Can't use GitHub CLI with GITHUB_TOKEN to mark PR as ready from GitHub Action

[bewuethr]

This looks a bit similar to #1026, but I don't think it's the same.

gh has been added to the virtual environment for GitHub actions recently; as per the README, it's version 10.1 since the 20200625.0 update of the environment.

I'm using it to create a new branch and then a pull request from a GitHub Actions workflow; to authenticate, I use the GITHUB_TOKEN, support for which has been added in #976.

To create a branch, I'm running this command in my workflow:

GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
    gh api repos/:owner/:repo/git/refs \
    --raw-field ref=refs/heads/sandbox-release-2020-07-03 \
    --raw-field sha="$(git rev-parse --verify HEAD)"

which works fine.

To create the pull request, I run

git fetch origin
git checkout sandbox-release-2020-07-03
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
    gh pr create --base sandbox --label release \
    --title 'Sandbox release 2020-07-03' --body ''

which also works fine.

Now, I have a Slack channel listening to this repo, for PRs with the release label. However, the label seems to be applied to the PR after it has been created, so the Slack notification isn't triggered (see integrations/slack#1039).

To get a notification, I'm creating the PR as a draft first, then switch it to ready; this does trigger the notification. However, I'm running into a problem with the auth scopes required for this. This is what I run:

git fetch origin
git checkout sandbox-release-2020-07-03
export GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
gh pr create --base sandbox --label release --draft \
    --title 'Sandbox release 2020-07-03' --body ''
gh pr ready sandbox-release-2020-07-03

Each gh command generates a warning:

Warning: gh now requires the `read:org` OAuth scope.
Visit https://github.com/settings/tokens and edit your token to enable `read:org`
or generate a new token for the GITHUB_TOKEN environment variable

and the gh pr ready command fails with

API call failed: Resource not accessible by integration

When I use a personal access token instead of GITHUB_TOKEN and give it the read:org OAuth scope, the PR can be marked as ready, but then everything will show up as created by my user instead of the GitHub Actions user, and it also feels like this should work out of the box.

Is this something that can be fixed in gh? Why does marking a PR as ready even require read:org permissions?

[mislav]

and the gh pr ready command fails with

API call failed: Resource not accessible by integration

This is interesting; thanks for letting us know! I'll be looking into this, since I know no reason why this resource wouldn't be available when using GITHUB_TOKEN in Actions.

Why does marking a PR as ready even require read:org permissions?

It doesn't, but creating a PR and asking for reviewers does need read:org, since reviewers can be teams. Because of that, we just issue a blanket notice about needing read:org. I understand that it's noisy and unnecessary in your use-case. We will consider removing the notice for endpoints where it's not necessary, or removing it at all in the context of Actions. 🤔

[bewuethr]

I have teams as code owners defined in that repository, and marking a PR as ready is actually requesting a review from them – might that be the reason?

[mislav]

@bewuethr That's a really good lead for reproducing; thank you!

I would still classify that as an API bug, though. Let me first try to reproduce it and then I will report internally.

[davereid-pfg]

I'm still running into this today trying to use our default ${{ secrets.GITHUB_TOKEN }} within a Github action to run gh pr ready and running into the same issue:

Run gh pr ready https://github.com/myorg/myrepo/pull/7
  gh pr ready https://github.com/myorg/myrepo/pull/7
  shell: /usr/bin/bash -e {0}
  env:
    COMPOSER_NO_INTERACTION: 1
    PULL_REQUEST_NUMBER: 7
    GITHUB_TOKEN: ***
API call failed: Message: Resource not accessible by integration, Locations: [{Line:1 Column:80}]
Error: Process completed with exit code 1.