All PRs get "Edited/blocked notification" when using `MEND_RNV_GITHUB_BOT_USER_ID` with Renovate CE

[simonhaenisch]

The problem is that when Renovate CE re-runs a repository, it always puts the "edited/blocked notification" comment on all PRs it created previously.

From what I understood from the debug logs, I think the problem might be our use of MEND_RNV_GITHUB_BOT_USER_ID, but not sure.

DEBUG: PR cache: Filtered 16 PRs to 14 (user=our-app[bot]) (repository=our-org/our-repo)

and

DEBUG: branch.isModified() = true (repository=our-org/our-repo, branch=our-branch)
       "branchName": "our-branch",
       "unrecognizedAuthors": ["<bot-user-id>+our-app[bot]@users.noreply.ghe.com"]

i.e. the unrecognized author with the <bot-user-id>+ prefix doesn't match the logged user for the PR filtering.

---

I tried getting Renovate to fetch the bot user ID by itself instead of providing it via env var, but the problem is that our Github Enterprise Cloud's API requires authentication for fetching the bot user, and it seems like it purposely unsets the auth before fetching the bot user:

 INFO: Using GitHub endpoint
       "endpoint": "https://api.our-company.ghe.com/"
DEBUG: hostRules: authentication already set for api.our-company.ghe.com

WARN: The following GitHub App permissions are required: vulnerability_alerts(read)

DEBUG: hostRules: no authentication for api.our-company.ghe.com

DEBUG: GET https://api.our-company.ghe.com/users/our-app[bot] = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=401 retryCount=0, duration=185)
ERROR: Failed to fetch bot user

I tried setting up a host rule for api.our-company.ghe.com (in various ways) with a personal access token but the 2nd debug log with "no authentication" just keeps happening.

Thus I cannot confirm that the PR "orphaning" wouldn't happen without MEND_RNV_GITHUB_BOT_USER_ID.

[simonhaenisch]

I also found this log line now which seems to confirm my suspicion:

INFO: Renovate Bot platform details
       "botData": {
         "id": 123,
         "name": "our-app",
         "botName": "our-app[bot]",
         "endpoint": "https://api.our-company.ghe.com/",
         "gitAuthor": "our-app[bot] <1234567+our-app[bot]@users.noreply.our-company.ghe.com>",
         "gitIgnoredAuthors": [
           "our-app[bot]@users.noreply.our-company.ghe.com"
         ],
         "platform": "github"
       }

i.e. the email in the gitAuthor field doesn't match the one pre-configured in gitIgnoredAuthors.

I tried gitAuthor and gitIgnoredAuthors in our renovate config file and via RENOVATE_ env var but that didn't have any effect (seems like Renovate CE enforces the config it prints there).

[simonhaenisch]

Found out that I can't change gitAuthor or gitIgnoredAuthors via config file cause env vars take precedence. So I tried RENOVATE_GIT_AUTHOR again and the weird thing is that when the worker runs on the repo, it does seem to pick it up and prints the correct author name and author email in the logs:

DEBUG: Setting git author name: Custom User (repository=our-org/our-repo, branch=our-branch)
DEBUG: Setting git author email: custom.user@our-company.com (repository=our-org/our-repo, branch=our-branch)

But when I look at the commit in our Github, it just uses the normal bot user name/email as printed in my previous message anyway 🤔

I tried using RENOVATE_GIT_IGNORED_AUTHORS as well, and in the combined config log it showed up as expected:

DEBUG: Combined config
       "config": {
         ...
         "gitIgnoredAuthors": [
           "1234567+our-app[bot]@users.noreply.our-company.ghe.com"
         ]

However it still "orphaned" the PR with "edited/blocked notification", indicating that this was also ignored in the end :/

[rarkins]

If platformCommit=true then GitHub determines the gitAuthor (and sets it to the id+name bot user).

If you set platformCommit=false then you'll lose the automatically signed commits and need to set up signing separately.

[simonhaenisch]

Thanks for mentioning that option, will have a look but ideally would want to be able to keep using "platform commits" then.

I actually noticed a tiny difference now only... when it says unrecognizedAuthors, the domain of the email address is "users.noreply.ghe.com", but the gitIgnoredAuthors is auto-configured with the domain "users.noreply.our-company.ghe.com" 🙈

Could this be a bug with how the automatic platform config works, or maybe there's a difference in the email address look-up depending on whether MEND_RNV_GITHUB_BOT_USER_ID is set or not?

[rarkins]

If you want to keep platformCommits (which I recommend) then you need to abandon gitAuthor.

There could be a bug with gitIgnoredAuthors although if so then somehow nobody else has been impacted or reported it.

The way that you are redacting everything means that the chances you made a mistake in redacting are also non-zero so we usually don't try to give "technical support" like this for free users - it's time-consuming.

[simonhaenisch]

K go it, and yeah I did abandon GIT_AUTHOR, but btw I don't think I made a mistake with the redacting. Overwriting RENOVATE_GIT_IGNORED_AUTHORS with

<bot-user-id>+<app-name>[bot]@users.noreply.ghe.com

fixed it, instead of leaving it as the default detected for the platform
(<app-name>[bot]@users.noreply.<company-sub-domain>.ghe.com).

The reason it wasn't working the first time I tried it was because I was using the wrong domain name for the email address.

[rarkins]

That's surprising to me how the email address omits your company part of the domain - seems almost like a github bug

[simonhaenisch]

🤔 or could it be that Renovate CE generates the git author email address incorrectly when using MEND_RNV_GITHUB_BOT_USER_ID on a Github Enterprise Cloud, because the env var prevents Renovate from fetching the correct email address via API?

[simonhaenisch]

At least the docs hint that this could be the case, based on the given example git author:

MEND_RNV_GITHUB_BOT_USER_ID: Optional: The bot user ID that will be used in gitAuthor (example author myBotName[bot] <123456+myBotName[bot]@users.noreply.github.com and the user id is 123456). The value can be found by calling https://api.github.com/users/{appName}[bot] under the id key (replace the {appName} with the actual app name).
Note: By default Renovate server will attempt to call this endpoint once during startup (both CE and EE server) and it does not require authentication. If you wish to skip this call for any reason you will need to provide the value in MEND_RNV_GITHUB_BOT_USER_ID=<id-number>

(https://github.com/mend/renovate-ce-ee/blob/main/docs/configuration-options.md#github-connection-variables)

[simonhaenisch]

Hm I see in the API response for curl https://api.<our-company>.ghe.com/users/<our-app>%5Bbot%5D that it returns

  "email": null

so maybe it's also that our GHE is configured in a way that doesn't allow fetching the bot user's email address, and thus there's some fallback mechanism that generates the email address with the @users.noreply.github.com domain 🤔