A fixed set of roles is no longer appropriate for teams/add-or-update-repo-permissions-in-org

[Royston-Shufflebotham-i2]

Schema Inaccuracy

The schema specifies that the only legal values for the permission input field for teams/add-or-update-repo-permissions-in-org are pull, push, admin, maintain, triage. This used to be true, but with the advent of custom repository role names, any name is now possible.

https://docs.github.com/en/rest/teams/teams#add-or-update-team-repository-permissions

Note the text "In addition to the enumerated values, you can also specify a custom repository role name, if the owning organization has defined any."

Expected

The permissions property for the above endpoint should be of type string instead of a specific enumeration.

(Similar changes should be made for APIs which return repo-team permissions if they're actually correct. At time of writing I can set a custom permission role but when I attempt to read it I don't get back the correct permission name.)

[timrogers]

@Royston-Shufflebotham-i2 👋🏻 Thanks for reporting this. I'll pass on your feedback to the team that owns this API.

[Royston-Shufflebotham-i2]

Thanks @timrogers. Btw, how do I report an issue with the read API itself? I can set a custom permissions role for a team and repository through the REST API but neither the REST API nor the GraphQL actually return the custom role correctly.

[timrogers]

No worries! An issue in this repo seems like a reasonable place to report that too - or you’re welcome just to contact GitHub Support.

[timrogers]

If you flag it here, I can make sure it gets to the right team 😊

[hpsin]

Thanks for this report @Royston-Shufflebotham-i2 ! I've added this to our up-next work item where we're improving the Custom Roles APIs. We also have a tracking item for the team permissions item - to make sure, the bug you saw there is that it doesn't provide the custom role permission at all, not that it returns an actively incorrect custom role name, right?

[Royston-Shufflebotham-i2]

@hpsin What I saw was that after setting a team to have the permissions of a custom role which was based on push plus a few extra permissions, reading that role through the API simply returns push. It's as if the read API 'rounds down' to the nearest non-custom role. So I guess it somewhat depends on your definition of 'incorrect custom role name'.

Reading my notes I've just been reminded of another interesting issue in the GET /repos/{owner}/{repo}/teams read API: For a team permission of maintain (the regular non-custom role) I actually receive this through the read API:

    permission: 'push',
    permissions: {
      admin: false,
      maintain: true,
      push: true,
      triage: true,
      pull: true
    },

That is, the value of permission is wrong, but the boolean flags in permissions are fine.

[hpsin]

Thanks @Royston-Shufflebotham-i2 ! We'll be sure to include that in our upcoming fixes. Much obliged!

[christroger]

Both reports have been fixed in the current batch and should soon be live.

[tachang]

Does this mean the graphql endpoint should return custom role names now?

[hpsin]

Hi @tachang - at this time the custom roles team is focusing on improving our REST API to ensure we have a fully featured and correct API. Updates to the GraphQL API are not on our roadmap currently, unfortunately.