Homebrew / brew

🍺 The missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License

`GitHub::too_many_open_prs()` errors without SSO access #18610

Closed elijaholmos closed 3 weeks ago

elijaholmos commented 1 month ago

brew doctor output

```
Your system is ready to brew.
```

Verification

brew config output

```
HOMEBREW_VERSION: 4.4.2-21-gf921bb4
ORIGIN: https://github.com/Homebrew/brew
HEAD: f921bb4e345e083f4966c9e64b608b584c2a646a
Last commit: 9 hours ago
Core tap JSON: 23 Oct 02:40 UTC
Core cask tap HEAD: eb5869f78774b7c7f31a1d65162de6b537a51f02
Core cask tap last commit: 71 minutes ago
Core cask tap JSON: 23 Oct 02:43 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_MAKE_JOBS: 10
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.5 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.3.5/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 16.0.0 build 1600
Git: 2.39.5 => /Library/Developer/CommandLineTools/usr/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 15.0-arm64
CLT: 16.0.0.0.1.1724870825
Xcode: N/A
Rosetta 2: false
```

What were you trying to do (and why)?

I was trying to update the cask of https://github.com/alacritty/alacritty, since the developers recently published a new GitHub release. As a first-time Homebrew contributor, I discovered the brew bump-cask-pr command and thought it would work perfectly as a simple solution for me to make the required cask changes. During this process, I was prompted to generate a GitHub personal access token for the Homebrew CLI, which I did.

What happened (include all command output)?

After generating a GitHub Personal Access Token and storing it in the HOMEBREW_GITHUB_API_TOKEN env variable, the command brew bump-cask-pr alacritty yielded the following error:

Error: FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to an organization within this enterprise.

What did you expect to happen?

I expected the version of cask alacritty to be updated to 0.14.0, a commit to be created on my local machine in my fork, that commit pushed to origin, and a pull request from my fork into upstream to be automatically opened.

Step-by-step reproduction instructions (by running brew commands)

1. Using a GitHub account which is part of at least one Enterprise Organization which uses SAML SSO, generate a new Personal Access Token using the link provided by the Homebrew CLI: https://github.com/settings/tokens/new?scopes=gist,repo,workflow&description=Homebrew
2. Leave all the scopes as default and pick any expiration timeframe.
3. Click generate token. Copy the token and store it in the `HOMEBREW_GITHUB_API_TOKEN` env variable.
4. Attempt to use a Homebrew CLI command which invokes the `GitHub::too_many_open_prs()` method. It is expected to yield the following error: `Error: FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to an organization within this enterprise.`

elijaholmos commented 1 month ago

I did a bit of research on my own and discovered the following:

(all personal access tokens used in tests were deleted before posting this comment)

The count of PRs is the same with and without SSO access enabled on my GitHub Personal Access token. However, GitHub returns a null node to represent the inaccessible (but still existent) PR:

[image]

Not sure which direction the maintainers want to take with this bug. However, if only the totalCount is being considered when fetching all of a user's pull requests, perhaps any errors returned with the API response can be ignored so long as the totalCount field is present?

Bo98 commented 1 month ago

I'm OK with either:

  • Ignoring any SSO (i.e. `extensions` contains `saml_failure`) errors for that specific API call only. SAML errors for other API calls are likely genuine and should continue to error.

MikeMcQuaid commented 1 month ago

Yes, let's do this.
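
The behaviour described in the research comment above (same `totalCount` with and without SSO access, inaccessible PRs returned as `null` nodes) and the approach agreed here (ignore `saml_failure` errors for this one call only) can be illustrated with a small Ruby decision function. This is an added example, not Homebrew's own code or its real GraphQL query; the response shapes are constructed samples, the `viewer.pullRequests` field path and the `limit` value are assumptions, and only the `extensions.saml_failure` marker and the error message come from the thread.

```ruby
require "json"

# Constructed sample: a GitHub GraphQL response where the open-PR count is
# present but one PR belongs to a SAML-enforced organization. The field
# layout under "data" is an assumption modelled on the issue's description.
SAML_BLOCKED_RESPONSE = JSON.parse(<<~JSON)
  {
    "data": {
      "viewer": {
        "login": "example-user",
        "pullRequests": {
          "totalCount": 3,
          "nodes": [
            { "url": "https://github.com/example/one/pull/1" },
            { "url": "https://github.com/example/two/pull/2" },
            null
          ]
        }
      }
    },
    "errors": [
      {
        "type": "FORBIDDEN",
        "path": ["viewer", "pullRequests", "nodes", 2],
        "extensions": { "saml_failure": true },
        "message": "Resource protected by organization SAML enforcement. You must grant your Personal Access token access to an organization within this enterprise."
      }
    ]
  }
JSON

# Constructed sample: a genuine authorization failure with no count at all.
# This must still be surfaced to the user rather than swallowed.
HARD_FAILURE_RESPONSE = JSON.parse(<<~JSON)
  {
    "data": { "viewer": null },
    "errors": [
      { "type": "FORBIDDEN", "path": ["viewer"], "message": "Resource not accessible by personal access token" }
    ]
  }
JSON

class GitHubGraphQLError < StandardError; end

# GitHub marks SSO-related GraphQL errors with extensions.saml_failure.
def saml_failure?(error)
  error.dig("extensions", "saml_failure") == true
end

# PRs in SSO-protected organizations come back as null entries in nodes,
# so the visible list is shorter than totalCount.
def visible_pr_urls(response)
  Array(response.dig("data", "viewer", "pullRequests", "nodes")).compact.map { |n| n["url"] }
end

# Returns the viewer's open PR count. SAML errors are tolerated only when
# totalCount was actually returned (the count already includes the hidden
# PRs); any other error, or a missing count, is raised as before.
def open_pr_count(response)
  total = response.dig("data", "viewer", "pullRequests", "totalCount")
  errors = Array(response["errors"])

  fatal = errors.reject { |e| !total.nil? && saml_failure?(e) }
  unless fatal.empty?
    raise GitHubGraphQLError, fatal.map { |e| "#{e["type"]}: #{e["message"]}" }.join("\n")
  end

  raise GitHubGraphQLError, "response did not include pullRequests.totalCount" if total.nil?
  total
end

# The limit is an assumed example value, not Homebrew's configured threshold.
def too_many_open_prs?(response, limit: 15)
  open_pr_count(response) > limit
end

if __FILE__ == $PROGRAM_NAME
  puts "open PRs: #{open_pr_count(SAML_BLOCKED_RESPONSE)}"
  puts "visible PRs: #{visible_pr_urls(SAML_BLOCKED_RESPONSE).length}"
end
```

The check is deliberately narrow: the SAML error is dropped only by this function and only after confirming the count is present, so the same error from any other API call still propagates unchanged, matching the distinction drawn in the comment above.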

github-actions[bot] commented 3 weeks ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.