`GitHub::too_many_open_prs()` errors without SSO access

elijaholmos commented 1 month ago

`brew doctor` output

Your system is ready to brew.

Verification

[X] My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
[X] I ran brew update twice and am still able to reproduce my issue.
[X] This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

`brew config` output

HOMEBREW_VERSION: 4.4.2-21-gf921bb4
ORIGIN: https://github.com/Homebrew/brew
HEAD: f921bb4e345e083f4966c9e64b608b584c2a646a
Last commit: 9 hours ago
Core tap JSON: 23 Oct 02:40 UTC
Core cask tap HEAD: eb5869f78774b7c7f31a1d65162de6b537a51f02
Core cask tap last commit: 71 minutes ago
Core cask tap JSON: 23 Oct 02:43 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_MAKE_JOBS: 10
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.5 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.3.5/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 16.0.0 build 1600
Git: 2.39.5 => /Library/Developer/CommandLineTools/usr/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 15.0-arm64
CLT: 16.0.0.0.1.1724870825
Xcode: N/A
Rosetta 2: false

What were you trying to do (and why)?

I was trying to update the cask of https://github.com/alacritty/alacritty, since the developers recently published a new GitHub release. As a first-time Homebrew contributor, I discovered the brew bump-cask-pr command and thought it would work perfectly as a simple solution for me to make the required cask changes. During this process, I was prompted to generate a GitHub personal access token for the Homebrew CLI, which I did.

What happened (include all command output)?

After generating a GitHub Personal Access Token and storing it in the HOMEBREW_GITHUB_API_TOKEN env variable, the command brew bump-cask-pr alacritty yielded the following error:

Error: FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to an organization within this enterprise.

What did you expect to happen?

I expected the version of cask alacritty to be updated to 0.14.0, a commit to be created on my local machine in my fork, that commit pushed to origin, and a pull request from my fork into upstream to be automatically opened.

Step-by-step reproduction instructions (by running `brew` commands)

1. Using a GitHub account which is part of at least Enterprise Organization which uses SAML SSO, generate a new Personal Access Token using the link provided by the Homebrew CLI: https://github.com/settings/tokens/new?scopes=gist,repo,workflow&description=Homebrew
2. Leave all the scopes as default and pick any expiration timeframe
3. Click generate token. Copy the token and store it in the `HOMEBREW_GITHUB_API_TOKEN` env variable
4. Attempt to use a Homebrew CLI command which invokes the `GitHub::too_many_open_prs()` method. It is expected to yield the following error: `Error: FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to an organization within this enterprise.`

elijaholmos commented 1 month ago

I did a bit of research on my own and discovered the following:

Once I properly configure SSO for the GitHub Personal Access Token being used by Homebrew, the error goes away
Testing with two different tokens against the public GitHub GraphQL API, the following results were observed:
- Token 1 (SSO access) - totalCount is 17 and zero errors
- Token 2 (no SSO access) - totalCount is 17 and one errors

(all personal access tokens used in tests were deleted before posting this comment)

The count of PRs is the same with and without SSO access enabled on my GitHub Personal Access token. However, GitHub returns a null node to represent the inaccessible (but still existent) PR:

Not sure which direction the maintainers want to take with this bug. However, if only the totalCount is being considered when fetching all of a user's pull requests, perhaps any errors returned with the API response can be ignored so long as the totalCount field is present?

Bo98 commented 1 month ago

I'm OK with either:

Changing to a different API that doesn't need to go over non-Homebrew repositories (though maybe such API doesn't exist)
Ignoring any SSO (i.e. extensions contains saml_failure) errors for that specific API call only. SAML errors for other API calls are likely genuine and should continue to error.

MikeMcQuaid commented 1 month ago

Ignoring any SSO (i.e. extensions contains saml_failure) errors for that specific API call only. SAML errors for other API calls are likely genuine and should continue to error.

Yes, let's do this.

github-actions[bot] commented 3 weeks ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Homebrew / brew