Differentiate between an error in the owner/repo vs an error in the token with gh auth login --with-token

[topherbuckley]

Hello,

I'm trying to create an error for users of a project of mine that depends on the user having the $GITHUB_TOKEN env var set. If they do not have this set, the only error I get out from gh auth is:

GraphQL: Could not resolve to a Repository with the name <owner>/<repo>. (repository)

which is very misleading as the repo exists, I just intentionally removed some permissions from a token, or unset the token as a test for this. I thought I saw somewhere that if you use the API directly there are specific errors for this. Is that the case, and if so, how to replace gh auth login --with-token with such an API call? Otherwise, how can I differentiate between an error in the owner/repo vs an error in the token?

[williammartin]

Hi @topherbuckley, I don't fully understand your comment relating to gh auth. I don't think there's any auth command that tries to look up a repo. I suspect what you mean is that you're using some other command that tries to hit a repository? Which command would that be?

With regards the error:

GraphQL: Could not resolve to a Repository with the name <owner>/<repo>. (repository)

I understand that this might be misleading but if I understand your problem correctly, there's intentionality behind it. If a repository is not public, GitHub won't leak information about it's existence, as that in itself is not public information. There shouldn't be a way to distinguish "the repo doesn't exist" and "my token doesn't have permissions to see the repo". Cheers.

[williammartin]

Though I wonder if there's some hint we could take from the oauth scopes in some cases so even if we can't say "that repo exists but you don't have permission" we might be able to say "your token doesn't have the necessary scopes to access any repo, maybe you should check that". Even if that were possible, it wouldn't cover all your cases though.

[williammartin]

I thought I saw somewhere that if you use the API directly there are specific errors for this.

And I'm not sure exactly what you mean by this, sorry.

[topherbuckley]

@williammartin thank you for your speedy and informative replies.

I don't think there's any auth command that tries to look up a repo. I suspect what you mean is that you're using some other command that tries to hit a repository? Which command would that be?

My appologies, I should have included the actual commands for clarity. Here is the sequence of commands used:

$GITHUB_TOKEN | gh auth login --with-token
gh release download 0.1.1 -p <some-file> -R <owner>/<repo> -D <some-dir> --skip-existing

Actually with the 2nd command (not gh auth) I get the error:

GraphQL: Could not resolve to a Repository with the name /. (repository)

Sorry, that was misleading on my question.

I understand that this might be misleading but if I understand your problem correctly, there's intentionality behind it. If a repository is not public, GitHub won't leak information about it's existence, as that in itself is not public information. There shouldn't be a way to distinguish "the repo doesn't exist" and "my token doesn't have permissions to see the repo". Cheers.

I see! I had not thought of that.

we might be able to say "your token doesn't have the necessary scopes to access any repo, maybe you should check that".

Yes, I think that would work as I know the required scopes for this use case. Is there a way to check which scopes are permitted by a given token using gh? I currently have a check on if a GITHUB_TOKEN env var exists, and if not, throw an error, but would like to point out the error as accurately as possible so users can resolve it as easily as possible so having a list of missing permissions would be helpful (or at least a boolean to say permissions-sufficient or not) that way I can throw an error pointing out which permissions are needed and the user can check themselves.

[williammartin]

Cheers. With regards your last paragraph, can you share with me the exact permissions that your token has when you see this issue? I can then recreate your situation and do a little exploration on what options are available.

[topherbuckley]

Sure,

Just as an example, a toke with the following permissions would result in that issue:

These permissions would succeed (no issue):