Description
After the v1.18.0 release, gh gei migrate-secret-alerts is not working as expected because the access tokens provided in the CLI arguments are not picked up.
It now asks for the GH_PAT environment variable to be defined, which was not necessary before. Once defined, it seems that it is used as the token for both --github-source-pat and --github-target-pat, which is obviously not correct for cases when the source and target repositories are in different organizations where access is provided for each org.
Reproduction Steps
Defining the vars and running the command gives the "GH_PAT environment variable is not set" error:
SOURCE_ORG=thez-org
SOURCE_REPO=gitlab-foss
SOURCE_PAT=gho_token1
DESTINATION_ORG=theztefan-enterprise-org
DESTINATION_REPO=target
DESTINATION_PAT=ghs_token2
gh gei migrate-secret-alerts \
--source-org "${SOURCE_ORG}" \
--source-repo "${SOURCE_REPO}" \
--target-org "${DESTINATION_ORG}" \
--target-repo "${DESTINATION_REPO}" \
--github-source-pat "${SOURCE_PAT}" \
--github-target-pat "${DESTINATION_PAT}" \
--verbose
[2025-08-08 14:15:24] [INFO] You are running an up-to-date version of the gei CLI [v1.18.0]
[2025-08-08 14:15:24] [INFO] SOURCE ORG: thez-org
[2025-08-08 14:15:24] [INFO] SOURCE REPO: gitlab-foss
[2025-08-08 14:15:24] [INFO] TARGET ORG: theztefan-enterprise-org
[2025-08-08 14:15:24] [INFO] TARGET REPO: target
[2025-08-08 14:15:24] [INFO] GITHUB SOURCE PAT: ***
[2025-08-08 14:15:24] [INFO] GITHUB TARGET PAT: ***
[2025-08-08 14:15:24] [INFO] VERBOSE: true
[2025-08-08 14:15:24] [ERROR] OctoshiftCLI.OctoshiftCliException: GH_PAT environment variable is not set.
at OctoshiftCLI.Services.EnvironmentVariableProvider.GetValue(String name, Boolean throwIfNotFound)
at OctoshiftCLI.Services.EnvironmentVariableProvider.GetSecret(String secretName, Boolean throwIfNotFound)
at OctoshiftCLI.Services.EnvironmentVariableProvider.TargetGithubPersonalAccessToken(Boolean throwIfNotFound)
at OctoshiftCLI.Services.EnvironmentVariableProvider.SourceGithubPersonalAccessToken(Boolean throwIfNotFound)
at OctoshiftCLI.Factories.GithubApiFactory.OctoshiftCLI.Contracts.ISourceGithubApiFactory.Create(String apiUrl, String uploadsUrl, String sourcePersonalAccessToken)
at OctoshiftCLI.GithubEnterpriseImporter.Factories.SecretScanningAlertServiceFactory.Create(String sourceApi, String sourceToken, String targetApi, String targetToken, Boolean sourceApiNoSsl)
at OctoshiftCLI.GithubEnterpriseImporter.Commands.MigrateSecretAlerts.MigrateSecretAlertsCommand.BuildHandler(MigrateSecretAlertsCommandArgs args, IServiceProvider sp)
at OctoshiftCLI.Extensions.CommandExtensions.RunHandler[TArgs,THandler](TArgs args, ServiceProvider sp, CommandBase`2 command)
at OctoshiftCLI.Extensions.CommandExtensions.<>c__DisplayClass1_0`3.<<ConfigureCommand>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Invocation.AnonymousCommandHandler.InvokeAsync(InvocationContext)
at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass17_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass12_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseVersionOption>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass19_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__18_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__5_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass8_0.<<UseExceptionHandler>b__0>d.MoveNext()
Setting a GH_PAT and then running the command shows that the GH_PAT is used for both the source and the target:
SOURCE_ORG=thez-org
SOURCE_REPO=gitlab-foss
SOURCE_PAT=gho_token1
DESTINATION_ORG=theztefan-enterprise-org
DESTINATION_REPO=target
DESTINATION_PAT=ghs_token2
export GH_PAT=${SOURCE_PAT}
[2025-08-08 14:24:11] [INFO] You are running an up-to-date version of the gei CLI [v1.18.0]
[2025-08-08 14:24:11] [INFO] SOURCE ORG: thez-org
[2025-08-08 14:24:11] [INFO] SOURCE REPO: gitlab-foss
[2025-08-08 14:24:11] [INFO] TARGET ORG: theztefan-enterprise-org
[2025-08-08 14:24:11] [INFO] TARGET REPO: target
[2025-08-08 14:24:11] [INFO] GITHUB SOURCE PAT: ***
[2025-08-08 14:24:11] [INFO] GITHUB TARGET PAT: ***
[2025-08-08 14:24:11] [INFO] VERBOSE: true
[2025-08-08 14:24:11] [INFO] Migrating Secret Scanning Alerts...
[2025-08-08 14:24:11] [INFO] Migrating Secret Scanning Alerts from 'thez-org/gitlab-foss' to 'theztefan-enterprise-org/target'
[2025-08-08 14:24:11] [DEBUG] HTTP GET: https://api.github.com/repos/thez-org/gitlab-foss/secret-scanning/alerts?per_page=100
[2025-08-08 14:24:11] [DEBUG] GITHUB REQUEST ID: EF3E:3811AC:726241:6A6762:6895EC6B
[2025-08-08 14:24:11] [DEBUG] RESPONSE (OK): [{"number":45,"created_at":"2025-07-29T22:16:20Z","updated_at":"2025-07-29T22:16:20Z","url":"https://api.github.com/repos/thez-org/gitlab-f
--- redacted debug msgs that show secret scanning alert data is fetched correctly from source repo ---
...
Getting to the next step, where the command should pull alerts from the target repo, we see that the calls fail even though the github-target-pat is valid, which implies that the same GH_PAT token is used and not the one provided as a CLI argument.
[2025-08-08 14:24:18] [DEBUG] HTTP GET: https://api.github.com/repos/theztefan-enterprise-org/target/secret-scanning/alerts?per_page=100
[2025-08-08 14:24:18] [DEBUG] GITHUB REQUEST ID: EF3E:3811AC:72894B:6A8BFC:6895EC72
[2025-08-08 14:24:18] [DEBUG] RESPONSE (NotFound): {"message":"Not Found","documentation_url":"https://docs.github.com/rest/secret-scanning/secret-scanning#list-secret-scanning-alerts-for-a-repository","status":"404"}
[2025-08-08 14:24:18] [DEBUG] [HTTP ERROR 404] System.Net.Http.HttpRequestException: GitHub API error: {"message":"Not Found","documentation_url":"https://docs.github.com/rest/secret-scanning/secret-scanning#list-secret-scanning-alerts-for-a-repository","status":"404"}
---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at OctoshiftCLI.Services.GithubClient.SendAsync(HttpMethod httpMethod, String url, Object body, HttpStatusCode expectedStatus, Dictionary`2 customHeaders)
--- End of inner exception stack trace ---
at OctoshiftCLI.Services.GithubClient.SendAsync(HttpMethod httpMethod, String url, Object body, HttpStatusCode expectedStatus, Dictionary`2 customHeaders)
at OctoshiftCLI.Services.GithubClient.<>c__DisplayClass20_0.<<GetWithRetry>b__0>d.MoveNext()
...
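
The token selection described in this report can be modelled as a small regression check. This is an added example, not part of the original issue and not gh-gei source code. The function names are hypothetical, `resolve_observed` only mirrors the behaviour shown in the logs above, and the token strings are the placeholders from the reproduction steps.

```bash
#!/usr/bin/env bash
# Added example: models the token selection described in the report.
# All function names are hypothetical; this is not gh-gei source code.

# Behaviour observed in v1.18.0 per the report: the CLI value ($1) is ignored,
# GH_PAT is required and is used for whichever side is being resolved.
resolve_observed() {
  [ -n "${GH_PAT:-}" ] || { echo "GH_PAT environment variable is not set." >&2; return 1; }
  printf '%s' "$GH_PAT"
}

# Behaviour the reporter expects: an explicit CLI value wins, and GH_PAT is
# only a fallback when no value was passed for that side.
resolve_expected() {
  if [ -n "${1:-}" ]; then printf '%s' "$1"; return 0; fi
  [ -n "${GH_PAT:-}" ] || { echo "no token supplied" >&2; return 1; }
  printf '%s' "$GH_PAT"
}

# Run one scenario: $1 resolver, $2 source arg, $3 target arg, $4 GH_PAT value.
# Prints "<source>|<target>", or "ERROR" if either side cannot be resolved.
scenario() {
  local resolver=$1 src tgt
  if [ -n "$4" ]; then export GH_PAT=$4; else unset GH_PAT; fi
  src=$("$resolver" "$2" 2>/dev/null) || { echo ERROR; return 0; }
  tgt=$("$resolver" "$3" 2>/dev/null) || { echo ERROR; return 0; }
  echo "${src}|${tgt}"
}

# Count the environments (GH_PAT unset, set to the source token, set to the
# target token) in which a resolver fails to honour both explicit tokens.
count_violations() {
  local resolver=$1 bad=0 env
  for env in "" "gho_token1" "ghs_token2"; do
    [ "$(scenario "$resolver" gho_token1 ghs_token2 "$env")" = "gho_token1|ghs_token2" ] \
      || bad=$((bad + 1))
  done
  echo "$bad"
}

echo "observed: $(count_violations resolve_observed) of 3 environments wrong"
echo "expected: $(count_violations resolve_expected) of 3 environments wrong"
```

With GH_PAT set to the source token, the observed model resolves the target side to the source token as well, which matches the 404 on the target repository in the log above.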