mszostok / codeowners-validator

The GitHub CODEOWNERS file validator
Apache License 2.0

Document which scopes are needed for owners verification #58

Open ZacSweers opened 3 years ago

ZacSweers commented 3 years ago

Description

Consider documenting which scopes are needed for the GitHub action to validate owner teams. This may actually also be a bug report for the action.

Reasons

It's not currently documented and it's not clear to me which ones should be selected.

In fact, the URL it's trying doesn't appear correct to me 🤔

https://api.github.com/repos/<org>/<repo>/teams?per_page=100

Shouldn't this use the org/teams endpoint? https://docs.github.com/en/free-pro-team@latest/rest/reference/teams#list-teams

https://api.github.com/orgs/<org>/teams

mszostok commented 3 years ago

Hi @ZacSweers

The GitHub token was already described some time ago here: https://github.com/mszostok/codeowners-validator/blob/master/docs/gh-token.md

Regarding the endpoint problem that you mentioned: I'm using the endpoint under the repos URL as I need to know that a given team is assigned to the proper repos. I'm not interested in all teams, and using https://api.github.com/orgs/<org>/teams requires calling another endpoint to check the assigned repos, and that increases the number of calls against GitHub, which I want to keep minimal.

ZacSweers commented 3 years ago

Hmm, when I tried this we always get back an empty list. Let me see if I can debug with some manual querying on the API to repro

dkuebric commented 3 years ago

From some experimentation, even with the permissions specified in the doc above, it looks like the user with the token either needs to be an organization owner or have admin access to the repo in question.

I'm not sure how to verify the exact scopes required for this operation in the GH docs (e.g. can't find this documented).

Does this sound right to you @mszostok? It doesn't seem like it should require admin access to list the teams for a repo, so I may be missing something.

photonbit commented 3 years ago

I had the same issue. I can't list teams in the repo, and the tests for this seem to be failing with the same 404 error. After consulting the API documentation, it seems like there is no error, but it is not working for public repositories either. After making this change, it is working for the private repo case I am working on: https://github.com/photonbit/codeowners-validator/commit/f145b6563e0e71f503213dbf5fab2318350ec8f9
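
The following Go example is added here; it is not part of the thread and not code from codeowners-validator. It interprets a response from the `repos/<org>/<repo>/teams` endpoint discussed above and treats the 404 and empty-list results reported in the thread as inconclusive rather than as proof that a CODEOWNERS team is unassigned. The function name `checkTeams`, the org `acme` and the sample response are constructed; `slug` is the team identifier field in GitHub's team objects.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// checkTeams returns the CODEOWNERS team owners ("@org/team") that are not in the repo's
// team list. Users, e-mails and other orgs' teams are skipped. Hypothetical helper.
func checkTeams(status int, body []byte, org string, owners []string) ([]string, error) {
	if status == http.StatusNotFound {
		return nil, fmt.Errorf("404: token cannot read repo teams; check scopes and the user's repo/org role")
	}
	if status != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", status)
	}
	var teams []struct {
		Slug string `json:"slug"`
	}
	if err := json.Unmarshal(body, &teams); err != nil {
		return nil, fmt.Errorf("decode teams: %w", err)
	}
	if len(teams) == 0 {
		// The thread reports an empty list for some tokens, so this is inconclusive.
		return nil, fmt.Errorf("empty team list: inconclusive, verify token access first")
	}
	prefix := "@" + strings.ToLower(org) + "/"
	assigned := make(map[string]bool, len(teams))
	for _, t := range teams {
		assigned[strings.ToLower(t.Slug)] = true
	}
	var missing []string
	for _, o := range owners {
		lo := strings.ToLower(o)
		if strings.HasPrefix(lo, prefix) && !assigned[strings.TrimPrefix(lo, prefix)] {
			missing = append(missing, o)
		}
	}
	return missing, nil
}

func main() {
	body := []byte(`[{"slug":"backend"},{"slug":"docs"}]`) // constructed sample response
	missing, err := checkTeams(200, body, "acme", []string{"@acme/backend", "@acme/security", "@alice"})
	fmt.Println(missing, err)
}
```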