r-hub / rhub

R-hub API client
https://r-hub.github.io/rhub/

Github PAT does not have the right scopes, but unclear what they should be #601

Open HughParsonage opened 7 months ago

HughParsonage commented 7 months ago

I have run rhub::rhub_doctor() and receive the following error:

✖ Does your GitHub PAT have the right scopes?

The answer to this question is "I don't know". Can the error message specify the scopes that are required?

gaborcsardi commented 7 months ago

Can you please show the full output?

HughParsonage commented 7 months ago

✔ Found R package at C:/Users/hughp/Documents/grattanInflators.
✔ Found git repository at C:/Users/hughp/Documents/grattanInflators.
✔ Found GitHub PAT.
✔ Found repository on GitHub at <https://github.com/HughParsonage/grattanInflators>.
✖ Does your GitHub PAT have the right scopes?
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
Type .Last.error to see the more details.

gaborcsardi commented 7 months ago

The problem is not with the scopes. rhub::rhub_doctor() was trying to check if the scopes are OK, but it completely failed to use the token to authenticate:

Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.

HughParsonage commented 7 months ago

If I understand correctly, this is an esoteric error not related to the rhub package. If not, happy to assist with further debugging; otherwise, feel free to close.

Would the solution in any case be to generate another PAT?

gaborcsardi commented 7 months ago

Correct. You can try to see what's wrong with your current one; try calling:

gh::gh_whoami()
gh::gh_whoami(.token = "...")

(Put the pat in place of ... if gh does not find it automatically.)

If the second works but the first does not, then your PAT is ok, we just can't find it. Try setting it in gitcreds::gitcreds_set(). Or, if you are on Linux or setting does not work, then set it in the GITHUB_PAT env var.

HughParsonage commented 7 months ago

Thank you. I confirm the first gh_whoami() failed with an error. Resetting the credentials allowed rhub functions to work.

gaborcsardi commented 7 months ago

I'll keep this issue open, to improve the output of rhub_doctor() for the next release.

sjentsch commented 6 months ago

I have the same error but the solution above (https://github.com/r-hub/rhub/issues/601#issuecomment-2071882458) doesn't work for me (gh::gh_whoami() runs without an error). Any other ideas?

The output from rhub_doctor() is:

✔ Found R package at /home/sjentsch/Documents/Computer/jamovi/R-packages/jmvReadWrite.
✔ Found git repository at /home/sjentsch/Documents/Computer/jamovi/R-packages/jmvReadWrite.
✔ Found GitHub PAT.
✔ Found repository on GitHub at <git@github.com:sjentsch/jmvReadWrite.git>.
✖ Does your GitHub PAT have the right scopes?
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
Type .Last.error to see the more details.
> .Last.error
<rlib_error_3_1/rlib_error/error>
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
---
Backtrace:
1. rhub::rhub_doctor()
2. rhub:::doctor_check_pat_scopes(resp$gql)
3. rhub:::throw(pkg_error(call. = FALSE, "Could not use the PAT to authenticate to GitHub", …

gaborcsardi commented 6 months ago

What's the output of gh::gh_whoami() and gh::gh_rate_limits() right after the error? (Omit the line that has parts of the PAT!)

sjentsch commented 6 months ago

> gh::gh_whoami()
{
  "name": "Sebastian Jentschke",
  "login": "sjentsch",
  "html_url": "https://github.com/sjentsch",
} 
> gh::gh_rate_limits()
                          type limit used remaining               reset
1                         core  5000    9      4991 2024-05-22 20:06:49
2                       search    30    0        30 2024-05-22 19:40:56
3                      graphql  5000    3      4997 2024-05-22 20:17:47
4         integration_manifest  5000    0      5000 2024-05-22 20:39:56
5                source_import   100    0       100 2024-05-22 19:40:56
6         code_scanning_upload  1000    0      1000 2024-05-22 20:39:56
7  actions_runner_registration 10000    0     10000 2024-05-22 20:39:56
8                         scim 15000    0     15000 2024-05-22 20:39:56
9         dependency_snapshots   100    0       100 2024-05-22 19:40:56
10                   audit_log  1750    0      1750 2024-05-22 20:39:56
11                 code_search    10    0        10 2024-05-22 19:40:56
   mins_left
1       26.9
2        1.0
3       37.8
4       60.0
5        1.0
6       60.0
7       60.0
8       60.0
9        1.0
10      60.0
11       1.0

Thanks for your help!

gaborcsardi commented 6 months ago

✔ Found repository on GitHub at <git@github.com:sjentsch/jmvReadWrite.git>.

Sorry, only HTTPS git remotes work currently.

sjentsch commented 6 months ago

No, this isn't the problem, unfortunately. I get the same error message when I change the remote to https.

> rhub::rhub_doctor()
✔ Found R package at /home/sjentsch/Documents/Computer/jamovi/R-packages/jmvReadWrite.
✔ Found git repository at /home/sjentsch/Documents/Computer/jamovi/R-packages/jmvReadWrite.
✔ Found GitHub PAT.
✔ Found repository on GitHub at <https://github.com/sjentsch/jmvReadWrite.git>.
✖ Does your GitHub PAT have the right scopes?
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
Type .Last.error to see the more details.
> .Last.error
<rlib_error_3_1/rlib_error/error>
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
---
Backtrace:
1. rhub::rhub_doctor()
2. rhub:::doctor_check_pat_scopes(resp$gql)
3. rhub:::throw(pkg_error(call. = FALSE, "Could not use the PAT to authenticate to GitHub", …

gaborcsardi commented 6 months ago

What do you get for this?

gitcreds::gitcreds_get("https://github.com/sjentsch/jmvReadWrite.git")

If you look at

gitcreds::gitcreds_get("https://github.com/sjentsch/jmvReadWrite.git")$password

do you see the correct token? E.g. does

gh::gh_whoami(
  .token = gitcreds::gitcreds_get("https://github.com/sjentsch/jmvReadWrite.git")$password
)

work correctly?

sjentsch commented 6 months ago

They all seem to work, except that the first command returns NAs for protocol, host and username. I won't post the output from the second command (and removed the token line from the third), but I ensured that the second command shows the correct PAT.

> gitcreds::gitcreds_get("https://github.com/sjentsch")
<gitcreds>
  protocol: NA
  host    : NA
  username: NA
  password: <-- hidden -->
> gh::gh_whoami(                                       
  .token = gitcreds::gitcreds_get("https://github.com/sjentsch/jmvReadWrite.git")$password
)
{
  "name": "Sebastian Jentschke",
  "login": "sjentsch",
  "html_url": "https://github.com/sjentsch",
}

gaborcsardi commented 6 months ago

What's the output of this from the command line, in the directory of the package?

git remote -v

sjentsch commented 6 months ago

origin  https://github.com/sjentsch/jmvReadWrite.git (fetch)
origin  git@github.com:sjentsch/jmvReadWrite.git (push)

I had also tried setting both fetch and push to https, but that didn't work either and git push is more convenient via ssh.

sjentsch commented 6 months ago

It appears as if the resp (obtained from synchronize in rhub_doctor) does contain gql -> headers, but that headers doesn't contain x-oauth-scopes. Any idea why?

gaborcsardi commented 6 months ago

IDK, but that might be enough for me to fix this.

I guess you are on Linux, that's why ssh is more convenient?

sjentsch commented 6 months ago

Yes, I am on Linux.

Strangely enough, if I use curl -sS -f -I -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com with the same token, I get x-oauth-scopes: repo

Would it help if I send you the resp variable that I got back? Preferably on a more secure channel than here.

gaborcsardi commented 6 months ago

Do you have a proxy that might alter the headers?

Yes, if you think that the response headers could be informative, please send them via email. I don't think they actually contain any sensitive information.

bradleyjeck commented 6 months ago

Hi Gabor - thanks a lot for rhub, it makes a huge difference for package development! Especially tracking down compilation errors on the different flavors.

I was also having trouble with PAT scopes. It didn't work with a new fine-grained token, but rhub_doctor() worked with the classic personal access token.

gaborcsardi commented 6 months ago

Yes, unfortunately it seems that there is no way to query the scopes of a fine-grained token, so we'll need to drop that check for fine grained tokens. rhub_check() should still work fine, though, assuming you have the right scopes.

MatthieuStigler commented 2 months ago

I had the same problem with a fine-grained token, switching to a classic token fixed it.

On the other side, I am unclear on which scopes to choose for the classic token, is it detailed somewhere in the documentation which scopes should be granted?

Thanks!

gaborcsardi commented 2 months ago

Seems like only "repo" is needed: https://github.com/r-hub/rhub/blob/f4c7367e38ad88f12bb8f3be154964dbe288d3f4/R/doctor.R#L165-L174
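
The distinction this thread arrives at, as an added example (not rhub's or gh's code, and not posted by anyone in the thread): a rejected token and a valid token whose scopes are not reported are different outcomes. The script classifies saved GitHub API response headers, such as those from the curl call quoted earlier; the function name, the result labels and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a GitHub API response by its status line and headers.
# Reads raw response headers on stdin; $1 is the required scope (default: repo).
# Live use (drop curl's -f so a 401 response still prints its headers):
#   curl -sS -I -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com \
#     | classify_pat_response repo
classify_pat_response() {
  tr -d '\r' | awk -v need="${1:-repo}" '
    /^HTTP\// { status = $2; seen = 0; ok = 0; next }   # new response: reset state
    {
      i = index($0, ":")
      if (i == 0) next
      # Header names are case-insensitive (HTTP/2 sends them in lower case).
      if (tolower(substr($0, 1, i - 1)) != "x-oauth-scopes") next
      seen = 1
      value = substr($0, i + 1)
      gsub(/[ \t]/, "", value)
      n = split(value, parts, ",")
      for (k = 1; k <= n; k++) if (parts[k] == need) ok = 1
    }
    END {
      if (status == "")         print "no-response"
      else if (status == "401") print "auth-failed"     # token rejected outright
      else if (status !~ /^2/)  print "http-error"
      else if (!seen)           print "scopes-unknown"  # token accepted, scopes not reported
      else if (ok)              print "scope-ok"
      else                      print "scope-missing"
    }'
}

# Constructed sample responses (not captured from a real account).
sample_classic='HTTP/2 200
x-oauth-scopes: repo, workflow'
sample_fine_grained='HTTP/2 200
content-type: application/json'
sample_rejected='HTTP/2 401
content-type: application/json'

for s in "$sample_classic" "$sample_fine_grained" "$sample_rejected"; do
  printf '%s\n' "$s" | classify_pat_response repo
done
```

A "scopes-unknown" result covers both cases raised in the thread: a fine-grained token, for which the header is not sent, and an intermediary that strips headers.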

MatthieuStigler commented 2 months ago

great, thanks! I had added the workflow scope, I had assumed it would be necessary?

Maybe it would be worth amending the documentation in https://blog.r-hub.io/2024/04/11/rhub2/#requirements along with (suggested changes in bold):

Third, you need a GitHub Personal Access Token (PAT) with the repo scopes and you need to store it in the git credential store on your machine. Classic tokens should be used as fine-grained tokens currently do not work.

gaborcsardi commented 2 months ago

Maybe it would be worth amending the documentation

Sure, a PR is most welcome! (But no pressure, really! :D)