Use of team-reviewers results in: "Could not resolve to a node with the global id of..." error

[jchoksijudopay]

Subject of the issue

Providing a GitHub team to request a review from doesn't work.

Steps to reproduce

    - name: Push changes to Github and create pull request
      if: ${{ env.CREATE_PR == 1 }}
      id: pull_request
      uses: peter-evans/create-pull-request@v2
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        title: 'Some text here...'
        body: |
          Some text here...
          - Some text here...
          - Auto-generated by [create-pull-request][1]

          [1]: https://github.com/peter-evans/create-pull-request
        labels: binupdate, automated pr
        team-reviewers: developers
        branch: binbase/update
        branch-suffix: timestamp

In the example above, developers is a valid Github team. When I base64 decode MDQ6VGVhbTE3NTI3NjE= in the error below, it resolves to: 04:Team1752761 and I can confirm that 1752761 is the correct id for our developers Github team.

The error message we see is:

Requesting team reviewers 'developers'
Traceback (most recent call last):
  File "/home/runner/work/_actions/peter-evans/create-pull-request/v2/dist/cpr/create_pull_request.py", line 213, in <module>
    coupr.create_or_update_pull_request(
  File "/home/runner/work/_actions/peter-evans/create-pull-request/v2/dist/cpr/create_or_update_pull_request.py", line 143, in create_or_update_pull_request
    pull_request.create_review_request(
  File "/opt/hostedtoolcache/Python/3.8.2/x64/lib/python3.8/site-packages/github/PullRequest.py", line 511, in create_review_request
    headers, data = self._requester.requestJsonAndCheck(
  File "/opt/hostedtoolcache/Python/3.8.2/x64/lib/python3.8/site-packages/github/Requester.py", line 317, in requestJsonAndCheck
    return self.__check(
  File "/opt/hostedtoolcache/Python/3.8.2/x64/lib/python3.8/site-packages/github/Requester.py", line 342, in __check
    raise self.__createException(status, responseHeaders, output)
github.GithubException.GithubException: 422 {"message": "Validation Failed", "errors": ["Could not resolve to a node with the global id of 'MDQ6VGVhbTE3NTI3NjE='."], "documentation_url": "https://developer.github.com/v3/pulls/review_requests/#create-a-review-request"}
##[error]The process '/opt/hostedtoolcache/Python/3.8.2/x64/bin/python' failed with exit code 1
/usr/bin/git config --local --add http.https://github.com/.extraheader AUTHORIZATION: basic ***

[peter-evans]

Hi @jchoksijudopay

This looks like a permissions issue. Could you explain a bit more about your setup. Is the team in the same org as the repository? Does the team have collaborator (write) access to the repository? Is the repository private?

[jchoksijudopay]

Is the team in the same org as the repository?

Yes it is.

Does the team have collaborator (write) access to the repository?

Yes the developers team has Write role access to the repository.

We have a Nested Team structure as follows:

- WriteAccess Team (is the team that is assigned the "Write" Role to the repository)
  |--- CI Team
       |--- CI Member 1
       |--- CI Member 2
       |--- CI Member n
  |--- Developers Team
       |--- Developer Member 1
       |--- Developer Member 2
       |--- Developer Member n

Is the repository private?

Yes it is private.

[peter-evans]

I'll try and find some time to reproduce the problem and see if I can find a workaround. I'm fairly sure this is not a problem with the action itself, it's likely to be a permissions related issue with the GitHub API. One thing you could try is using a PAT instead of the default GITHUB_TOKEN. You could also experiment with a top-level (not nested) team to see if that makes a difference.

[peter-evans]

I managed to setup an org and teams in the same way and reproduced the error. I'll see if I can figure out what the issue is and any workaround.

[peter-evans]

So it seems to be permissions related, but I’m not sure if it's intentional. It might be a GitHub API bug. The problem seems to be that the default GITHUB_TOKEN does not have permission to request a review from a team. It doesn't appear to matter whether the repository is private or not, or whether the team is nested or not.

Here is how you can work around it:

1. Create a new GitHub account that will act as a machine user.
2. Add the machine user to a team that has write access for the repository.
3. Log into the machine user account and create a repo scoped PAT.
4. Copy the generated PAT to a secret in your repository.
5. Use the secret instead of the default GITHUB_TOKEN when running create-pull-request action.

[jchoksijudopay]

Sorry for the delay in providing feedback. Using a PAT as a workaround works for us. Thank you very much for looking into the matter.

[thulasidassrinivasan]

@peter-evans - I am facing the same issue even if I use PAT token.

Below fails
- name: Create Pull Request uses: peter-evans/create-pull-request@v4 with: token: ${{ secrets.user_GITHUB_TOKEN }} branch: update-flux branch-suffix: short-commit-hash commit-message: Update to ${{ steps.update.outputs.flux_version }} title: Update to ${{ steps.update.outputs.flux_version }} body: | ${{ steps.update.outputs.flux_version }} delete-branch: true author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> team-reviewers: | admin

Below works
- name: Create Pull Request uses: peter-evans/create-pull-request@v4 with: token: ${{ secrets.user_GITHUB_TOKEN }} branch: update-flux branch-suffix: short-commit-hash commit-message: Update to ${{ steps.update.outputs.flux_version }} title: Update to ${{ steps.update.outputs.flux_version }} body: | ${{ steps.update.outputs.flux_version }} delete-branch: true author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> reviewers: thulasidassrinivasan

What am I doing wrong ? Could you Please help?

[loujr]

Was able to reproduce the following error using a GitHub App for this endpoint - the issue is permissions.

{
  "message": "Validation Failed",
  "errors": [
    "Could not resolve to a node with the global id of 'T_kwDOBnBNDs4AYoNE'."
  ],
  "documentation_url": "https://docs.github.com/rest/reference/pulls#request-reviewers-for-a-pull-request"
}

For this endpoint to be successful the following permissions must be enabled on GitHub Apps:

Read access to metadata
Read and write access to members, pull requests, and team discussions

[shivajipotnuru]

I'm also facing the same issue with my new GitHub app,

I have given the required permissions for the app, but still I'm getting this error.

@loujr please let me know , if you are able to fix this issue?

[vilesa1]

if that helps anyone, make sure as a itemId you do not use the itemId you see in github webapp url, but rather its true node ID starting with PVTI_
you can find this ID here: https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/using-the-api-to-manage-projects?tool=curl#finding-information-about-items-in-a-project