"Bad Token" With Github Action Deployment via kalix-actions

I am starting to deploy services to Kalix now and while it works fine from the command line, it isn’t working from a github action as it fails with this:
Error: unable to create token: rpc error: code = Unauthenticated desc = Bad token
You can find the code for it here.
And the full workflow output is here

The Github Secret named KALIX_TOKEN is set to a token value that has “execution” scope and “refresh” status. Does it need something else? Is the error even related to the Kalix token?

Looking at your deploy, quick question… why are you storing your repository name as a secret? Have you tried simply specify the image name; xxx/xxx:tag?

Hi Jim,

the REPO_HOST secret is the path prefix to the Docker image repository that we are pulling images from. In our case it is the three-part path to our GCR repository.

i.e. if we did as you suggest, I believe Kalix would default to docker hub, but wouldn’t find the image there.

Isn’t there a docker push missing there to actually publish the built image to the repository before trying to deploy it? (I only see packageBin and Docker/publishLocal)

The sbt-native-packager command Docker/publishLocal creates the Docker image and pushes it successfully to our Docker repository. This much I have successfully verified. The problem is with the kalix services deploy command. I’m really just asking what “Bad Token” means in the error message it produces.

I see. Sure looks like something wrong with the token, can you try using the token manually outside of ci as described in Integrate with CI/CD tools :: Kalix Documentation to verify that the token works at all?

reid@Reids-Mac-mini ~ % export KALIX_TOKEN=
reid@Reids-Mac-mini ~ % kalix config set refresh-token $KALIX_TOKEN

That much worked fine. The documentation you referenced doesn’t indicate any other ways to use the token. Is there something else I should try? Also it is an “execution” scoped token not “all” scoped. The docs say CI/CD tokens should be “execution” but perhaps it should be “all” ?

You are right, the problem is that the scope from the docs is not enough, it needs at least both projects and execution. I can’t see there is a way to list more than one scope so all is probably the way to go for now.

I’m afraid I was a bit vague when I asked you to try it manually, the steps you have tried only sets the token in ~/.kalix/config.yaml (which probably messes with your logged in user).

If you want to try it out manually you’ll have to:

  • Use a different account on your machine, a different machine/docker container, or temporarily move the file ~/.kalix/config.yaml out of the way so that you are not authenticated/logged in.

  • Run the kalix config set refresh-token [token......] which will create a new config.yaml

  • Try to deploy an artifact to see that the token works. Since it now started from empty you’d need to specify the project you are deploying to, something kalix service deploy myservice use/image:tag --project=my-project

Hi Johan,

I seem to have moved beyond the token problem. The deployment via GitHub action is now executing the kalix service deploy command. It still doesn’t work as it can’t find the image, but I’ll start another topic on that front.

Thanks for your help with this one!