powerplatform-actions icon indicating copy to clipboard operation
powerplatform-actions copied to clipboard
verified publisher icon microsoft

Async import-solution action times out after 1 hour but solution gets imported anyway

Open nkirstein opened this issue 4 years ago • 2 comments

I'm using the pack-solution and import-solution actions to import an unmanaged solution from a GH repo to a dev environment. This is how I use the import-solution action:

- name: Import unmanaged solution to dev
      uses: microsoft/powerplatform-actions/import-solution@v0
      with:
        environment-url: ${{ env.DEV_URL }}
        app-id: ${{ env.APP_ID }}
        client-secret: ${{ secrets.CLIENT_SECRET }}
        tenant-id: ${{ env.TENANT_ID }}
        solution-file: out/solutions/${{ env.SOLUTION }}.zip
        run-asynchronously: true
        force-overwrite: true
        publish-changes: true

Most of the time this works as expected, but sometimes the action runs for an hour and then times out with Error: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. But when I check the target environment, the solution has actually been imported and works just fine.

I've experienced this with different solutions and different environments. It's also happened with small solutions that usually only take a few minutes to import. Any ideas why this might be happening? It's a bit frustrating because every time this happens a full 60 minutes of run time get added to your billable GH actions minutes.

nkirstein avatar Jun 03 '21 10:06 nkirstein

@nkirstein the underlying reason for the authN error is that for appID/clientSecret, the MSAL library offers no way to refresh the OAuth access token (i.e. no refresh token). And our pac CLI does not store the actual secrets on the runner/agent, so we have no good way to re-acquire a fresh token from the actual secrets. We're considering a design change to capture the provided secrets within the nodejs process that runs a particular GH Action to improve this situation. Ideally, importing solutions shouldn't take that much time to begin with, but alas, that's a current perf limitation within Dataverse.

davidjenni avatar Jun 09 '21 04:06 davidjenni

@davidjenni Thanks for the detailed explanation. And also for the great work you're doing here, these actions are extremely useful.

Regarding the original issue, it now seems to me that it only happens with default and "developer" (aka community plan) environments but not with sandbox or production environments. The exact same solution might take 5 minutes to import into a sandbox, but may time out after an hour when importing to a default env. Not sure what that means, but that's what I'm seeing.

nkirstein avatar Jun 11 '21 15:06 nkirstein

in recent releases of both pac CLI and the pp-actions tasks, we've added a more robust renewal for MSAL confidential apps by holding on to the client secret for the duration of the action. This is necessary, since in the MSAL design, confidential apps do not have a client-side refresh token that can be used

davidjenni avatar Sep 16 '22 16:09 davidjenni