From 09c9fd6b9d096bc496ce5077dc487150811e36c4 Mon Sep 17 00:00:00 2001
From: "claude[bot]" <209825114+claude[bot]@users.noreply.github.com>
Date: Mon, 17 Nov 2025 12:02:56 +0000
Subject: [PATCH 1/2] improve: Add hint about making GitHub org membership public in error messages When users try to publish to a GitHub organization but don't have permission, the error message now includes a helpful hint suggesting they may need to make their organization membership public in GitHub settings. This addresses the issue where users couldn't understand why they were unable to publish servers from organization repositories, even when they were members of the organization. Fixes #398 Co-authored-by: adam jones
---
 internal/api/handlers/v0/publish.go | 43 +++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/internal/api/handlers/v0/publish.go b/internal/api/handlers/v0/publish.go
index 2bdb1987..cb341e94 100644
--- a/internal/api/handlers/v0/publish.go
+++ b/internal/api/handlers/v0/publish.go
@@ -84,5 +84,48 @@ func buildPermissionErrorMessage(attemptedResource string, permissions []auth.Pe
 }
 errorMsg += ". Attempting to publish: " + attemptedResource
 
+ // Add helpful hint for GitHub organization publishing issues
+ if strings.HasPrefix(attemptedResource, "io.github.") && !hasPermissionForResource(attemptedResource, permissions) {
+ // Extract the org name from the resource pattern
+ parts := strings.Split(attemptedResource, "/")
+ if len(parts) >= 2 {
+ namespace := parts[0] // e.g., "io.github.orgname"
+ if orgName := extractGitHubOrgName(namespace); orgName != "" {
+ // Check if user has permission for their personal namespace but not this org
+ hasPersonalPermission := false
+ for _, perm := range permissions {
+ if strings.Contains(perm.ResourcePattern, "io.github.") && perm.Action == auth.PermissionActionPublish {
+ hasPersonalPermission = true
+ break
+ }
+ }
+
+ if hasPersonalPermission {
+ errorMsg += ". If you're trying to publish to a GitHub organization, you may need to make your membership of the '" + orgName + "' organization public in your GitHub settings"
+ }
+ }
+ }
+ }
+
 return errorMsg
 }
+
+// extractGitHubOrgName extracts the organization name from a GitHub namespace
+// e.g., "io.github.orgname" -> "orgname"
+func extractGitHubOrgName(namespace string) string {
+ const prefix = "io.github."
+ if strings.HasPrefix(namespace, prefix) {
+ return namespace[len(prefix):]
+ }
+ return ""
+}
+
+// hasPermissionForResource checks if any permission matches the given resource
+func hasPermissionForResource(resource string, permissions []auth.Permission) bool {
+ for _, perm := range permissions {
+ if perm.Action == auth.PermissionActionPublish && strings.HasPrefix(resource, strings.TrimSuffix(perm.ResourcePattern, "*")) {
+ return true
+ }
+ }
+ return false
+}
From 10843d39295a4b6bb03112c42f6340e574fdb1ba Mon Sep 17 00:00:00 2001
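Review bot: `hasPermissionForResource` re-implements pattern matching with `strings.HasPrefix(resource, strings.TrimSuffix(perm.ResourcePattern, "*"))`, so a pattern with no trailing `*` is treated as a prefix rather than an exact name, and the result may disagree with the authorization check that produced the denial (that check is outside this hunk). It only gates a hint here, but the name reads like an authorization predicate and invites reuse as one; if the auth package exposes a matcher I would call that, otherwise add `// For error-message hints only; not an authorization check.` above the function. In the same block, the loop commented as a personal-namespace check uses `strings.Contains(perm.ResourcePattern, "io.github.")`, which is true for any GitHub pattern, org or personal, so the comment overstates what is tested. buildPermissionErrorMessage begins outside the hunk.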
From: Adam Jones
Date: Mon, 17 Nov 2025 13:18:46 +0000
Subject: [PATCH 2/2] Simplify GitHub org membership hint in permission errors Simplifies the permission error message logic to just check if the resource starts with "io.github." and show a helpful hint with a link to GitHub docs about making organization membership public. This removes ~40 lines of complex logic that was trying to extract org names and check personal permissions, replacing it with a simple 3-line check.
---
 internal/api/handlers/v0/publish.go | 42 ++---------------------------
 1 file changed, 2 insertions(+), 40 deletions(-)
diff --git a/internal/api/handlers/v0/publish.go b/internal/api/handlers/v0/publish.go
index cb341e94..7631ae33 100644
--- a/internal/api/handlers/v0/publish.go
+++ b/internal/api/handlers/v0/publish.go
@@ -85,47 +85,9 @@ func buildPermissionErrorMessage(attemptedResource string, permissions []auth.Pe
 errorMsg += ". Attempting to publish: " + attemptedResource
 
 // Add helpful hint for GitHub organization publishing issues
- if strings.HasPrefix(attemptedResource, "io.github.") && !hasPermissionForResource(attemptedResource, permissions) {
- // Extract the org name from the resource pattern
- parts := strings.Split(attemptedResource, "/")
- if len(parts) >= 2 {
- namespace := parts[0] // e.g., "io.github.orgname"
- if orgName := extractGitHubOrgName(namespace); orgName != "" {
- // Check if user has permission for their personal namespace but not this org
- hasPersonalPermission := false
- for _, perm := range permissions {
- if strings.Contains(perm.ResourcePattern, "io.github.") && perm.Action == auth.PermissionActionPublish {
- hasPersonalPermission = true
- break
- }
- }
-
- if hasPersonalPermission {
- errorMsg += ". If you're trying to publish to a GitHub organization, you may need to make your membership of the '" + orgName + "' organization public in your GitHub settings"
- }
- }
- }
+ if strings.HasPrefix(attemptedResource, "io.github.") {
+ errorMsg += ". If you're trying to publish to a GitHub organization, you may need to make your organization membership public in your GitHub settings: https://docs.github.com/en/account-and-profile/how-tos/organization-membership/publicizing-or-hiding-organization-membership"
 }
 
 return errorMsg
 }
-
-// extractGitHubOrgName extracts the organization name from a GitHub namespace
-// e.g., "io.github.orgname" -> "orgname"
-func extractGitHubOrgName(namespace string) string {
- const prefix = "io.github."
- if strings.HasPrefix(namespace, prefix) {
- return namespace[len(prefix):]
- }
- return ""
-}
-
-// hasPermissionForResource checks if any permission matches the given resource
-func hasPermissionForResource(resource string, permissions []auth.Permission) bool {
- for _, perm := range permissions {
- if perm.Action == auth.PermissionActionPublish && strings.HasPrefix(resource, strings.TrimSuffix(perm.ResourcePattern, "*")) {
- return true
- }
- }
- return false
-}
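Review bot: The hint is now appended to every denied name starting with `io.github.`, whatever permissions the caller holds, because `permissions` is no longer consulted in this branch; a denial on a personal namespace gets the organization hint too. The conditional wording makes that tolerable, and a fixed message has the advantage of revealing nothing about the organization or the caller's memberships, so I would record that intent in the comment, e.g. `// Static hint for any io.github.* denial; must not vary with org state or caller membership.`. The diffstat shows no test change, so a case asserting the hint is present for an `io.github.` name and absent for a name without that prefix would pin the behaviour. buildPermissionErrorMessage begins outside the hunk.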