Mic92 / nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs
MIT License

HTTP Error 403 Forbidden on `nix-review post-result` #386

Open KiaraGrouwstra opened 5 months ago

KiaraGrouwstra commented 5 months ago

this is the first time i'm trying nixpkgs-review, and its GET-like command comments works fine for me. using commands like post-result tho yields me an HTTP Forbidden error:

$ nix-review post-result
Posting result comment on https://github.com/NixOS/nixpkgs/pull/261805
Traceback (most recent call last):
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/bin/.nix-review-wrapped", line 9, in <module>
    sys.exit(main())
             ^^^^^^
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/__init__.py", line 10, in main
    cli.main(command, args)
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/cli/__init__.py", line 334, in main
    return cast(str, args.func(args))
                     ^^^^^^^^^^^^^^^
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/cli/post_result.py", line 26, in post_result_command
    github_client.comment_issue(pr, report_text)
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/github.py", line 44, in comment_issue
    return self.post(
           ^^^^^^^^^^
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/github.py", line 36, in post
    return self._request(path, "POST", data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/github.py", line 29, in _request
    with urllib.request.urlopen(req) as resp:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 525, in open
    response = meth(req, response)
               ^^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 634, in http_response
    response = self.parent.error(
               ^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 563, in error
    return self._call_chain(*args)
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 496, in _call_chain
    result = func(*args)
             ^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 643, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 403: Forbidden

i've tried passing account credentials in different ways; by env var, by gh or by --token.

version:

$ nix-review --version
nixpkgs-review 2.10.3

my github token has the rights to access all repos (read/write), with no other special settings.

would there be a good way to debug this?

Mic92 commented 5 months ago

Check if your GITHUB_TOKEN is expired in $HOME/.config/hub or $HOME/.config/gh/config.yml

KiaraGrouwstra commented 5 months ago

i used a fresh github token.

my gh auth login did complain about gh/config.yml being read-only (being symlinked by nix), tho with such login succeeding to let gh use the credential led me to believe this might have worked.

that doesn't explain to me tho why passing the token by env var (on both nix-review pr <number> and nix-review post-result) or by --token would fail as well tho.

Mic92 commented 4 months ago

If you create a new token manually here: https://github.com/settings/tokens with the permissions to create issue comments, does it work then?

KiaraGrouwstra commented 4 months ago

giving the token (passing by env var) read/write permissions on issues and PRs doesn't seem to change anything for me. i gotta say i'm not sure on precedence rules tho, so i'm not sure if this is actually the token it's using.

Mic92 commented 4 months ago

If you pass it via --token then it overwrites anything else. Environment variables have higher precedence over configuration files.

KiaraGrouwstra commented 4 months ago

thanks, retried using --token just in case, but same result

siraben commented 3 months ago
Screenshot 2024-03-28 at 23 43 52

I've been having this issue too, with a token with these permissions. Tried --token but also didn't work. Got HTTP error 403: Forbidden.

siraben commented 3 months ago

When I use a classic personal access token with repo permissions, it works. So it looks like fine-grained tokens might not be supported yet, or I am not selecting the right permissions scopes.

KiaraGrouwstra commented 1 month ago

the classic token works for me as well. perhaps we could clarify that in the docs?

siraben commented 1 month ago

@Mic92
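
One way to approach the "good way to debug this" question from the thread, as an added example that is not nixpkgs-review's own code: resolve which token wins under the precedence stated above (`--token`, then `GITHUB_TOKEN`, then config file), classify it by GitHub's documented token prefixes, and read the permission hints from a 403 response's headers without echoing the secret. The function names, the sample token and the sample headers are constructed for illustration; that the server returns these headers on the failing request is an assumption.

```python
import os

# GitHub's documented token prefixes.
PREFIXES = {
    "github_pat_": "fine-grained personal access token",
    "ghp_": "classic personal access token",
    "gho_": "OAuth token (e.g. issued by gh auth login)",
}

# Constructed sample data, not taken from the thread.
SAMPLE_TOKEN = "github_pat_CONSTRUCTED_EXAMPLE"
SAMPLE_HEADERS = {"X-Accepted-GitHub-Permissions": "issues=write; pull_requests=write"}


def resolve_token(cli_token=None, env=None, config_token=None):
    """Return (token, source) using the precedence described in the thread."""
    env = os.environ if env is None else env
    candidates = (
        ("--token", cli_token),
        ("GITHUB_TOKEN", env.get("GITHUB_TOKEN")),
        ("config file", config_token),
    )
    for source, value in candidates:
        if value:
            return value, source
    return None, "none"


def token_kind(token):
    """Classify a token by prefix so the token type is known before blaming scopes."""
    for prefix, kind in PREFIXES.items():
        if token.startswith(prefix):
            return kind
    return "unknown token format"


def explain_403(token, source, headers):
    """Summarise a 403 response for this token; only a 4-character prefix is shown."""
    h = {k.lower(): v for k, v in headers.items()}
    lines = [f"token from {source}: {token_kind(token)} ({token[:4]}...redacted)"]
    if "x-oauth-scopes" in h:  # reported for classic and OAuth tokens
        lines.append(f"granted scopes: {h['x-oauth-scopes'] or '(none)'}")
        lines.append(f"endpoint accepts: {h.get('x-accepted-oauth-scopes', '?')}")
    if "x-accepted-github-permissions" in h:  # hint for fine-grained tokens
        lines.append(f"endpoint needs: {h['x-accepted-github-permissions']}")
    return lines


if __name__ == "__main__":
    tok, src = resolve_token(env={"GITHUB_TOKEN": SAMPLE_TOKEN})
    print("\n".join(explain_403(tok, src, SAMPLE_HEADERS)))
```

To feed it real headers, catch `urllib.error.HTTPError` around the failing request and pass `dict(err.headers)` as `headers`.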