Deprecated authentication style used in CI scripts against GitHub's APIs #22759
Prerequisites
Put an X between the brackets on this line if you have done all of the following:
- [ ] Reproduced the problem in Safe Mode: https://flight-manual.atom.io/hacking-atom/sections/debugging/#using-safe-mode
- [ ] Followed all applicable steps in the debugging guide: https://flight-manual.atom.io/hacking-atom/sections/debugging/
- [ ] Checked the FAQs on the message board for common solutions: https://discuss.atom.io/c/faq
- [ ] Checked that your issue isn't already filed: https://github.com/issues?utf8=✓&q=is%3Aissue+user%3Aatom
- [ ] Checked that there is not already an Atom package that provides the described functionality: https://atom.io/packages
Note: The checklist is not applicable. This is an Atom CI issue, not an Atom app issue.
Description
In two places in script/vsts/lib/release-notes.js (here and here), Atom's CI scripts authenticate to the GitHub APIs in a deprecated way, with an older version of @octokit/rest.
Behind the scenes, this version of @octokit/rest apparently uses a URL query parameter (like https://some.domain?query_parameter=value) to give the authentication token to the GitHub API servers. This style of authentication to the GitHub APIs is deprecated, and should be replaced with an HTTP header Authorization, with the value of the header being the token.
Steps to Reproduce
- Run Atom's CI on either the "Atom Production Branches" or the "Atom Nightly" pipeline
Expected behavior:
No deprecation warning emails to me from GitHub
Actual behavior:
I got this notice in my email when running Atom's CI at my forked copy of the Atom repo...
Full deprecation notice email:
Hi @DeeDeeG,
On July 25th, 2021 at 04:55 (UTC) your personal access token ([TOKEN NAME REDACTED]) using octokit/rest.js v15.9.5 was used as part of a query parameter to access an endpoint through the GitHub API:
https://api.github.com/repositories/REPO_NUMBER_REDACTED/releases
Please use the Authorization HTTP header instead, as using the access_token query parameter is deprecated. If this token is being used by an app you don't have control over, be aware that it may stop working as a result of this deprecation.
Depending on your API usage, we'll be sending you this email reminder on a monthly basis for each token and User-Agent used in API calls made on your behalf.
Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.
Visit https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param for more information about suggested workarounds and removal dates.
Thanks,
The GitHub Team
Reproduces how often:
The old, deprecated authentication method is used every time release notes are created during Atom's CI.
The deprecation notice email is sent no more often than once a month.
Versions
The same (now old) version of @octokit/rest has been used in this repo's CI as of #17862. (Since around the time Atom 1.35 came out.)
Additional Information
I suggest upgrading to a newer version of @octokit/rest, and/or trying different auth options, such as the token auth option instead of the oauth option, in script/vsts/lib/release-notes.js.
```javascript
// See: https://github.com/octokit/rest.js/tree/v15.9.5#authentication
// (the require line is added here for context; v15 exports a factory function)
const octokit = require('@octokit/rest')()

// token (https://github.com/settings/tokens)
octokit.authenticate({
  type: 'token',
  token: 'secrettoken123'
})
```
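As an added example (not Atom's CI code and not the octokit library's own), the two authentication styles side by side in plain Node, plus a small audit check that flags a request still carrying the token in the query string, which is what the deprecation email is warning about. The endpoint, token and User-Agent values are constructed placeholders.

```javascript
// Added example: deprecated query-parameter auth vs. Authorization-header auth
// for the GitHub API, with a check that detects the deprecated form.

// Deprecated style: the token rides in the URL, so it lands in access logs,
// proxy logs and anything else that records request URLs.
function deprecatedRequest(endpoint, token) {
  const url = new URL(endpoint);
  url.searchParams.set('access_token', token);
  return { url: url.toString(), headers: { 'User-Agent': 'example-ci' } };
}

// Current style: the token travels only in the Authorization header.
// Refuses to build a request whose URL already carries the token.
function headerAuthRequest(endpoint, token) {
  const url = new URL(endpoint);
  if (url.searchParams.has('access_token')) {
    throw new Error('token must not be passed as a query parameter');
  }
  return {
    url: url.toString(),
    headers: {
      'User-Agent': 'example-ci',
      // GitHub accepts "token <personal access token>" in this header.
      Authorization: `token ${token}`,
    },
  };
}

// Audit helper for CI scripts: true when the request URL carries the token
// as the deprecated access_token query parameter.
function leaksTokenInQuery(requestUrl) {
  return new URL(requestUrl).searchParams.has('access_token');
}

// Constructed sample values (not a real token or repository id).
const ENDPOINT = 'https://api.github.com/repositories/123456/releases';
const TOKEN = 'ghp_constructedexampletoken';

console.log('deprecated style leaks token in URL:',
  leaksTokenInQuery(deprecatedRequest(ENDPOINT, TOKEN).url));   // true
console.log('header style leaks token in URL:',
  leaksTokenInQuery(headerAuthRequest(ENDPOINT, TOKEN).url));   // false
```

With @octokit/rest v16 and later the same header-based auth is what `new Octokit({ auth: token })` sends, so the check above is only needed for scripts that still build requests by hand or pin the old v15 API.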