-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Impossible to set permissions for view annotations, for gh run watch
#8842
Comments
Hey @bendavies, off the top of my head I'm not sure. In the meantime, what permissions do you have on your fine grained PAT, then we can try to reproduce? |
@williammartin i added |
I was able to recreate this also with
I checked this out internally and unfortunately the platform doesn't support adding I've created #8843 in the meantime to document this more clearly in the CLI. Is it a requirement for you to use fine grained PATs for these commands? We could consider the addition of a flag to skip annotations if that is the only bit that is currently failing, though I'd prefer not to add permanent flags for temporary situations if possible. |
Thanks for the investigation.
well, they are nice in that they allow scoping to an org, so i prefer to use them. You could also gracefully skip over annotations if they 403, while still showing the run, informing the user that there were no permissions for annotations. |
That's an interesting idea and I'm leaning in favour of it. My only concern is whether we want to try and be smart about the type of token in use. For example, if it were a legacy PAT would we error, would we be more informative, or would we just have a generalised error message to help differentiate the steps (or lack of) that a user could take to fix it. |
Affected by this as well. Hoping for a solution 🙏 |
Labelling this |
the platform already does error handling with informative error messaging so I'm not sure we should introduce some custom error handling in the cli. as is:
|
Thanks @wingleung, your write up makes sense to me! I don't know how easy it is to change the platform error message in this case as I believe there is a lot of 🌈 magic 🌈 in the authorization code. That said, it seems like if we choose to suppress the error on I agree with your statement about exit codes. Would you be interested in opening a PR for this? |
indeed, it would be more for debugging faster why I couldn't fetch the annotations with my token. and I would also understand if platform people don't want this level of detail in their error messaging. I can take a look later this week 🙏 |
Looking at this a bit closer, presumably this is also an issue for Lines 340 to 347 in 3620e79
|
@williammartin thanks for the heads up! PR updated with changes to the view command as well |
@bendavies this should go out in the next release but if you'd like to try it now and provide feedback then you can build from source. |
Describe the bug
When using a Fine Grained Token, it seems impossible to use
gh run watch
, as this requires permissions to view annotations.It doesn't seem possible to grant
checks:read
with Fine Grained Tokens, unless i'm missing something.Steps to reproduce the behavior
gh run watch $id
The text was updated successfully, but these errors were encountered: