If GITHUB_TOKEN isn't set, tell httpx to try .netrc for auth. #11

Merged
merged 1 commit into from
Jul 5, 2023


rweir
Contributor

@rweir rweir commented Jul 3, 2023

Hi! As far as I could tell, the current behaviour doesn't match the documentation - I could not get watch_gha to use my ~/.netrc file (using this format). This tiny yet ugly patch seems to fix it, making httpx use the GITHUB_TOKEN env var if set, and if not, trying netrc auth.

Unfortunately it will spew an error at the user if they have a ~/.netrc file with loose permissions, which they may not know or care about, but adding a configurable opt-in to having it try netrc seemed a bit much for a drive by, but let me know if I can do that instead.

@rweir rweir marked this pull request as ready for review July 3, 2023 15:43
Owner

nedbat commented Jul 3, 2023

You showed this format (from the gist link):

machine github.com
    login <put-your-application-token-here>
    password x-oauth-basic

This is the format that works for me:

machine api.github.com
  login nedbat
  password ghp_FWDOJblahblah_github_token

(actually, the login name seems irrelevant, the token has everything.)

Can you try that? I'm not sure about the different ways auth tokens get shimmed into name/password formats.

Contributor Author

rweir commented Jul 3, 2023

Hi!

Interesting, I hadn't thought to try different formats (or trace it to see if the file was in fact being read already) - sorry!

machine api.github.com
    login rweir
    password ghp_XXXXXXXXXXXX

does not work for me with my change removed:

Client error '404 Not Found' for url 'https://api.github.com/repos/rweir/someprivaterepo/actions/runs?per_page=40&branch=main'
For more information check: https://httpstatuses.com/404
message: Not Found
documentation_url: https://docs.github.com/rest/reference/actions#list-workflow-runs-for-a-repository

curl -n -i -v https://api.github.com/user works with either format.

Dumb question, but you definitely didn't have a GITHUB_TOKEN env var set in that shell?

Owner

nedbat commented Jul 3, 2023

The GITHUB_TOKEN environment variable is good thinking, but that is not my situation. If I edit my .netrc file to pollute the token, I get a 404 for a private repo just like you do.

Next thing: what scopes does your token have? https://docs.github.com/en/rest/actions/workflow-runs says it needs repo scope. The thing I really don't understand is how your code change can make things work. On my machine, the .netrc file is clearly being read even without your change.

Contributor Author

rweir commented Jul 4, 2023

Scopes is a good point, I had trimmed it down to avoid things that seemed unnecessary. It does work in GITHUB_TOKEN, though, and I just made a new one with all scopes, put it in ~/.netrc and no change in behaviour.

I can't figure out how to make dtruss work on MacOS, but I've straced watch_gha_runs on Linux, and it doesn't appear to try to open ~/.netrc at all:

$ strace -ff -o ~/log  ~/.local/bin/watch_gha_runs 2>&1
Client error '404 Not Found' for url 'https://api.github.com/repos/rweir/dotfiles/actions/runs?per_page=40&branch=main'
For more information check: https://httpstatuses.com/404
message: Not Found
documentation_url: https://docs.github.com/rest/reference/actions#list-workflow-runs-for-a-repository
$ cat ~/log.2720* | grep netrc
newfstatat(AT_FDCWD, "/usr/lib/python3.11/netrc.py", {st_mode=S_IFREG|0644, st_size=6929, ...}, 0) = 0
newfstatat(AT_FDCWD, "/usr/lib/python3.11/netrc.py", {st_mode=S_IFREG|0644, st_size=6929, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/python3.11/__pycache__/netrc.cpython-311.pyc", O_RDONLY|O_CLOEXEC) = 3

with my change applied to ~/.local/pipx/venvs/watchgha/lib/python3.11/site-packages/watchgha/http_help.py it does try to load it (and complain for an unrelated reason):

$ strace -ff -o ~/log-after-patch  ~/.local/bin/watch_gha_runs 2>&1
Traceback (most recent call last):
  File "/home/rob/.local/bin/watch_gha_runs", line 5, in <module>
    from watchgha.watch_runs import main
  File "/home/rob/.local/pipx/venvs/watchgha/lib/python3.11/site-packages/watchgha/watch_runs.py", line 22, in <module>
    from .http_help import get_data
  File "/home/rob/.local/pipx/venvs/watchgha/lib/python3.11/site-packages/watchgha/http_help.py", line 88, in <module>
    _get_data = Http().get_data
                ^^^^^^
  File "/home/rob/.local/pipx/venvs/watchgha/lib/python3.11/site-packages/watchgha/http_help.py", line 41, in __init__
    self.auth = httpx.NetRCAuth()
                ^^^^^^^^^^^^^^^^^
  File "/home/rob/.local/pipx/venvs/watchgha/lib/python3.11/site-packages/httpx/_auth.py", line 151, in __init__
    self._netrc_info = netrc.netrc(file)
                       ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/netrc.py", line 75, in __init__
    self._parse(file, fp, default_netrc)
  File "/usr/lib/python3.11/netrc.py", line 142, in _parse
    self._security_check(fp, default_netrc, self.hosts[entryname][0])
  File "/usr/lib/python3.11/netrc.py", line 161, in _security_check
    raise NetrcParseError(
netrc.NetrcParseError: ~/.netrc access too permissive: access permissions must restrict access to only the owner (None, line None)

and strace shows it too:

$ cat ~/log-after-patch.2723* | grep netrc
newfstatat(AT_FDCWD, "/usr/lib/python3.11/netrc.py", {st_mode=S_IFREG|0644, st_size=6929, ...}, 0) = 0
newfstatat(AT_FDCWD, "/usr/lib/python3.11/netrc.py", {st_mode=S_IFREG|0644, st_size=6929, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/python3.11/__pycache__/netrc.cpython-311.pyc", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/rob/.netrc", O_RDONLY|O_CLOEXEC) = 3
read(4, "import hashlib\nimport netrc\nimpo"..., 4096) = 4096
read(3, "import hashlib\nimport netrc\nimpo"..., 8192) = 8192
write(2, "    self._netrc_info = netrc.net"..., 41) = 41
openat(AT_FDCWD, "/usr/lib/python3.11/netrc.py", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/python3.11/netrc.py", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/python3.11/netrc.py", O_RDONLY|O_CLOEXEC) = 3
write(2, "netrc.NetrcParseError: ~/.netrc "..., 131) = 131

I had a skim of httpx, and it has some envvars that affect how it works, but couldn't see anything that looks auth-y. So, I'm quite stumped about what might be causing different behaviour between your system and mine.

Owner

nedbat commented Jul 5, 2023

Mystery solved: httpx removed implicit netrc authentication in 0.24.0: https://github.com/encode/httpx/blob/master/CHANGELOG.md#0240-6th-april-2023

Thanks for this fix. I do wonder if implicit authentication is a good thing (see #6), but I'll take this to keep things working while we think more about it.

@nedbat nedbat merged commit 8b68399 into nedbat:main Jul 5, 2023
1 check passed
Owner

nedbat commented Jul 5, 2023

This is now released as watchgha 2.1.0.

Owner

nedbat commented Jul 5, 2023

Oops, and defaulting the location is in httpx 0.24.1, so this is now released as watchgha 2.1.1.
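
As an added example (not code from watchgha or httpx): one way to get the precedence this PR describes, GITHUB_TOKEN first and netrc second, while turning the loose-permissions failure seen in the traceback above into a one-line warning. The helper name `resolve_github_auth`, its return shape and the placeholder tokens are assumptions made for illustration.

```python
import netrc
import os
import stat
import tempfile

API_HOST = "api.github.com"  # host from the netrc entry format that worked in this thread


def resolve_github_auth(env, netrc_path, host=API_HOST):
    """Return (source, token, warning). Hypothetical helper, not watchgha's API."""
    token = env.get("GITHUB_TOKEN")
    if token:
        return ("env", token, None)
    try:
        mode = os.stat(netrc_path).st_mode
    except FileNotFoundError:
        return ("none", None, None)
    # Same permission bits netrc.py rejects on the default ~/.netrc. The stdlib
    # skips that check when given an explicit path, so it is done here.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        fix = f"chmod 600 {netrc_path}"
        return ("none", None, f"{netrc_path} is mode {stat.S_IMODE(mode):o}; run: {fix}")
    try:
        entry = netrc.netrc(netrc_path).authenticators(host)
    except netrc.NetrcParseError as exc:
        return ("none", None, f"cannot parse {netrc_path}: {exc}")
    if entry is None:
        return ("none", None, None)  # no entry for this host
    _login, _account, password = entry
    return ("netrc", password, None)


def demo():
    """Run the resolver over a constructed netrc file with placeholder tokens."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netrc")
        with open(path, "w") as fh:
            fh.write("machine api.github.com\n  login someone\n  password ghp_PLACEHOLDER\n")
        os.chmod(path, 0o644)  # group/other readable: token must not be used
        loose = resolve_github_auth({}, path)
        os.chmod(path, 0o600)  # owner-only: token is accepted
        strict = resolve_github_auth({}, path)
        from_env = resolve_github_auth({"GITHUB_TOKEN": "ghp_ENV"}, path)
        other_host = resolve_github_auth({}, path, host="github.com")
    return loose, strict, from_env, other_host


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The `github.com` lookup returning nothing mirrors the host mismatch discussed earlier in the thread: a netrc entry is matched on the exact machine name the request goes to.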
