95

I have been using github actions for quite sometime but today my deployments started failing. Below is the error from github action logs

Command: git
Arguments: ls-remote --tags --heads git://github.com/adobe-webplatform/eve.git
Directory: /home/runner/work/stackstream-fe/stackstream-fe
Output:
fatal: remote error: 
  The unauthenticated git protocol on port 9418 is no longer supported.

Upon investigation, it appears that below section in my yml file is causing the issue.

    - name: Installing modules
      run: yarn install

I have looked into this change log but can't seem to comprehend the issue.

Additional Details: Server: EC2 Instance Github actions steps:

  steps:
  - name: Checkout
    uses: actions/checkout@v2

  - id: vars
    run: |
      if [ '${{ github.ref }}' == 'refs/heads/master' ]; then echo "::set-output name=environment::prod_stackstream" ; echo "::set-output name=api-url::api" ; elif [ '${{ github.ref }}' == 'refs/heads/staging' ]; then echo "::set-output name=environment::staging_stackstream"  ; echo "::set-output name=api-url::stagingapi" ; else echo "::set-output name=environment::dev_stackstream" ; echo "::set-output name=api-url::devapi" ; fi

  - uses: pCYSl5EDgo/cat@master
    id: slack
    with:
      path: .github/workflows/slack.txt

  - name: Slack Start Notification
    uses: 8398a7/action-slack@v3
    env:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
      ENVIRONMENT: '`${{ steps.vars.outputs.environment }}`'
      COLOR: good
      STATUS: '`Started`'
    with:
      status: custom
      fields: workflow,job,commit,repo,ref,author,took
      custom_payload: |
        ${{ steps.slack.outputs.text }}

  - name: Installing modules
    env:
      REACT_APP_API_URL: 'https://${{ steps.vars.outputs.api-url }}mergestack.com/api/v1'
    run: yarn install

  - name: Create Frontend Build
    env:
      REACT_APP_API_URL: 'https://${{ steps.vars.outputs.api-url }}mergestack.com/api/v1'
    run: yarn build

  - name: Deploy to Frontend Server DEV
    if: ${{ contains(github.ref, 'dev') }}
    uses: easingthemes/[email protected]
    env:
      SSH_PRIVATE_KEY: ${{ secrets.DEV_KEY }}
      ARGS: '-rltgoDzvO --delete'
      SOURCE: 'deploy/'
      REMOTE_HOST: ${{ secrets.DEV_HOST }}
      REMOTE_USER: plyfolio-dev
      TARGET: '/home/plyfolio-dev/${{ steps.vars.outputs.environment }}/fe/deploy'

package.json file

   {
  "name": "stackstream-fe",
  "version": "1.0.0",
  "authors": [
    "[email protected]"
  ],
  "private": true,
  "dependencies": {
    "@fortawesome/fontawesome-svg-core": "^1.2.34",
    "@fortawesome/free-solid-svg-icons": "^5.15.2",
    "@fortawesome/react-fontawesome": "^0.1.14",
    "@fullcalendar/bootstrap": "^5.5.0",
    "@fullcalendar/core": "^5.5.0",
    "@fullcalendar/daygrid": "^5.5.0",
    "@fullcalendar/interaction": "^5.5.0",
    "@fullcalendar/react": "^5.5.0",
    "@lourenci/react-kanban": "^2.1.0",
    "@redux-saga/simple-saga-monitor": "^1.1.2",
    "@testing-library/jest-dom": "^5.11.9",
    "@testing-library/react": "^11.2.3",
    "@testing-library/user-event": "^12.6.0",
    "@toast-ui/react-chart": "^1.0.2",
    "@types/jest": "^26.0.14",
    "@types/node": "^14.10.3",
    "@types/react": "^16.9.49",
    "@types/react-dom": "^16.9.8",
    "@vtaits/react-color-picker": "^0.1.1",
    "apexcharts": "^3.23.1",
    "availity-reactstrap-validation": "^2.7.0",
    "axios": "^0.21.1",
    "axios-mock-adapter": "^1.19.0",
    "axios-progress-bar": "^1.2.0",
    "bootstrap": "^5.0.0-beta2",
    "chart.js": "^2.9.4",
    "chartist": "^0.11.4",
    "classnames": "^2.2.6",
    "components": "^0.1.0",
    "dotenv": "^8.2.0",
    "draft-js": "^0.11.7",
    "echarts": "^4.9.0",
    "echarts-for-react": "^2.0.16",
    "firebase": "^8.2.3",
    "google-maps-react": "^2.0.6",
    "history": "^4.10.1",
    "i": "^0.3.6",
    "i18next": "^19.8.4",
    "i18next-browser-languagedetector": "^6.0.1",
    "jsonwebtoken": "^8.5.1",
    "leaflet": "^1.7.1",
    "lodash": "^4.17.21",
    "lodash.clonedeep": "^4.5.0",
    "lodash.get": "^4.4.2",
    "metismenujs": "^1.2.1",
    "mkdirp": "^1.0.4",
    "moment": "2.29.1",
    "moment-timezone": "^0.5.32",
    "nouislider-react": "^3.3.9",
    "npm": "^7.6.3",
    "prop-types": "^15.7.2",
    "query-string": "^6.14.0",
    "react": "^16.13.1",
    "react-apexcharts": "^1.3.7",
    "react-auth-code-input": "^1.0.0",
    "react-avatar": "^3.10.0",
    "react-bootstrap": "^1.5.0",
    "react-bootstrap-editable": "^0.8.2",
    "react-bootstrap-sweetalert": "^5.2.0",
    "react-bootstrap-table-next": "^4.0.3",
    "react-bootstrap-table2-editor": "^1.4.0",
    "react-bootstrap-table2-paginator": "^2.1.2",
    "react-bootstrap-table2-toolkit": "^2.1.3",
    "react-chartist": "^0.14.3",
    "react-chartjs-2": "^2.11.1",
    "react-color": "^2.19.3",
    "react-confirm-alert": "^2.7.0",
    "react-content-loader": "^6.0.1",
    "react-countdown": "^2.3.1",
    "react-countup": "^4.3.3",
    "react-cropper": "^2.1.4",
    "react-data-table-component": "^6.11.8",
    "react-date-picker": "^8.0.6",
    "react-datepicker": "^3.4.1",
    "react-dom": "^16.13.1",
    "react-draft-wysiwyg": "^1.14.5",
    "react-drag-listview": "^0.1.8",
    "react-drawer": "^1.3.4",
    "react-dropzone": "^11.2.4",
    "react-dual-listbox": "^2.0.0",
    "react-facebook-login": "^4.1.1",
    "react-flatpickr": "^3.10.6",
    "react-google-login": "^5.2.2",
    "react-hook-form": "^7.15.2",
    "react-i18next": "^11.8.5",
    "react-icons": "^4.2.0",
    "react-image-lightbox": "^5.1.1",
    "react-input-mask": "^2.0.4",
    "react-jvectormap": "^0.0.16",
    "react-leaflet": "^3.0.5",
    "react-meta-tags": "^1.0.1",
    "react-modal-video": "^1.2.6",
    "react-notifications": "^1.7.2",
    "react-number-format": "^4.7.3",
    "react-perfect-scrollbar": "^1.5.8",
    "react-rangeslider": "^2.2.0",
    "react-rating": "^2.0.5",
    "react-rating-tooltip": "^1.1.6",
    "react-redux": "^7.2.1",
    "react-responsive-carousel": "^3.2.11",
    "react-router-dom": "^5.2.0",
    "react-script": "^2.0.5",
    "react-scripts": "3.4.3",
    "react-select": "^4.3.1",
    "react-sparklines": "^1.7.0",
    "react-star-ratings": "^2.3.0",
    "react-super-responsive-table": "^5.2.0",
    "react-switch": "^6.0.0",
    "react-table": "^7.6.3",
    "react-toastify": "^7.0.3",
    "react-toastr": "^3.0.0",
    "react-twitter-auth": "0.0.13",
    "reactstrap": "^8.8.1",
    "recharts": "^2.0.8",
    "redux": "^4.0.5",
    "redux-saga": "^1.1.3",
    "reselect": "^4.0.0",
    "sass": "^1.37.5",
    "simplebar-react": "^2.3.0",
    "styled": "^1.0.0",
    "styled-components": "^5.2.1",
    "toastr": "^2.1.4",
    "typescript": "^4.0.2",
    "universal-cookie": "^4.0.4"
  },
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^2.27.0",
    "@typescript-eslint/parser": "^2.27.0",
    "@typescript-eslint/typescript-estree": "^4.15.2",
    "eslint-config-prettier": "^6.10.1",
    "eslint-plugin-prettier": "^3.1.2",
    "husky": "^4.2.5",
    "lint-staged": "^10.1.3",
    "prettier": "^1.19.1",
    "react-test-renderer": "^16.13.1",
    "redux-devtools-extension": "^2.13.8",
    "redux-mock-store": "^1.5.4"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build && mv build ./deploy/build",
    "build-local": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "husky": {
    "hooks": {
      "pre-commit": "lint-staged"
    }
  },
  "lint-staged": {
    "*.{js,ts,tsx}": [
      "eslint --fix"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

package-lock.json

7
  • 5
    Am I wrong or is this going to be a huge issue for many yocto project layers..
    – Logan
    Commented Jan 11, 2022 at 16:42
  • 1
    @Mixxiphoid They (GitHup) might have missed al the indirect dependencies pulled by projects, and those indirect dependencies could still include some git:// URLs.
    – VonC
    Commented Jan 12, 2022 at 8:57
  • 1
    So, I think there are going to be many people with this sort of dependencies in their project.
    – monofal
    Commented Jan 12, 2022 at 9:14
  • 3
    @Logan: There was a 4-month warning. The entire Internet has been moving away from un-authenticated, un-encrypted protocols for a decade, it's not like this is a huge surprise. Personally, I consider it less an "issue" and more "detecting unmaintained dependencies". Plus, this is still only the brownout period, so the protocol will only be disabled for a short period of time, allowing developers to discover the problem. The permanent shutdown is not until March. Commented Jan 12, 2022 at 11:39
  • 7
    4-months to whom and where I wonder, first I've heard of it is this post!
    – deep64blue
    Commented Jan 12, 2022 at 19:15

10 Answers 10

112

First, this error message is indeed expected on Jan. 11th, 2022.
See "Improving Git protocol security on GitHub".

January 11, 2022 Final brownout.

This is the full brownout period where we’ll temporarily stop accepting the deprecated key and signature types, ciphers, and MACs, and the unencrypted Git protocol.
This will help clients discover any lingering use of older keys or old URLs.

Second, check your package.json dependencies for any git:// URL, as in this example, fixed in this PR.

As noted by Jörg W Mittag:

There was a 4-month warning.
The entire Internet has been moving away from unauthenticated, unencrypted protocols for a decade, it's not like this is a huge surprise.

Personally, I consider it less an "issue" and more "detecting unmaintained dependencies".

Plus, this is still only the brownout period, so the protocol will only be disabled for a short period of time, allowing developers to discover the problem.

The permanent shutdown is not until March 15th.


For GitHub Actions:

As in actions/checkout issue 14, you can add as a first step:

    - name: Fix up git URLs
      run: echo -e '[url "https://github.com/"]\n  insteadOf = "git://github.com/"' >> ~/.gitconfig

That will change any git://github.com/ into https://github.com/.

For local projects

For all your repositories, you can set:

git config --global url."https://github.com/".insteadOf git://github.com/

You can also use SSH, but GitHub Security reminds us that, as of March 15th, 2022, GitHub stopped accepting DSA keys. RSA keys uploaded after Nov 2, 2021 will work only with SHA-2 signatures.
The deprecated MACs, ciphers, and unencrypted Git protocol are permanently disabled.

So this (with the right key) would work:

git config --global url."[email protected]:".insteadOf git://github.com/

That will change any git://github.com/ (unencrypted Git protocol) into [email protected]: (SSH URL).

5
  • Thanks @VonC. I did check the package.json and package-lock.json but there is no dependency using git:// .
    – monofal
    Commented Jan 11, 2022 at 8:33
  • @monofal Maybe an indirect dependencies then. If possible, you should set up an insteadOf Git setting: stackoverflow.com/a/11383587/6309
    – VonC
    Commented Jan 11, 2022 at 8:42
  • @monofal Example: github.com/actions/checkout/issues/14#issuecomment-523916396
    – VonC
    Commented Jan 11, 2022 at 8:43
  • Shall I use this for git submodules
    – sejn
    Commented May 12, 2022 at 14:21
  • @sejn Yes, that would work for submodule URL too.
    – VonC
    Commented May 12, 2022 at 14:47
77

Try using the following command before install:

git config --global url."https://".insteadOf git://

P.S. or better ( thanks @bgraves )

git config --global url."https://github.com/".insteadOf git://github.com/
2
  • 2
    Works! Avoids having to wait for repos to update. Commented Jan 11, 2022 at 17:55
  • 28
    better use the reduced version git config --global url."https://github.com/".insteadOf git://github.com/
    – bgraves
    Commented Jan 11, 2022 at 18:47
19

Try using https://github.com instead of git://github.com

3
  • 1
    This is the simplest and most effective method. Commented Jan 11, 2022 at 19:17
  • 2
    @BuffMcBigHuge one that I already mentioned in my answer, used in the context of a GitHub Action yaml, since the question is about GitHub Action.
    – VonC
    Commented Jan 11, 2022 at 21:03
  • 3
    This is exactly what GitHub recommends in their blog post. You could improve your answer by citing this semi-official resource as justification for the correctness and suitability of your proposed solution. Commented Jan 12, 2022 at 5:28
8

@toast-ui/react-chart dependency is causing issue for you here.

If you look closely inside your package-lock.json you can backtrack eve to @toast-ui/react-chart

eve --> raphael --> tui-chart --> @toast-ui/react-chart

You can follow this same technique to find any more issues inside your project.

1
  • 2
    Thanks @ahmad faraz. Yes, indeed this was the issue. There was some dependency in my package.json file which was in turn using some dependency which was basically causing the issue with github latest upgrade. I didn't needed that specific dependency so I just removed it and it worked like a charm.
    – monofal
    Commented Jan 11, 2022 at 9:39
8

I hope this answer would provide more context omitted in the other answers.

Git can use four protocols to transfer data:

  • Local (not relevant here)
  • (Smart) HTTP - runs over standard HTTPS ports, and can use various HTTP authentication mechanisms (e.g. username/password) if authentication is required. This protocol allows you to provide both read and write access using the same URL; if authentication is required, the server will prompt the client.
  • Secure Shell (SSH) - authenticated workflow where both reads and writes are authenticated. It does not support unauthenticated (i.e. anonymous) access. Users need to generate an SSH key pair (containing a private and public key) locally and upload their public key to the server.
  • Git protocol - unencrypted and unauthenticated. There is a Git Daemon that runs on the Git server that listens on port 9418 and services requests.

Each of the protocols uses different URLs:

  • Local:
    • Absolute path (e.g. /srv/git/project.git)
    • Absolute path prefixed with file:// protocol (e.g. file:///srv/git/project.git)
  • HTTP: https://example.com/gitproject.git
  • SSH
    • ssh://[user@]server/project.git
    • Shorter SCP-like syntax - [user@]server:project.git
  • Git protocol - Starts with git://

GitHub has dropped support for all unencrypted protocols, which only includes the Git protocol (those that uses the git:// prefix). Thus, the The unauthenticated git protocol on port 9418 is no longer supported. error confirms this.

The way to mitigate this is by searching for the string git:// within your package.json and lockfiles (e.g. yarn.lock or package-lock.json) to identify the offending package(s), and upgrade them to a version that does not use dependencies that resolves to a URL with the git:// prefix. If the offending package is not in your package.json, you may find it helpful to run a command like yarn why to understand why the package is installed.

If that's not possible, and the repository is public, a temporary solution would be to manually replace git:// with https://. But this solution is not permanent and may get overwritten the next time the lockfile is written to.

7

Change git://github.com/<blah> to [email protected]:<blah> (note the /: at the end) in your repository's .git/config file.

In my repository's .git/config file I had this line

[remote "upstream"]
    url = git://github.com/curlconverter/curlconverter.git
    fetch = +refs/heads/*:refs/remotes/upstream/*

which I changed to

[remote "upstream"]
    url = [email protected]:curlconverter/curlconverter.git
    fetch = +refs/heads/*:refs/remotes/upstream/*

and stopped getting this error.

2

When all of the other solutions don't help, try editing your global config and removing all instead of declarations.

git config --global --edit

1
  • only answer that worked for me. My config was littered with all the insteadOf commands from everybody
    – 55 Cancri
    Commented Apr 5, 2022 at 17:52
2

Add the code into ~/.gitconfig:

[url "https://"]

    insteadOf = ssh://

[url "https://"]

    insteadOf = git://
1

If you are getting this issue while running something like pip install git+git://github.com/SomeCompany/somerepo.git@sometag, then only the second part of git+git needs to change, i.e. it becomes pip install git+https://github.com/SomeCompany/somerepo.git@sometag

1

Hello try the below options - this one worked for me

git config --global url."https://github".insteadOf git://github

Now git hubwont support unauthenticated git protocol https://github.blog/2021-09-01-improving-git-protocol-security-github/

I was getting the bellow error

Unhandled rejection Error: Command failed: /usr/bin/git submodule update -q --init --recursive
warning: templates not found /tmp/pacote-git-template-tmp/git-clone-a001527f
fatal: remote error:
  The unauthenticated git protocol on port 9418 is no longer supported.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
fatal: clone of 'git://github.com/jquery/sizzle.git' into submodule path '/root/.npm/_cacache/tmp/git-clone-19674e32/src/sizzle' failed
Failed to clone 'src/sizzle'. Retry scheduled
warning: templates not found /tmp/pacote-git-template-tmp/git-clone-a001527f
1

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.