packager
GitHub token permissions should be checked prior to packaging
Given the recent confusion in both #152 and #153, it feels like it would be sensible for the packager to check if the supplied GITHUB_OAUTH token (if present) actually has the necessary permissions to publish a release to the repository before packaging - if it doesn't, then it can spit out a reasonably clear error about what needs to be done to fix it.
Currently, if the token lacks permissions, you'll get a "Resource not available to integration" error at the point where the package is submitted for publishing - which occurs after it's already been published elsewhere - so fixing the issue after it's occurred is a bit annoying.
Personally, I think it should spit out a warning, but then just skip GitHub, and still upload to whatever else it's going to upload to.
My concern with it just being a warning would be that people likely aren't routinely checking their workflow outputs - so in effect it'll just have silently failed to upload to GitHub until the point they find out that the last n tags weren't published as releases.
It's likely only going to affect new projects, in which case you should check your workflow. What if I don't want my token to have write access?
The answer I would have given to that would be the same advice I'd give to someone who didn't want to upload to any other platform - simply don't provide the token.
Unfortunately there's a sole usage of $github_token in changelog generation for... something, so that would probably need thinking about.
It's likely only going to affect new projects, in which case you should check your workflow. What if I don't want my token to have write access?
The github token is for publishing a release, for what reason would you add the token to the packager environment if it was read-only?
Unfortunately there's a sole usage of $github_token in changelog generation for... something, so that would probably need thinking about.
It is used to print the "previous releases" github link, I suppose I could just check the remotes instead of being lazy, so not much of an issue there. (would also "fix" a use case for a r/o token)
Personally, I think it should spit out a warning, but then just skip GitHub, and still upload to whatever else it's going to upload to.
Being the last task the script does, checking then erroring would still effectively do this. So the error would basically be switching from "Resource not available to integration" to something custom
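A sketch of the pre-packaging check proposed in this issue, added here as an example; it is not part of the thread or the packager's own code. It assumes a classic token, for which GitHub returns an `X-OAuth-Scopes` response header, and reports "unknown" when that header is absent; the function names and the `owner/name` argument are hypothetical.

```shell
#!/bin/sh
# Added example, not the packager's code. Function names are hypothetical.

# Classify a token from the response headers of an authenticated API request.
# Prints one of: ok | insufficient | invalid | unknown
classify_token() {
	ct_headers=$(printf '%s\n' "$1" | tr -d '\r')
	# Status line looks like "HTTP/2 200" or "HTTP/1.1 401 Unauthorized".
	ct_status=$(printf '%s\n' "$ct_headers" | awk 'NR == 1 { print $2 }')
	if [ "$ct_status" = "401" ]; then
		echo invalid
	# Header names are case-insensitive. Assumption: only classic tokens send
	# X-OAuth-Scopes, so without it the permissions cannot be judged this way.
	elif ! printf '%s\n' "$ct_headers" | grep -qi '^x-oauth-scopes:'; then
		echo unknown
	else
		ct_scopes=$(printf '%s\n' "$ct_headers" | grep -i '^x-oauth-scopes:' |
			cut -d: -f2- | tr ',' '\n' | sed 's/^ *//; s/ *$//')
		# "repo" covers releases; "public_repo" only for public repositories.
		# Whole-line match, so "repo:status" alone does not count.
		if printf '%s\n' "$ct_scopes" | grep -qxE 'repo|public_repo'; then
			echo ok
		else
			echo insufficient
		fi
	fi
}

# Live check, to be called before anything is uploaded. $1 is "owner/name".
preflight_github_token() {
	[ -n "${GITHUB_OAUTH:-}" ] || return 0 # no token supplied: GitHub is skipped
	pf_headers=$(curl -sS -o /dev/null -D - \
		-H "Authorization: token $GITHUB_OAUTH" \
		"https://api.github.com/repos/$1") || return 2
	pf_verdict=$(classify_token "$pf_headers")
	case $pf_verdict in
		ok) return 0 ;;
		unknown) echo "Warning: cannot determine GITHUB_OAUTH permissions." >&2 ;;
		*)
			echo "Error: GITHUB_OAUTH is $pf_verdict for releases on $1." >&2
			return 1
			;;
	esac
}

# Constructed sample headers (not captured from a real response).
SAMPLE_OK=$(printf 'HTTP/2 200\r\nX-OAuth-Scopes: read:org, repo\r\n')
SAMPLE_READONLY=$(printf 'HTTP/2 200\r\nx-oauth-scopes: read:user\r\n')
```

Calling `preflight_github_token` before the first upload and aborting on a non-zero status gives the early, explicit error; treating that status as "skip GitHub" instead gives the warning behaviour also suggested in the thread.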