ERROR: The API returned with error 400: CSRF token not in form, and ERROR: The given run number does not appear to exist: 1

I have been repeatedly getting these two errors when doing fuzzing, it seems that others in the Discord are getting the same. I would like to put some attention on this and hopefully get this resolved for everyone.

At first when I got these errors, I would mess around with settings, like adding a MAYHEM_TOKEN, and changing package permissions, and it would go away. However, with mattjurenka/block-ciphers and mattjurenka/predicates-rs, this tactic does not seem to work. Both of these repos are configured with a MAYHEM_TOKEN, although I have been using the same token for these two projects and others that do work. What is strange is that on the mayhem web dashboard, I see that these runs do actually go through, however somehow the action sees it as a failure. I have observed sometimes that if I get one error, and I rerun the action, I will then see the other.

Here are the failing log files: predicates-rs failing fuzz target
Run not found GH action log file

When I click on the run URL it presents in the run not found case, it takes me to the mayhem dashboard where everything looks fine.

I went ahead and submitted both of these repos because I am confident the integration is correct beyond these errors.

1 Like

Hi @mattjurenka, thanks for reporting this issue! We were able to confirm it on our end and it appears to manifest on action workflows with high parallelism. I have filed a ticket on this and we should be able to come up with a solution early next week. We’ll keep you posted.

Thanks again for reporting and helping us build a better product!

1 Like

Hi again! We spent a bit more time looking into the reproducer and it appears that this only repros when the user does not specify a MAYHEM_TOKEN secret in their repository secrets (we are still working on a fix for that but this is not live yet). Are you pretty confident that your forked repositories do have a valid (no typos) MAYHEM_TOKEN?

On further inspection, one of the repos had a misspelled MAYHEM_TOKEN, and while I’m not sure what was wrong with the other one I added a new MAYHEM_TOKEN and it seems to work now. I feel that it would be very helpful for debugging to have some sort of info in the log about whether or not your MAYHEM_TOKEN was accepted and if so, the username it authenticates you as

Great! Thank you for checking again. I also filed a ticket on our end to print details about the authentication mechanism/success within the action.