packager icon indicating copy to clipboard operation
packager copied to clipboard

Published 20 hours ago verified publisher icon BigWigsMods

GitHub token permissions should be checked prior to packaging

Open Meorawr opened this issue 1 year ago • 5 comments

Given the recent confusion in both #152 and #153, it feels like it would be sensible for the packager to check if the supplied GITHUB_OAUTH token (if present) actually has the necessary permissions to publish a release to the repository before packaging - if it doesn't, then it can spit out a reasonably clear error about what needs to be done to fix it.

Currently if the token lacks permissions you'll get an "Resource not available to integration" error at the point where the package is submitted for publishing - which occurs after it's already been published elsewhere - so fixing the issue after it's occurred is a bit annoying.

Meorawr avatar Feb 26 '23 16:02 Meorawr

Personally, I think it should spit out a warning, but then just skip GitHub, and still upload to whatever else its going to upload to.

Nevcairiel avatar Feb 27 '23 15:02 Nevcairiel

My concern with it just being a warning would be that people likely aren't routinely checking their workflow outputs - so in effect it'll just have silently failed to upload to GitHub until the point they find out that the last n tags weren't published as releases.

Meorawr avatar Feb 27 '23 15:02 Meorawr

Its likely only going to affect new projects, in which case you should check your workflow. What if I don't want my token to have write access?

Nevcairiel avatar Feb 27 '23 18:02 Nevcairiel

The answer I would have given to that would be the same advice I'd give to someone who didn't want to upload to any other platform - simply don't provide the token.

Unfortunately there's a sole usage of $github_token in changelog generation for... something, so that would probably need thinking about.

Meorawr avatar Feb 27 '23 18:02 Meorawr

Its likely only going to affect new projects, in which case you should check your workflow. What if I don't want my token to have write access?

The github token is for publishing a release, for what reason would you add the token to the packager environment if it was read-only?

Unfortunately there's a sole usage of $github_token in changelog generation for... something, so that would probably need thinking about.

It is used to print the "previous releases" github link, I suppose I could just check the remotes instead of being lazy, so not much of an issue there. (would also "fix" a use case for a r/o token)

Personally, I think it should spit out a warning, but then just skip GitHub, and still upload to whatever else its going to upload to.

Being the last task the script does, checking then erroring would still effectively do this. So the error would basically be switching from "Resource not available to integration" to something custom

nebularg avatar Feb 27 '23 23:02 nebularg