 
     print(f"Executing docker command: {docker_command}")
-    output = run_with_output(docker_command, text=True)
+    try:
+        output = run_with_output(docker_command, text=True)
+    finally:
+        if actor_tmpdir:
+            shutil.rmtree(actor_tmpdir, ignore_errors=True)
 
-    if output.stdout:
-        print("Output:" + output.stdout)
     if output.returncode != 0:
-        raise ValueError(output.stderr)
+        raise ValueError(
+            "Docker command failed.\n"
+            f"Command: {docker_command}\n"
+            f"Exit code: {output.returncode}\n"
+            f"--- combined output (stdout+stderr) ---\n{output.stdout}\n"
+        )
 
     if input_output_parameters.output_validation:
         validate_output(
@@ -405,7 +436,8 @@ def build_packages(
     signing_credentials: SigningCredentials,
     input_output_parameters: InputOutputParameters,
     is_test: bool = False,
-    container_gh_token: str = "",
+    actor_name: str = "",
+    actor_email: str = "",
 ) -> None:
     os_name, os_version = decode_os_and_release(platform)
     release_versions, nightly_versions = get_postgres_versions(
@@ -454,7 +486,8 @@ def build_packages(
             postgres_docker_extension,
             input_output_parameters,
             is_test,
-            container_gh_token,
+            actor_name,
+            actor_email,
         )
         print(
             f"Package build for {os_name}-{os_version} for postgres {postgres_docker_extension} finished "
@@ -528,13 +561,19 @@ def tear_release_stage_from_package_version(package_version: str) -> str:
     parser = argparse.ArgumentParser()
     parser.add_argument("--gh_token", required=True)
     parser.add_argument(
-        "--container_gh_token",
+        "--actor_name",
+        required=False,
+        default="",
+        help="Committer name written into package changelogs. When set together with "
+             "--actor_email, the packaging container's determine_name and determine_email "
+             "scripts are overridden so that GET /user is never called. This allows "
+             "GitHub App installation tokens to be used without a PAT.",
+    )
+    parser.add_argument(
+        "--actor_email",
         required=False,
         default="",
-        help="Token used as GITHUB_TOKEN inside packaging containers. "
-             "Defaults to --gh_token when not set. Must be a user-scoped token "
-             "(PAT) because the packaging scripts call GET /user and GET /user/emails, "
-             "which are not accessible with GitHub App installation tokens.",
+        help="Committer email written into package changelogs. See --actor_name.",
     )
     parser.add_argument("--platform", required=False, choices=platform_names())
     parser.add_argument(
@@ -567,5 +606,6 @@ def tear_release_stage_from_package_version(package_version: str) -> str:
         sign_credentials,
         io_parameters,
         args.is_test,
-        args.container_gh_token,
+        args.actor_name,
+        args.actor_email,
     )
