From 42296a354e2a5e07af08961d648536127a6e472d Mon Sep 17 00:00:00 2001 From: Thomas Kastl Date: Tue, 27 Sep 2022 17:36:21 +0200 Subject: [PATCH 1/7] Update regarding rate limit issues I added subsections and also the full error message to make it easier to find, since I expect most people (like me) will stumble upon this after running into the rate limit message and might not even realise that it usually happens on GHES. Once the change is in a release version, the full hash ID of the commit should be replace with the release version id. --- docs/advanced-usage.md | 45 +++++++++++++++++++++++++++++++++++------- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 243be4335..7ffad6165 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -469,17 +469,48 @@ One quick way to grant access is to change the user and group of `/Users/runner/ -## Using `setup-python` on GHES +## Using `setup-python` on GHES: -`setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks like: `##[error]API rate limit exceeded for...`. +### Avoiding rate limit issues -To get a higher rate limit, you can [generate a personal access token on github.com](https://github.com/settings/tokens/new) and pass it as the `token` input for the action: +`setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks like: `##[error]API rate limit exceeded for YOUR_IP. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)`. + +To get a higher rate limit, you can [generate a personal access token (PAT) on github.com](https://github.com/settings/tokens/new) and pass it as the `token` input for the action. It is important to understand that this needs to be a token from github.com and _not_ from your Github Enterprise account. If you or your colleagues do not yet have a github.com account, you might need to create one. + +Here are the steps you need to follow to avoid the rate limit: + +1. Create a PAT on any github.com account by using [this link](https://github.com/settings/tokens/new) after logging into github.com (not your Enterprise instance). This PAT does _not_ need any rights, so make sure all the boxes are unchecked. +2. Store this PAT in the repository / organization where you run your action, e.g. as `GH_GITHUB_COM_TOKEN`. You can do this by navigating to your repository -> Settings -> Secrets -> Actions -> "New repository secret". +3. Since this functionality is not yet merged into any release version, for now, use the action with the hash below. Once this is merged into main, use the "normal" action like `@v4`. Also, change _python-version_ as needed. ```yml -uses: actions/setup-python@v4 -with: - token: ${{ secrets.GH_DOTCOM_TOKEN }} - python-version: 3.11 +- name: Set up Python + uses: actions/setup-python@98c991d13f3149457a7c1ac4083885d0d9db98e1 + with: + python-version: 3.8 + token: ${{ secrets.GH_GITHUB_COM_TOKEN }} +``` + +Requests should now be authenticated. To actually check this is however difficult, since caching as well as the hourly rate reset make it hard to know. Here is how you can check success: + +1. Enable debugging for your github actions by following [these instructions](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) +2. If you do not have access to your github runner's console, start a job with a `python-version` that you are sure wasn't used yet to avoid it simply being read from cache. +3. In your github action logs, check for the following line: + +``` + Version 3.8 was not found in the local cache + ##[debug]Getting manifest from actions/python-versions@main + ##[debug]set auth <--- Make sure this line exists. + ##[debug]check 3.11.0-rc.2 satisfies 3.8 +``` + +4. If you have access to your runner's console, you can manually trigger the rate limit by running the following line 60 times (or less, until you get an error response): + +``` + curl -I https://api.github.com/users/octocat/orgs ``` + +5. Now, trigger your github action run. It will fail if auth was not successful, but run through if it was. +### No access to github.com If the runner is not able to access github.com, any Python versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information. From 390c51f3946d5d51fa8faa04deff740a825bdceb Mon Sep 17 00:00:00 2001 From: Thomas Kastl Date: Tue, 27 Sep 2022 17:37:25 +0200 Subject: [PATCH 2/7] Header change Minor style issue. --- docs/advanced-usage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 7ffad6165..f2f35380a 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -469,7 +469,7 @@ One quick way to grant access is to change the user and group of `/Users/runner/ -## Using `setup-python` on GHES: +## Using `setup-python` on GHES ### Avoiding rate limit issues From 5cb1b8966bc37c78c714fa330e56542bc71be37e Mon Sep 17 00:00:00 2001 From: Thomas Kastl Date: Wed, 28 Sep 2022 09:28:34 +0200 Subject: [PATCH 3/7] Apply suggestions from code review Co-authored-by: Brian Cristante <33549821+brcrista@users.noreply.github.com> --- docs/advanced-usage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index f2f35380a..a35116a43 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -475,12 +475,12 @@ One quick way to grant access is to change the user and group of `/Users/runner/ `setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks like: `##[error]API rate limit exceeded for YOUR_IP. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)`. -To get a higher rate limit, you can [generate a personal access token (PAT) on github.com](https://github.com/settings/tokens/new) and pass it as the `token` input for the action. It is important to understand that this needs to be a token from github.com and _not_ from your Github Enterprise account. If you or your colleagues do not yet have a github.com account, you might need to create one. +To get a higher rate limit, you can [generate a personal access token (PAT) on github.com](https://github.com/settings/tokens/new) and pass it as the `token` input for the action. It is important to understand that this needs to be a token from github.com and _not_ from your GHES instance. If you or your colleagues do not yet have a github.com account, you might need to create one. Here are the steps you need to follow to avoid the rate limit: 1. Create a PAT on any github.com account by using [this link](https://github.com/settings/tokens/new) after logging into github.com (not your Enterprise instance). This PAT does _not_ need any rights, so make sure all the boxes are unchecked. -2. Store this PAT in the repository / organization where you run your action, e.g. as `GH_GITHUB_COM_TOKEN`. You can do this by navigating to your repository -> Settings -> Secrets -> Actions -> "New repository secret". +2. Store this PAT in the repository / organization where you run your workflow, e.g. as `GH_GITHUB_COM_TOKEN`. You can do this by navigating to your repository -> **Settings** -> **Secrets** -> **Actions** -> **New repository secret**. 3. Since this functionality is not yet merged into any release version, for now, use the action with the hash below. Once this is merged into main, use the "normal" action like `@v4`. Also, change _python-version_ as needed. ```yml From de9c411c81fd9f7280933d9903e92eedd135cd17 Mon Sep 17 00:00:00 2001 From: Thomas Kastl Date: Wed, 28 Sep 2022 14:11:49 +0200 Subject: [PATCH 4/7] Integrate feedback from PR - Move debug text to own line - Shorten section about checking auth --- docs/advanced-usage.md | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index a35116a43..5f9253ce4 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -473,7 +473,9 @@ One quick way to grant access is to change the user and group of `/Users/runner/ ### Avoiding rate limit issues -`setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks like: `##[error]API rate limit exceeded for YOUR_IP. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)`. +`setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks like: + + ##[error]API rate limit exceeded for YOUR_IP. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) To get a higher rate limit, you can [generate a personal access token (PAT) on github.com](https://github.com/settings/tokens/new) and pass it as the `token` input for the action. It is important to understand that this needs to be a token from github.com and _not_ from your GHES instance. If you or your colleagues do not yet have a github.com account, you might need to create one. @@ -491,26 +493,18 @@ Here are the steps you need to follow to avoid the rate limit: token: ${{ secrets.GH_GITHUB_COM_TOKEN }} ``` -Requests should now be authenticated. To actually check this is however difficult, since caching as well as the hourly rate reset make it hard to know. Here is how you can check success: +Requests should now be authenticated. To ensure this was set up correctly, if you have access to your runner, you can simply test this with Github's [rate limit API](https://docs.github.com/en/rest/rate-limit). However, if you do not have access to your runner, you can confirm authentication via the following workaround: 1. Enable debugging for your github actions by following [these instructions](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) -2. If you do not have access to your github runner's console, start a job with a `python-version` that you are sure wasn't used yet to avoid it simply being read from cache. +2. Start a job with a `python-version` that you are sure wasn't used before to avoid it simply being read from cache. 3. In your github action logs, check for the following line: ``` Version 3.8 was not found in the local cache ##[debug]Getting manifest from actions/python-versions@main - ##[debug]set auth <--- Make sure this line exists. + ##[debug]set auth <-------- Make sure this line exists. ##[debug]check 3.11.0-rc.2 satisfies 3.8 ``` -4. If you have access to your runner's console, you can manually trigger the rate limit by running the following line 60 times (or less, until you get an error response): - -``` - curl -I https://api.github.com/users/octocat/orgs -``` - -5. Now, trigger your github action run. It will fail if auth was not successful, but run through if it was. - ### No access to github.com If the runner is not able to access github.com, any Python versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information. From 26baaecc757312f7361b3dcb7b6f3297f7c03c91 Mon Sep 17 00:00:00 2001 From: Thomas Kastl Date: Thu, 20 Oct 2022 19:22:30 +0200 Subject: [PATCH 5/7] Update advanced-usage.md Adapt to reviewer input --- docs/advanced-usage.md | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 5f9253ce4..e5a6be468 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -487,24 +487,13 @@ Here are the steps you need to follow to avoid the rate limit: ```yml - name: Set up Python - uses: actions/setup-python@98c991d13f3149457a7c1ac4083885d0d9db98e1 + uses: actions/setup-python@4.3 with: python-version: 3.8 token: ${{ secrets.GH_GITHUB_COM_TOKEN }} ``` -Requests should now be authenticated. To ensure this was set up correctly, if you have access to your runner, you can simply test this with Github's [rate limit API](https://docs.github.com/en/rest/rate-limit). However, if you do not have access to your runner, you can confirm authentication via the following workaround: - -1. Enable debugging for your github actions by following [these instructions](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) -2. Start a job with a `python-version` that you are sure wasn't used before to avoid it simply being read from cache. -3. In your github action logs, check for the following line: - -``` - Version 3.8 was not found in the local cache - ##[debug]Getting manifest from actions/python-versions@main - ##[debug]set auth <-------- Make sure this line exists. - ##[debug]check 3.11.0-rc.2 satisfies 3.8 -``` +Requests should now be authenticated. To verify that you are getting the higher rate limit, you can call GitHub's [rate limit API](https://docs.github.com/en/rest/rate-limit) from within your workflow ((example)[https://github.com/actions/setup-python/pull/443#issuecomment-1206776401]). ### No access to github.com If the runner is not able to access github.com, any Python versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information. From 04af828ba290cd358db93e4f222c520aafaebce4 Mon Sep 17 00:00:00 2001 From: Thomas Kastl Date: Thu, 20 Oct 2022 19:27:36 +0200 Subject: [PATCH 6/7] Update advanced-usage.md Further adaptions to version change & typos. --- docs/advanced-usage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index e5a6be468..0f96784a9 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -473,7 +473,7 @@ One quick way to grant access is to change the user and group of `/Users/runner/ ### Avoiding rate limit issues -`setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks like: +`setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that look like this: ##[error]API rate limit exceeded for YOUR_IP. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) @@ -483,11 +483,11 @@ Here are the steps you need to follow to avoid the rate limit: 1. Create a PAT on any github.com account by using [this link](https://github.com/settings/tokens/new) after logging into github.com (not your Enterprise instance). This PAT does _not_ need any rights, so make sure all the boxes are unchecked. 2. Store this PAT in the repository / organization where you run your workflow, e.g. as `GH_GITHUB_COM_TOKEN`. You can do this by navigating to your repository -> **Settings** -> **Secrets** -> **Actions** -> **New repository secret**. -3. Since this functionality is not yet merged into any release version, for now, use the action with the hash below. Once this is merged into main, use the "normal" action like `@v4`. Also, change _python-version_ as needed. +3. To use this functionality, you need to use any version newer than `v4.3`. Also, change _python-version_ as needed. ```yml - name: Set up Python - uses: actions/setup-python@4.3 + uses: actions/setup-python@4 with: python-version: 3.8 token: ${{ secrets.GH_GITHUB_COM_TOKEN }} From 6796e79944fbe4086132000945d0c69a8a3684a3 Mon Sep 17 00:00:00 2001 From: Brian Cristante <33549821+brcrista@users.noreply.github.com> Date: Mon, 24 Oct 2022 17:02:54 -0400 Subject: [PATCH 7/7] Fix Markdown link syntax --- docs/advanced-usage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 0f96784a9..9fc41aeaa 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -493,7 +493,7 @@ Here are the steps you need to follow to avoid the rate limit: token: ${{ secrets.GH_GITHUB_COM_TOKEN }} ``` -Requests should now be authenticated. To verify that you are getting the higher rate limit, you can call GitHub's [rate limit API](https://docs.github.com/en/rest/rate-limit) from within your workflow ((example)[https://github.com/actions/setup-python/pull/443#issuecomment-1206776401]). +Requests should now be authenticated. To verify that you are getting the higher rate limit, you can call GitHub's [rate limit API](https://docs.github.com/en/rest/rate-limit) from within your workflow ([example](https://github.com/actions/setup-python/pull/443#issuecomment-1206776401)). ### No access to github.com If the runner is not able to access github.com, any Python versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information.