BUG: Authenticated REST API queries of repos/OWNER/REPO/issues/NUMBER/timeline return fewer events than UNAUTHENTICATED queries do

[0xB10C]

Select Topic Area

Bug

Body

When querying an issue timeline via the REST API, a response to an UNAUTHENTICATED request returns MORE information than when authenticating with a Personal Access Token. In my particular case, no cross-referenced events are returned when authenticated.

This can be reproduced with the following steps:

1. Unauthenticated request loading a timeline and saving the response to a file.

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
 https://api.github.com/repos/bitcoin/bitcoin/issues/27761/timeline > without-pat.json

2. Authenticated request loading a timeline and saving the response to a file.

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>"\
  -H "X-GitHub-Api-Version: 2022-11-28" \
   https://api.github.com/repos/bitcoin/bitcoin/issues/27761/timeline > with-pat.json

3. Compare both responses:

diff without-pat.json with-pat.json

The cross-referenced event is missing from the request made with the Personal Access Token.

102,305d101
<     "actor": {
<       "login": "mzumsande",
<       "id": 48763452,
<       "node_id": "MDQ6VXNlcjQ4NzYzNDUy",
<       "avatar_url": "https://avatars.githubusercontent.com/u/48763452?v=4",
<       "gravatar_id": "",
<       "url": "https://api.github.com/users/mzumsande",
<       "html_url": "https://github.com/mzumsande",
<       "followers_url": "https://api.github.com/users/mzumsande/followers",
<       "following_url": "https://api.github.com/users/mzumsande/following{/other_user}",
<       "gists_url": "https://api.github.com/users/mzumsande/gists{/gist_id}",
<       "starred_url": "https://api.github.com/users/mzumsande/starred{/owner}{/repo}",
<       "subscriptions_url": "https://api.github.com/users/mzumsande/subscriptions",
<       "organizations_url": "https://api.github.com/users/mzumsande/orgs",
<       "repos_url": "https://api.github.com/users/mzumsande/repos",
<       "events_url": "https://api.github.com/users/mzumsande/events{/privacy}",
<       "received_events_url": "https://api.github.com/users/mzumsande/received_events",
<       "type": "User",
<       "site_admin": false
<     },
<     "created_at": "2023-05-25T19:40:59Z",
<     "updated_at": "2023-05-25T19:40:59Z",
<     "source": {
<       "type": "issue",
<       "issue": {
<         "url": "https://api.github.com/repos/bitcoin/bitcoin/issues/27705",
<         "repository_url": "https://api.github.com/repos/bitcoin/bitcoin",
<         "labels_url": "https://api.github.com/repos/bitcoin/bitcoin/issues/27705/labels{/name}",
<         "comments_url": "https://api.github.com/repos/bitcoin/bitcoin/issues/27705/comments",
<         "events_url": "https://api.github.com/repos/bitcoin/bitcoin/issues/27705/events",
<         "html_url": "https://github.com/bitcoin/bitcoin/issues/27705",
<         "id": 1718114131,
<         "node_id": "I_kwDOABII585maFdT",
<         "number": 27705,
<         "title": "Frequent \"Timeout downloading block\" with 24.1",
<         "user": {
<           "login": "ArmchairCryptologist",
<           "id": 73581993,
<           "node_id": "MDQ6VXNlcjczNTgxOTkz",
<           "avatar_url": "https://avatars.githubusercontent.com/u/73581993?v=4",
<           "gravatar_id": "",
<           "url": "https://api.github.com/users/ArmchairCryptologist",
<           "html_url": "https://github.com/ArmchairCryptologist",
<           "followers_url": "https://api.github.com/users/ArmchairCryptologist/followers",
<           "following_url": "https://api.github.com/users/ArmchairCryptologist/following{/other_user}",
<           "gists_url": "https://api.github.com/users/ArmchairCryptologist/gists{/gist_id}",
<           "starred_url": "https://api.github.com/users/ArmchairCryptologist/starred{/owner}{/repo}",
<           "subscriptions_url": "https://api.github.com/users/ArmchairCryptologist/subscriptions",
<           "organizations_url": "https://api.github.com/users/ArmchairCryptologist/orgs",
<           "repos_url": "https://api.github.com/users/ArmchairCryptologist/repos",
<           "events_url": "https://api.github.com/users/ArmchairCryptologist/events{/privacy}",
<           "received_events_url": "https://api.github.com/users/ArmchairCryptologist/received_events",
<           "type": "User",
<           "site_admin": false
<         },
<         "labels": [
<
<         ],
<         "state": "open",
<         "locked": false,
<         "assignee": null,
<         "assignees": [
<
<         ],
<         "milestone": null,
<         "comments": 10,
<         "created_at": "2023-05-20T09:27:59Z",
<         "updated_at": "2023-05-26T15:09:27Z",
<         "closed_at": null,
<         "author_association": "NONE",
<         "active_lock_reason": null,
<         "repository": {
<           "id": 1181927,
<           "node_id": "MDEwOlJlcG9zaXRvcnkxMTgxOTI3",
<           "name": "bitcoin",
<           "full_name": "bitcoin/bitcoin",
<           "private": false,
<           "owner": {
<             "login": "bitcoin",
<             "id": 528860,
<             "node_id": "MDEyOk9yZ2FuaXphdGlvbjUyODg2MA==",
<             "avatar_url": "https://avatars.githubusercontent.com/u/528860?v=4",
<             "gravatar_id": "",
<             "url": "https://api.github.com/users/bitcoin",
<             "html_url": "https://github.com/bitcoin",
<             "followers_url": "https://api.github.com/users/bitcoin/followers",
<             "following_url": "https://api.github.com/users/bitcoin/following{/other_user}",
<             "gists_url": "https://api.github.com/users/bitcoin/gists{/gist_id}",
<             "starred_url": "https://api.github.com/users/bitcoin/starred{/owner}{/repo}",
<             "subscriptions_url": "https://api.github.com/users/bitcoin/subscriptions",
<             "organizations_url": "https://api.github.com/users/bitcoin/orgs",
<             "repos_url": "https://api.github.com/users/bitcoin/repos",
<             "events_url": "https://api.github.com/users/bitcoin/events{/privacy}",
<             "received_events_url": "https://api.github.com/users/bitcoin/received_events",
<             "type": "Organization",
<             "site_admin": false
<           },
<           "html_url": "https://github.com/bitcoin/bitcoin",
<           "description": "Bitcoin Core integration/staging tree",
<           "fork": false,
<           "url": "https://api.github.com/repos/bitcoin/bitcoin",
<           "forks_url": "https://api.github.com/repos/bitcoin/bitcoin/forks",
<           "keys_url": "https://api.github.com/repos/bitcoin/bitcoin/keys{/key_id}",
<           "collaborators_url": "https://api.github.com/repos/bitcoin/bitcoin/collaborators{/collaborator}",
<           "teams_url": "https://api.github.com/repos/bitcoin/bitcoin/teams",
<           "hooks_url": "https://api.github.com/repos/bitcoin/bitcoin/hooks",
<           "issue_events_url": "https://api.github.com/repos/bitcoin/bitcoin/issues/events{/number}",
<           "events_url": "https://api.github.com/repos/bitcoin/bitcoin/events",
<           "assignees_url": "https://api.github.com/repos/bitcoin/bitcoin/assignees{/user}",
<           "branches_url": "https://api.github.com/repos/bitcoin/bitcoin/branches{/branch}",
<           "tags_url": "https://api.github.com/repos/bitcoin/bitcoin/tags",
<           "blobs_url": "https://api.github.com/repos/bitcoin/bitcoin/git/blobs{/sha}",
<           "git_tags_url": "https://api.github.com/repos/bitcoin/bitcoin/git/tags{/sha}",
<           "git_refs_url": "https://api.github.com/repos/bitcoin/bitcoin/git/refs{/sha}",
<           "trees_url": "https://api.github.com/repos/bitcoin/bitcoin/git/trees{/sha}",
<           "statuses_url": "https://api.github.com/repos/bitcoin/bitcoin/statuses/{sha}",
<           "languages_url": "https://api.github.com/repos/bitcoin/bitcoin/languages",
<           "stargazers_url": "https://api.github.com/repos/bitcoin/bitcoin/stargazers",
<           "contributors_url": "https://api.github.com/repos/bitcoin/bitcoin/contributors",
<           "subscribers_url": "https://api.github.com/repos/bitcoin/bitcoin/subscribers",
<           "subscription_url": "https://api.github.com/repos/bitcoin/bitcoin/subscription",
<           "commits_url": "https://api.github.com/repos/bitcoin/bitcoin/commits{/sha}",
<           "git_commits_url": "https://api.github.com/repos/bitcoin/bitcoin/git/commits{/sha}",
<           "comments_url": "https://api.github.com/repos/bitcoin/bitcoin/comments{/number}",
<           "issue_comment_url": "https://api.github.com/repos/bitcoin/bitcoin/issues/comments{/number}",
<           "contents_url": "https://api.github.com/repos/bitcoin/bitcoin/contents/{+path}",
<           "compare_url": "https://api.github.com/repos/bitcoin/bitcoin/compare/{base}...{head}",
<           "merges_url": "https://api.github.com/repos/bitcoin/bitcoin/merges",
<           "archive_url": "https://api.github.com/repos/bitcoin/bitcoin/{archive_format}{/ref}",
<           "downloads_url": "https://api.github.com/repos/bitcoin/bitcoin/downloads",
<           "issues_url": "https://api.github.com/repos/bitcoin/bitcoin/issues{/number}",
<           "pulls_url": "https://api.github.com/repos/bitcoin/bitcoin/pulls{/number}",
<           "milestones_url": "https://api.github.com/repos/bitcoin/bitcoin/milestones{/number}",
<           "notifications_url": "https://api.github.com/repos/bitcoin/bitcoin/notifications{?since,all,participating}",
<           "labels_url": "https://api.github.com/repos/bitcoin/bitcoin/labels{/name}",
<           "releases_url": "https://api.github.com/repos/bitcoin/bitcoin/releases{/id}",
<           "deployments_url": "https://api.github.com/repos/bitcoin/bitcoin/deployments",
<           "created_at": "2010-12-19T15:16:43Z",
<           "updated_at": "2023-06-20T08:49:14Z",
<           "pushed_at": "2023-06-20T08:23:21Z",
<           "git_url": "git://github.com/bitcoin/bitcoin.git",
<           "ssh_url": "git@github.com:bitcoin/bitcoin.git",
<           "clone_url": "https://github.com/bitcoin/bitcoin.git",
<           "svn_url": "https://github.com/bitcoin/bitcoin",
<           "homepage": "https://bitcoincore.org/en/download",
<           "size": 234600,
<           "stargazers_count": 70024,
<           "watchers_count": 70024,
<           "language": "C++",
<           "has_issues": true,
<           "has_projects": true,
<           "has_downloads": false,
<           "has_wiki": false,
<           "has_pages": false,
<           "has_discussions": false,
<           "forks_count": 34550,
<           "mirror_url": null,
<           "archived": false,
<           "disabled": false,
<           "open_issues_count": 644,
<           "license": {
<             "key": "mit",
<             "name": "MIT License",
<             "spdx_id": "MIT",
<             "url": "https://api.github.com/licenses/mit",
<             "node_id": "MDc6TGljZW5zZTEz"
<           },
<           "allow_forking": true,
<           "is_template": false,
<           "web_commit_signoff_required": false,
<           "topics": [
<             "bitcoin",
<             "c-plus-plus",
<             "cryptocurrency",
<             "cryptography",
<             "p2p"
<           ],
<           "visibility": "public",
<           "forks": 34550,
<           "open_issues": 644,
<           "watchers": 70024,
<           "default_branch": "master"
<         },
<         "body": "### Is there an existing issue for this?\r\n\r\n- [X] I have searched the existing issues\r\n\r\n### Current behaviour\r\n\r\nAfter updating to 24.1 yesterday <snip>",
<         "reactions": {
<           "url": "https://api.github.com/repos/bitcoin/bitcoin/issues/27705/reactions",
<           "total_count": 0,
<           "+1": 0,
<           "-1": 0,
<           "laugh": 0,
<           "hooray": 0,
<           "confused": 0,
<           "heart": 0,
<           "rocket": 0,
<           "eyes": 0
<         },
<         "timeline_url": "https://api.github.com/repos/bitcoin/bitcoin/issues/27705/timeline",
<         "performed_via_github_app": null,
<         "state_reason": null
<       }
<     },
<     "event": "cross-referenced"

[0xB10C]

The GitHub support helped out here. I was using a fine-grained GitHub access token, which are still in beta. My default token with public Repositories (read-only) selected didn't have the right permissions apparently. Using a classic token worked fine.

GitHub support wrote this if anyone wants to use a fine-grained token:

Yeah Fine-grained token are still in beta and engineering team are continuing to make improvements. The token type have more granular permissions and certain API endpoints are not yet fully supported.

In this case, it seems you'd need to create a token selecting the bitcoin organization as the resource owner and the bitcoin/bitcoin repository under repository access? The token also need to be granted Metadata read permission.

Since this is targeted at an organization, the owner of the org also needs to approve the fine-grained PAT before they can be used to access the org resource.

More info about Fine-grained token is documented here.