Closed mmaraya closed 1 year ago
I'm unable to replicate.
wget https://github.com/ossf/scorecard/releases/download/v4.10.2/scorecard_4.10.2_linux_amd64.tar.gz
tar xzfv scorecard_4.10.2_linux_amd64.tar.gz
./scorecard-linux-amd64 --repo=ossf-tests/scorecard-check-branch-protection-e2e --format=json
401 Bad credentials
Are you sure that the GITHUB_AUTH_TOKEN you're using hasn't expired or been revoked?
Hi Spencer! Thanks for the quick response! I created two new PATs yesterday (one classic, the other fine-grained) and confirmed that they are still active just now. Both show as never being used. I couldn't get either PAT to work.
I suspect the problem was caused by using a GH account that did not have a verified email address (I wasn't comfortable creating a classic PAT against my main GH account). And the PAT has to be classic, not fine-grained. Everything's working again. Thanks for confirming that the issue was on my end. 💯
Update: it turns out that I did have a verified email address so that wasn't the problem. Apparently, GitHub returns a "Bad credentials" error if the PAT is not associated with the email address in ~/.gitconfig. If you have multiple GitHub identities, you can get around this by adding an [includeIf "gitdir:~/<some other directory>"] directive at the end of ~/.gitconfig and having a new .gitconfig in that folder with the GitHub identity that is associated with your PAT.
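The includeIf arrangement described in the update above, shown as an added example that is not part of the original thread. It runs in a scratch HOME so the real ~/.gitconfig is untouched; the names, e-mail addresses and the ~/work directory are constructed.

```shell
#!/usr/bin/env bash
# Added example: per-directory Git identity selected with includeIf.
# All identities and directory names below are constructed.

setup_identities() {
  # Work in a throwaway HOME and ignore system/XDG-level Git config.
  SANDBOX="$(mktemp -d)"
  export HOME="$SANDBOX/home"
  export GIT_CONFIG_NOSYSTEM=1
  unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL
  mkdir -p "$HOME/work" "$HOME/personal"

  # Default identity first; the conditional include goes LAST so the
  # values it pulls in override the defaults above it.
  # The trailing slash in "gitdir:~/work/" matters: Git then matches every
  # repository below ~/work/ rather than a git directory with that exact path.
  cat > "$HOME/.gitconfig" <<'EOF'
[user]
    name = Main Identity
    email = main@example.com
[includeIf "gitdir:~/work/"]
    path = ~/work/.gitconfig
EOF

  # Identity applied only to repositories under ~/work/.
  cat > "$HOME/work/.gitconfig" <<'EOF'
[user]
    name = Work Identity
    email = work@example.com
EOF

  # includeIf "gitdir:" is evaluated per repository, so create two.
  git init -q "$HOME/work/repo"
  git init -q "$HOME/personal/repo"
}

# Print the e-mail address Git resolves for the repository at $1.
effective_email() {
  git -C "$1" config user.email
}

setup_identities
echo "work repo:     $(effective_email "$HOME/work/repo")"
echo "personal repo: $(effective_email "$HOME/personal/repo")"
```

`git config --show-origin user.email`, run inside a repository, reports which file supplied the value.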
Describe the bug
Starting sometime after 2022-12-09, the command-line version of the Scorecard client returns this error message when running against any public GitHub repository:
I have exported a valid classic personal access token via $GITHUB_AUTH_TOKEN.
Reproduction steps
Steps to reproduce the behavior:
$GITHUB_AUTH_TOKEN has a valid value
./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e
Expected behavior
Prior to 2022-12-09, the scorecard CLI would execute correctly against any public GitHub repo (and without $GITHUB_AUTH_TOKEN)
Additional context
Add any other context about the problem here.