Description
- fabricClient 682ougd39849 /io.defang.v1.FabricController/CheckToS null
- tracking event "WHOAMI INVOKED": [{args []} {err failed_precondition: you must agree to the terms of service first; please accept the terms in the Defang Portal https://portal.defang.io}/ {non-interactive true} {provider auto} {CalledAs whoami} {version 3.0.3-3a59d392-nightly}]
- Server error: failed_precondition: you must agree to the terms of service first; please accept the terms in the Defang Portal https://portal.defang.io/
Error: you must agree to the terms of service first; please accept the terms in the Defang Portal https://portal.defang.io/
It is not obvious to users that when setting up OIDC with GitHub, deployments will fail (or not trigger) under certain conditions. Specifically, once a GitHub repository is connected, it is not apparent that any collaborator pushing a commit will not automatically trigger a redeploy unless they are also a Defang workspace member.
Right now, the implicit requirement is that the GitHub user who triggers the action must also be a Defang member. This is unexpected behavior and caused confusion during setup.
Current behavior
• A GitHub repo is connected via OIDC
• Another collaborator (who has push access to the repo) pushes a commit
• The GitHub Action does not redeploy
• There is no clear indication explaining why this failed or what requirement is missing
For example:
I had deployed the crew sample after setting up the AWS trust. The first commit/action was run automatically by creating the repo. Then I wanted to make a small HTML change and redeploy from my local machine. Since I did not have that new Git user set up on my machine, I pushed a change from my main GitHub account by adding it as a collaborator to the repo. Then the second commit/action failed because my main GitHub account is not added to the same Defang workspace (hypothesis); the main account has a Pro tier sub. Then, as a test, I pushed a third commit/action to the repo with the GitHub owner of the repo and it worked.

Expected / desired clarity
• Users should have a clear indication (error message, docs, or UI hint) explaining why deployments triggered by a different GitHub user do not work
• Collaborators should know upfront whether their commits will trigger redeploys or not
• It should be explicit whether adding someone as a GitHub collaborator is sufficient, or whether they must also be added to the Defang workspace
Open questions
• Can this be worked around by adding the GitHub user to the Defang workspace, or is that a separate concern?
• What is the intended long-term behavior?
Proposed direction (to discuss)
• For public repositories: allow deployments to be triggered by commits from any user
• For private repositories: restrict deployments to users who are part of the Defang workspace / paid workgroup
This likely needs a product decision, but at minimum we should improve user-facing feedback so this behavior is not surprising.
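
A sketch of the proposed direction with an explicit denial message, added here as an example and not Defang's code. `actor`, `repository` and `repository_visibility` are claims GitHub places in its Actions OIDC token; the member set, function names and message wording are assumptions, and the token is assumed to have been signature-verified already.

```python
import base64
import json

def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload. No signature check is done here: this sketch
    assumes the token was already verified against the issuer's JWKS."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorize_deploy(claims: dict, workspace_members: set) -> tuple:
    """Apply the proposed policy and return (allowed, user-facing message).
    workspace_members is a hypothetical set of lowercased GitHub logins."""
    actor = claims.get("actor", "")
    repo = claims.get("repository", "")
    # A missing visibility claim is treated as private, so the check fails closed.
    visibility = claims.get("repository_visibility", "private")
    if visibility == "public":
        return True, f"deploy allowed: {repo} is public"
    if actor.lower() in workspace_members:
        return True, f"deploy allowed: {actor} is a workspace member"
    return False, (
        f"deploy denied: GitHub user '{actor}' pushed to private repo {repo} "
        "but is not a member of the workspace; being a repo collaborator is "
        "not sufficient, add this user to the workspace"
    )

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real GitHub token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

if __name__ == "__main__":
    members = {"repo-owner"}  # constructed workspace membership
    for actor in ("repo-owner", "Collaborator1"):
        token = make_sample_token({
            "actor": actor,
            "repository": "example-org/crew-sample",  # constructed repo name
            "repository_visibility": "private",
        })
        print(authorize_deploy(decode_claims(token), members))
```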