Describe the bug
This was mentioned in #901 and #938 and resolved in version frogbot v2.29.1, however I recently upgraded to v3.2.0 and the issue has returned. Confirmed the issue still exists in v3.3.0
Current behavior
When using github oidc based authentication frogbot fails to authenticate.
Frogbot
/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
16:30:41 [Info] Frogbot version: 3.3.0
16:30:41 [Info] Using API endpoint: https://api.github.com/
Error: 3 [Error] failed to get config profile for url 'https://artifacts-artefacts.devops.cloud-nuage.canada.ca/': "server response: 403 Forbidden"
Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1
however this worked in previous versions
Frogbot
/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
16:42:01 [Info] Frogbot version: 2.35.0
16:42:02 [Info] Using API endpoint: https://api.github.com/
16:42:02 [Info] Successfully downloaded frogbot-config.yml file from <KingBain/guest-inviter-service/main>
16:42:02 [Info] Running Frogbot "scan-pull-request" command
16:42:04 [Info] Scanning Pull Request #2 (from source branch: <KingBain/guest-inviter-service/renovate/net-dependencies> to target branch: <KingBain/guest-inviter-service/main>)
16:42:04 [Info] -----------------------------------------------------------
16:42:04 [Info] Getting resources (git repository: github.com/KingBain/guest-inviter-service.git, project: ssc-fsdh) active watches...
16:42:04 [Info] Found 1 active watches in the following resources - git repository: github.com/KingBain/guest-inviter-service.git, project: ssc-fsdh
16:42:06 [Info] Downloading source branch code...
16:42:06 [Info] guest-inviter-service repository downloaded successfully. Starting with repository extraction...
16:42:06 [Info] Extracted repository successfully
16:42:07 [Info] guest-inviter-service repository downloaded successfully. Starting with repository extraction...
16:42:07 [Info] Extracted repository successfully
16:42:09 [Warn] Requested technology dotnet but not found any indicators/descriptors in detection.
16:42:09 [Warn] Requested technology nuget but not found any indicators/descriptors in detection.
16:42:09 [Info] Generating SBOM...
16:42:09 [Info] Calculating NuGet dependencies...
Reproduction steps
Working config
---
name: GC SecureArtifacts Scan Pull Request
on:
pull_request:
branches:
- main
types:
- opened
- synchronize
- reopened
permissions:
contents: read
pull-requests: write
security-events: write
id-token: write
env:
JF_URL: https://artifacts-artefacts.devops.cloud-nuage.canada.ca
JF_PROJECT: ssc-fsdh
jobs:
scan-pull-request:
name: Scan Pull Request
runs-on: ubuntu-latest
environment: frogbot
steps:
- name: Setup JFrog CLI with OIDC
id: setup-jfrog-cli
uses: jfrog/setup-jfrog-cli@deda456d982fc5e9a7a020b63eb0d2968aedd33e # v5.1.0
env:
JFROG_CLI_AVOID_NEW_VERSION_WARNING: "true"
with:
oidc-provider-name: github-oidc
version: 2.91.0
- name: Verify JFrog authentication
shell: bash
env:
JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
run: |
set -euo pipefail
echo "Checking JFrog CLI authentication..."
jf rt ping
- name: Run Frogbot
uses: jfrog/frogbot@v2.35.0
env:
JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
JF_USER: ${{ steps.setup-jfrog-cli.outputs.oidc-user }}
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
JF_GIT_PROVIDER: github
JF_GIT_API_ENDPOINT: https://api.github.com
JF_GIT_OWNER: ${{ github.repository_owner }}
JF_GIT_REPO: ${{ github.event.repository.name }}
JF_GIT_BASE_BRANCH: main
JF_INSTALL_DEPS_CMD: "dotnet restore guest-inviter-service.sln"
Notworking config
---
name: GC SecureArtifacts Scan Pull Request
on:
pull_request:
branches:
- main
types:
- opened
- synchronize
- reopened
permissions:
contents: read
pull-requests: write
security-events: write
id-token: write
env:
JF_URL: https://artifacts-artefacts.devops.cloud-nuage.canada.ca
JF_PROJECT: ssc-fsdh
jobs:
scan-pull-request:
name: Scan Pull Request
runs-on: ubuntu-latest
environment: frogbot
steps:
- name: Setup JFrog CLI with OIDC
id: setup-jfrog-cli
uses: jfrog/setup-jfrog-cli@deda456d982fc5e9a7a020b63eb0d2968aedd33e # v5.1.0
env:
JFROG_CLI_AVOID_NEW_VERSION_WARNING: "true"
with:
oidc-provider-name: github-oidc
version: 2.91.0
- name: Verify JFrog authentication
shell: bash
env:
JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
run: |
set -euo pipefail
echo "Checking JFrog CLI authentication..."
jf rt ping
- name: Run Frogbot
uses: jfrog/frogbot@v3.2.1
env:
JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
JF_USER: ${{ steps.setup-jfrog-cli.outputs.oidc-user }}
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
JF_GIT_PROVIDER: github
JF_GIT_API_ENDPOINT: https://api.github.com
JF_GIT_OWNER: ${{ github.repository_owner }}
JF_GIT_REPO: ${{ github.event.repository.name }}
JF_GIT_BASE_BRANCH: main
JF_INSTALL_DEPS_CMD: "dotnet restore guest-inviter-service.sln"
Expected behavior
I expected frogbot to authenticate and scan the PR
JFrog Frogbot version
Multiple
Package manager info
nuget
Git provider
GitHub
JFrog Frogbot configuration yaml file
.frogbot/frogbot-config.yml
-
params:
git:
repoName: guest-inviter-service
branches:
- main
aggregateFixes: true
branchNameTemplate: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
commitMessageTemplate: "fix(deps): upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
pullRequestTitleTemplate: "[Frogbot] Fix vulnerable dependency: ${IMPACTED_PACKAGE}"
scan:
includeAllVulnerabilities: false
failOnSecurityIssues: true
fixableOnly: false
minSeverity: High
projects:
- workingDirs:
- "."
installCommand: "dotnet restore guest-inviter-service.sln"
Operating system type and version
github runner
JFrog Xray version
No response
Describe the bug
This was mentioned in #901 and #938 and resolved in version frogbot v2.29.1, however I recently upgraded to v3.2.0 and the issue has returned. Confirmed the issue still exists in v3.3.0
Current behavior
When using github oidc based authentication frogbot fails to authenticate.
however this worked in previous versions
Reproduction steps
Working config
Notworking config
Expected behavior
I expected frogbot to authenticate and scan the PR
JFrog Frogbot version
Multiple
Package manager info
nuget
Git provider
GitHub
JFrog Frogbot configuration yaml file
.frogbot/frogbot-config.yml
params:
git:
repoName: guest-inviter-service
branches:
- main
aggregateFixes: true
branchNameTemplate: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
commitMessageTemplate: "fix(deps): upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
pullRequestTitleTemplate: "[Frogbot] Fix vulnerable dependency: ${IMPACTED_PACKAGE}"
scan:
includeAllVulnerabilities: false
failOnSecurityIssues: true
fixableOnly: false
minSeverity: High
Operating system type and version
github runner
JFrog Xray version
No response