How to handle the GitHub token for the Jupyter Releaser?

[jtpio]

Problem

Today I hit the following issue when trying to make a new release of JupyterLab:

+ python -m jupyter_releaser.actions.prep_release
Getting GitHub connection for jupyterlab/jupyterlab
Getting permission level for jtpio
HTTP Error 401: Unauthorized
====Error Body====
{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}

Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/jupyter_releaser/actions/prep_release.py", line 9, in <module>
    setup(False)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/jupyter_releaser/actions/common.py", line 19, in setup
    return prepare_environment(fetch_draft_release=fetch_draft_release)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/jupyter_releaser/util.py", line 615, in prepare_environment
    raise RuntimeError(
RuntimeError: Could not get user permission level, assuming user was not admin!

This prevented me from using the releaser bot for making the release. I don't have access to the bot account or the Jupyter shared 1Password, so it was not possible for me to update the token and resume the release from the repo.

Fortunately it is still possible to use a fork of the releaser to make the release. This worked as a workaround but for transparency and consistency it would be great to always make releases from the JupyterLab repo.

Proposed Solution

There has been some discussion about how to handle the GitHub token in jupyterlab/jupyterlab#14176 (comment).

It would be good to have some process in place to:

• either use a non-expiring token to avoid such issues
• or remind someone with access to the bot account to renew the token and set it as a GitHub Actions secret

Additional context

This is also documented in jupyterlab/jupyterlab#14431.

Failed releaser run: https://github.com/jupyterlab/jupyterlab/actions/runs/4794399088/jobs/8527738241

cc @jupyterlab/release for awareness

[fcollonval]

Thanks for opening this @jtpio

I think the proposal of Steve to give access to the password vault to SSC members is a good way to smooth the issue.

[blink1073]

I opened jupyter-server/jupyter_releaser#505 to track a method to avoid using this token altogether.

[jtpio]

@blink1073 @fcollonval looks like I'm getting the same issue again today when trying to make a new JupyterLab release:

https://github.com/jupyterlab/jupyterlab/actions/runs/6485418200/job/17611833242

I supposed this is because the ADMIN_GITHUB_TOKEN has expired, as it's been 3 months since it was last updated?

[jtpio]

Would generating a fine-grained token with "JupyterLab" as the owner work, instead of generating a token for the bot account? (https://github.com/jupyterlab-bot)

[jtpio]

Looks like we would indeed need a new token as per the discussion linked above: jupyterlab/jupyterlab#14176 (comment)

[krassowski]

I'm on it. I see that secretes for jupyterlab_server, lumino, maintainer-tools and pytest-check-links were updated yesterday but jupyterlab seems to have been missed.

I will regenerate the token, and update it in all four repositories after testing that it works with JupyterLab.

[blink1073]

I updated the other ones yesterday, I missed this one. @krassowski it would be good to see if a fine-grained token works if you want to try that. If not, I'll use the one from the vault.

[krassowski]

Sorry, already regenerated. I see what you mean, will update it. Thanks for all the work in the background on making it a smooth experience!

[krassowski]

@blink1073 it looks like the October token for JupyterLab has expired (I was not able to proceed with release and it was just over 3 months since it was regernerated); were you planning on updating the tokens this week?

[blink1073]

Sigh, I missed that one, now updated. I'm working on making this self-service, hopefully before the next deadline...

[jtpio]

Looks like we can close this issue, as JupyterLab now uses a GitHub app instead of a release bot.

Information about the GitHub app is located in the Jupyter 1Password. But we don't need to refresh the tokens anymore with this approach.

Thanks @blink1073 for fixing this in jupyter-server/jupyter_releaser#557 !