CircleCI-Public / github-cli-orb

Bring all of the power and flexibility of the GitHub CLI to your CI/CD pipeline.
https://circleci.com/developer/orbs/orb/circleci/github-cli
MIT License

`setup` command requires more scopes than necessary #13

Closed jasonkarns closed 2 years ago

jasonkarns commented 2 years ago

Orb version: 1.0.5

What happened:

step: `- github-cli/setup`

```
GH CLI installed
/usr/bin/gh

Authenticating GH CLI
github.com
  X github.com: the token in GITHUB_TOKEN is missing required scopes 'repo', 'read:org'

Exited with code exit status 1
CircleCI received exit code 1
```

https://app.circleci.com/pipelines/github/pgahq/coach-tools-backend/8091/workflows/8d041e01-362d-4155-9da8-54a0fd74466f/jobs/40666?invite=true#step-103-102

Expected behavior:

It should be possible to install the github-cli with this orb, without having specific scopes. We only use the github cli to create and report github Deployments. Per the principle of least privilege, we only provide `repo_deployment` scope to our circle contexts. This scope is sufficient to create Deployment records and to set their status accordingly. Unfortunately, this scope is not sufficient for `gh auth status` and so the setup command fails.

Additional Information:

It is admirable that this orb's setup command reports auth status and does some default configuration. However, it should be possible for users to only install the cli, if they so choose. Installation itself does not require any scopes. Our usage is known to work with the `repo_deployment` scope; we just need to install the cli.

ronkorving commented 2 years ago

This may be closed, but on the latest version (circleci/github-cli@2.1.0), I still had this problem.
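
The least-privilege setup described in this issue can be verified in CI without `gh auth status`. The following is an added example, not part of the issue or of the orb's code: it parses the `X-OAuth-Scopes` header that GitHub's REST API returns for classic tokens and fails when the token holds more or fewer scopes than the job needs. The function names, the scope policy and the sample headers are constructed for illustration.

```shell
# Added example: audit a CI token's scopes without `gh auth status`.
# Live input would be the response headers of, for example:
#   curl -sI -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/
# The header samples below are constructed so the script runs offline.

# Read raw HTTP response headers on stdin; print one scope per line.
parse_scopes() {
  tr -d '\r' |
    awk 'tolower($0) ~ /^x-oauth-scopes:/ { sub(/^[^:]*: */, ""); print }' |
    tr ',' '\n' |
    sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d'
}

# check_scopes "<required>" "<also allowed>"; scopes arrive on stdin.
# Returns 0 = ok, 1 = required scope missing, 2 = token is over-scoped.
# A broader parent scope such as `repo` counts as excess, not as a substitute.
check_scopes() {
  cs_required="$1"; cs_allowed="$2"; cs_have="$(cat)"
  while IFS= read -r cs_scope; do
    if [ -z "$cs_scope" ]; then continue; fi
    case " $cs_required $cs_allowed " in
      *" $cs_scope "*) ;;
      *) echo "excess scope: $cs_scope" >&2; return 2 ;;
    esac
  done <<EOF
$cs_have
EOF
  for cs_scope in $cs_required; do
    printf '%s\n' "$cs_have" | grep -qxF -- "$cs_scope" ||
      { echo "missing scope: $cs_scope" >&2; return 1; }
  done
  return 0
}

# Hypothetical policy for a job that only creates and updates Deployments.
audit_token() {
  printf '%s' "$1" | parse_scopes | check_scopes "repo_deployment" ""
}

# Constructed sample: token limited to deployments, as in the issue.
SAMPLE_MINIMAL='HTTP/2 200
x-oauth-scopes: repo_deployment
'
# Constructed sample: token carrying the scopes `gh auth status` asked for.
SAMPLE_BROAD='HTTP/2 200
X-OAuth-Scopes: repo, read:org
'
audit_token "$SAMPLE_MINIMAL" && echo "minimal token: ok"
audit_token "$SAMPLE_BROAD" || echo "broad token: rejected (rc=$?)"
```

Run as a pipeline step before any `gh` call, a non-zero exit stops the job when a context token has drifted away from the intended scope set.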