CLI Refuses to show Repos for SSO Organization

[jpulec]

Describe the bug

Ever since my organization enabled SSO, I can't see any of the repos associated with it from the github CLI. When running gh repo list, only my personal repos are displayed. Even after reauthing via gh auth refresh and via gh logout I don't seem to have access to the repos that are part of the SSO org.

Steps to reproduce the behavior

1. Enable SSO for an organization
2. Try to list repos via gh repo list
3. Only personal repos shown

Logs

CLI Version: 2.30.0 OS: Arch Linux 6.3.7-arch1-1 x86_64

[alex-statsig]

My organization is not using SSO, but we just started running into a similar issue today (gh repo list only include personal repositories, not those in the organization). This is causing all other gh commands on our org to fail (pr list etc.), causing big issues with our development workflows

[creachadair]

I've been running into this also, starting a couple hours ago. It appears to affect both the mobile app and the gh command-line tool (anything using the GraphQL API maybe?)

The symptoms so far appear to be that you can't see private repositories owned by an organization of which you are a member (I've tested it with two of the orgs I belong to which own private repositories).

When trying to view details for a private repo, the CLI reports errors like:

GraphQL: Could not resolve to a Repository with the name '<repo-name>'. (repository)

Running the command with GH_DEBUG=api shows that it is in fact using the correct repo name, but the API reports an error.

[alex-statsig]

Interestingly running gh org list does include the organization, but gh repo list does not include any of its repositories (public or private)

[austospumanto]

Same as @alex-statsig and @creachadair: non-SSO organization, gh no longer showing private repos owned by org. Tried reinstalling gh via brew, redoing gh auth login, etc. -- nothing worked. In case it's helpful, here is the output I get from running GH_DEBUG=api gh pr list in my repository directory on my laptop:

~/<repo_name> $ GH_DEBUG=api gh pr list
[git remote -v]
[git config --get-regexp ^remote\..*\.gh-resolved$]
* Request at 2023-06-16 15:14:56.079036 -0700 PDT m=+0.019605209
* Request to https://api.github.com/graphql
> POST /graphql HTTP/1.1
> Host: api.github.com
> Accept: application/vnd.github.merge-info-preview+json, application/vnd.github.nebula-preview
> Authorization: token ***
> Content-Length: 953
> Content-Type: application/json; charset=utf-8
> Graphql-Features: merge_queue
> Time-Zone: America/Los_Angeles
> User-Agent: GitHub CLI 2.30.0

GraphQL query:
fragment pr on PullRequest{number,title,state,url,headRefName,headRepositoryOwner{id,login,...on User{name}},isCrossRepository,isDraft,createdAt}
    query PullRequestList(
      $owner: String!,
      $repo: String!,
      $limit: Int!,
      $endCursor: String,
      $baseBranch: String,
      $headBranch: String,
      $state: [PullRequestState!] = OPEN
    ) {
      repository(owner: $owner, name: $repo) {
        pullRequests(
          states: $state,
          baseRefName: $baseBranch,
          headRefName: $headBranch,
          first: $limit,
          after: $endCursor,
          orderBy: {field: CREATED_AT, direction: DESC}
        ) {
          totalCount
          nodes {
            ...pr
          }
          pageInfo {
            hasNextPage
            endCursor
          }
        }
      }
    }
GraphQL variables: {"limit":30,"owner":"<org_name>","repo":"<repo_name>","state":["OPEN"]}

< HTTP/2.0 200 OK
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
< Content-Security-Policy: default-src 'none'
< Content-Type: application/json; charset=utf-8
< Date: Fri, 16 Jun 2023 22:14:56 GMT
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Server: GitHub.com
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Vary: Accept-Encoding, Accept, X-Requested-With
< X-Accepted-Oauth-Scopes: repo
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-Github-Media-Type: github.merge-info-preview; param=nebula-preview; format=json
< X-Github-Request-Id: ***
< X-Oauth-Client-Id: ***
< X-Oauth-Scopes: gist, read:org, repo, workflow
< X-Ratelimit-Limit: 5000
< X-Ratelimit-Remaining: 4979
< X-Ratelimit-Reset: 1686953962
< X-Ratelimit-Resource: graphql
< X-Ratelimit-Used: 21
< X-Xss-Protection: 0

{
  "data": {
    "repository": null
  },
  "errors": [
    {
      "type": "NOT_FOUND",
      "path": [
        "repository"
      ],
      "locations": [
        {
          "line": 11,
          "column": 4
        }
      ],
      "message": "Could not resolve to a Repository with the name '<org_name>/<repo_name>'."
    }
  ]
}

* Request took 278.724917ms
GraphQL: Could not resolve to a Repository with the name '<org_name>/<repo_name>'. (repository)

[beahues]

Having the same problem. There's a difference between "internal" and "private" repos in my organisation. It seems to work for internal, but not private.

I tried a bunch of older releases to see if it was a regression in gh, but they all report the same thing, so it feels like an API issue.

[bewuethr]

As a verbose 👍🏻, we are an SSO-enabled (but not mandatory) org, and I don't have SSO enabled. I can't interact with private repos any longer, but with internal and public ones. Trying to do anything with a private repo gives me an error

GraphQL: Could not resolve to a Repository with the name 'ORG/REPO'. (repository)

gh repo list ORG --visibility internal

and

gh repo list ORG --visibility private

have identical responses, i.e., all the private repos are missing.

I believe SSO is a red herring.

Edit: FWIW, the same request as shown by GH_DEBUG=api used in the GraphQL Explorer is successful, so this is specific to the GitHub CLI for me.

[austospumanto]

Edit: FWIW, the same request as shown by GH_DEBUG=api used in the GraphQL Explorer is successful, so this is specific to the GitHub CLI for me.

@bewuethr Is the GraphQL Explorer using the same token that your GitHub CLI uses? I think you can print out the token that your GitHub CLI uses with gh auth token.

[bewuethr]

@bewuethr Is the GraphQL Explorer using the same token that your GitHub CLI uses? I think you can print out the token that your GitHub CLI uses with gh auth token.

I don't think so, the explorer registers itself as an OAuth app with my GitHub account. I could try and make the identical API call using curl and the same token as the CLI uses, though.

[StevenJL]

I am also reporting that I have this problem as well.

[austospumanto]

I don't think so, the explorer registers itself as an OAuth app with my GitHub account.

Yeah that seems to be the case - it registered itself as an OAuth app with my GitHub account as well when I was setting it up. Can confirm that the same query worked for me as well on the Explorer.

I could try and make the identical API call using curl and the same token as the CLI uses, though.

I'd be interested to see the result of this.

[beahues]

@bewuethr

gh repo list ORG --visibility internal

and

gh repo list ORG --visibility private

have identical responses, i.e., all the private repos are missing.

This is a different bug of #5942 🤣, I was just saying it worked on one type for me but not the other.

[BryantUng-at]

I'm seeing this problem too!

[dannyskoog]

Same here. Started having this problem out of the blue just now

[beahues]

Just started working for me again! How strange.

[weirdan]

https://www.githubstatus.com/incidents/psdymfgt6p7q

[samcoe]

Thanks everyone for writing in! As @weirdan pointed out there was a platform problem that was causing this issue. The platform issue should be resolved now but I will leave this issue open for a little while longer so that it is easily discoverable for people who are still encountering it while the fix propagates through the GitHub servers.