[Feature/Idea]: Fine-grained tokens seem to support the GraphQL API now #172
Comments
@ClementTsang You can use a fine-grained token and if it works, I will update the docs (you're also welcome to contribute to it, would be more than happy 😃) accordingly. Please start with the lowest set of permissions and go higher step-by-step. People are extremely concerned about security, so just the required permissions should be mentioned in the README.
Tried it with a fine-grained token - unfortunately, it seems like there's a small issue with creating the PR itself (the branch is created fine though), and I get this error:
This is weird as I have the following settings for the fine-grained PAT specified for my personal winget fork: Curious as to why it's failing there.
The changelog (https://github.blog/changelog/2023-04-27-graphql-improvements-for-fine-grained-pats-and-github-apps) states that the resource owner of the token and the resource owner of the resource being accessed should match exactly. In the case of the action, we are opening a PR on a repo (winget-pkgs) owned by an organization (microsoft), which is not set as the resource owner of the token. This is why opening a PR using a fine-grained personal access token results in a failed API response: the resource owner of the token is the maintainer ("us"), and it is trying to access a resource that falls under a different resource owner. To create a PR using a fine-grained personal access token successfully, we need to create a token with the resource owner as "microsoft", and for that, we first need to be a member of the microsoft organization. Thus, we will have to continue using the classic personal access token for the action.
This should be closed as "not planned" instead of completed.
GitHub has a future roadmap item to support this use-case, but only that. (Created in 2022, and mentioned in https://github.com/orgs/community/discussions/36441#discussioncomment-4879243 in March 2023, so I don't see any expectation of delivery soon...)
What would you like to see changed/added?
Hi! I was recently going through setting this up on one of my own applications as it looks great. However, as I was setting it up, I noted that the README currently mentions:
However, going to the linked issue, as of a few weeks ago, it seems like fine-grained PATs can now call the GraphQL API.
If winget-releaser doesn't currently work with these, then it would be nice if they did (would be happy to try and help if that would be desired), along with instructions on how to use them. And whether it does or does not already support fine-grained PATs, I think it would be good to update the README to be more accurate.