[Feature/Idea]: Fine-grained tokens seem to support the GraphQL API now #172

Closed
ClementTsang opened this issue Jun 18, 2023 · 5 comments
Labels
feat New feature request

Comments

@ClementTsang

ClementTsang commented Jun 18, 2023

What would you like to see changed/added?

Hi! I was recently going through setting this up on one of my own applications as it looks great. However, as I was setting it up, I noted that the README currently mentions:

New fine-grained PATs can't access GitHub's GraphQL API, so they aren't supported by this action. Refer to cli/cli#6680 for more information.

However, going to the linked issue, as of a few weeks ago, it seems like fine-grained PATs can now call the GraphQL API.

If winget-releaser doesn't currently work with these, then it would be nice if they did (would be happy to try and help if that would be desired), along with instructions on how to use them. And whether it does or does not already support fine-grained PATs, I think it would be good to update the README to be more accurate.

@ClementTsang ClementTsang added the feat New feature request label Jun 18, 2023
@vedantmgoyal9
Owner

vedantmgoyal9 commented Jun 18, 2023

@ClementTsang You can use a fine-grained token and if it works, I will update the docs (you're also welcome to contribute to it, would be more than happy 😃) accordingly. Please start with the lowest set of permissions and go higher step-by-step. People are extremely concerned about security, so just the required permissions should be mentioned in README.

@ClementTsang
Author

Tried it with a fine-grained token - unfortunately, it seems like there's a small issue with creating the PR itself (the branch is created fine though), and I get this error:

Found forked winget-pkgs repository: ClementTsang/winget-pkgs
  Failed to create pull request after 3 attempts.
  Reason: {"message":"Resource not accessible by personal access token","documentation_url":"https://docs.github.com/rest/reference/pulls#create-a-pull-request"}.
  node:internal/errors:841
    const err = new Error(message);

This is weird as I have the following settings for the fine-grained PAT specified for my personal winget fork:

image

Curious as to why it's failing there.

@vedantmgoyal9
Owner

vedantmgoyal9 commented Sep 6, 2023

The changelog (https://github.blog/changelog/2023-04-27-graphql-improvements-for-fine-grained-pats-and-github-apps) states that the resource owner of the token and the resource owner of the resource being accessed should match exactly.

In the case of the action, we are opening a PR on a repo (winget-pkgs) owned by an organization (microsoft), which is not set as the resource owner of the token. This is why opening a PR using a fine-grained personal access token results in a failed API response, because the resource owner of the token is the maintainer ("us"), and the token is trying to access a resource that falls under a different resource owner.

To create a PR using a fine-grained personal access token successfully, we need to create a token with the resource owner as "microsoft", and for that, we first need to be a member of the microsoft organization.

Thus, we will have to continue using the classic personal access token for the action.
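
Added example, not part of the original thread or of winget-releaser's code: a JavaScript pre-flight check that applies the resource-owner rule described in the comment above before a pull request is attempted, and maps the API error from the earlier log to a diagnosis. The helper names and the `tokenOwner` input are assumptions; `github_pat_` and `ghp_` are GitHub's documented token prefixes.

```javascript
// Added example; classifyToken, preflight and explainFailure are hypothetical helpers.
const PREFIXES = [
  ['github_pat_', 'fine-grained'], // fine-grained personal access token
  ['ghp_', 'classic'],             // classic personal access token
];

function classifyToken(token) {
  const hit = PREFIXES.find(([prefix]) => token.startsWith(prefix));
  if (hit) return hit[1];
  // Classic tokens issued before GitHub introduced prefixes are 40 hex characters.
  return /^[0-9a-f]{40}$/.test(token) ? 'classic' : 'unknown';
}

// tokenOwner cannot be read from the token string; the caller supplies the
// resource owner that was selected when the token was created (assumption).
function preflight({ token, tokenOwner, targetRepo }) {
  const kind = classifyToken(token);
  const targetOwner = targetRepo.split('/')[0];
  if (kind === 'unknown') return { ok: false, kind, reason: 'unrecognised token format' };
  // Rule from the thread: a fine-grained token only reaches resources that
  // belong to its own resource owner.
  if (kind === 'fine-grained' && tokenOwner.toLowerCase() !== targetOwner.toLowerCase()) {
    return { ok: false, kind,
      reason: `token resource owner "${tokenOwner}" does not match "${targetOwner}"` };
  }
  return { ok: true, kind, reason: 'no resource-owner mismatch' };
}

// Map an API error body, such as the one in the log above, to a diagnosis.
function explainFailure(body) {
  let message;
  try { message = JSON.parse(body).message; } catch { return 'unparseable response'; }
  return message === 'Resource not accessible by personal access token'
    ? 'token lacks access: check resource owner and permissions'
    : 'other failure';
}

// Constructed sample values, not real credentials. The token itself is never logged.
const fakeFineGrained = 'github_pat_' + 'X'.repeat(22);
const fakeClassic = 'ghp_' + 'X'.repeat(36);
const target = 'microsoft/winget-pkgs';
console.log(preflight({ token: fakeFineGrained, tokenOwner: 'ClementTsang', targetRepo: target }));
console.log(preflight({ token: fakeClassic, tokenOwner: 'ClementTsang', targetRepo: target }));
```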

@sitiom
Contributor

sitiom commented Sep 7, 2023

This should be closed as "not planned" instead of completed.

@vedantmgoyal9 vedantmgoyal9 closed this as not planned Sep 7, 2023
@TBBle

TBBle commented Sep 30, 2024

GitHub has a future roadmap item to support this use-case, but only that. (Created in 2022, and mentioned in https://github.com/orgs/community/discussions/36441#discussioncomment-4879243 in March 2023, so I don't see any expectation of delivery soon...)
