Open johnwesonga opened 1 year ago
Looks like fine-grained PATs are now supported by the GraphQL API. I'll have to run a little experiment to see whether the error surfaced in the UI is just passed through from the GQL API or whether we perform up-front validation (seems unlikely to me).
My guess would be that this is automatically resolved now due to the API changes, but I'll validate this first.
https://github.com/sourcegraph/accounts/issues/8366 See these threads from the Slack support channel on 3/6/23 (https://sourcegraph.slack.com/archives/C03P5NYGF2T/p1678121969118649, https://sourcegraph.slack.com/archives/C03P5NYGF2T/p1678127205995309):
We have a (surmountable!) blocker with using Batch Changes:
We use SSH Certificate Authentication with GitHub. Engineers don't generate and upload SSH keys. Instead keys are generated (and signed) just-in-time for them by a service that, then, has close to realtime control over access. Our GitHub org trusts the CA that signs the certs instead of the uploaded key material.
As a result, if a user tries to clone a repo with a Classic PAT, they get this error:
$ git clone https://x-access-token:$CLASSIC_PAT@github.com/squareup/REPO.git
remote: This repository requires SSH certificate authentication. Contact the owner to receive a certificate.
So when users follow your instructions to create a PAT and add it to the Code host tokens under Batch Changes settings, they get this error when trying to publish a changeset:
$ git -c credential.helper= -c protocol.version=2 push --force https://@github.com/squareup/appseceng-test-cash-toolbox 648f69cef393a917f157570638dacaa0a096b5ef:refs/heads/lsc/20230303-owner-owl-cleanup
remote: This repository requires SSH certificate authentication. Contact the owner to receive a certificate.
fatal: unable to access 'https://github.com/squareup/appseceng-test-cash-toolbox/': The requested URL returned error: 403
There are (at least) two kinds of tokens that we can use to clone repos over HTTP instead of SSH:
- Fine-grained PATs (PATv2)
- Installation access tokens for GitHub Apps (IAT)
However, the Code host tokens UI rejects a PATv2 value with this error:
request to http://github-proxy/graphql returned status 401: Personal access tokens with fine grained access do not support the GraphQL API
That leaves us with IATs which, unfortunately, have a maximum shelf life of 1 hour.
Do you have a recommendation in this scenario?
The personal Code host tokens UI rejected a PATv2 but the site-wide Code hosts UI accepted one. Its "Test connection" feature doesn't use the graphql endpoint to test the connection. Meanwhile, the command that's failing — git push — would work just fine with a PATv2. Is the personal Code host tokens UI too narrowly constrained? Could a PATv2 work for the ability to manipulate changesets?