sync should check if it has repo permissions first.

[jamielennox]

We run actions-sync with a service account, the account has permissions on the main actions repo but we also use it for syncing actions for teams.

What we tried to do is have someone on the team create the empty repo in the desired org, provide the service account write access to the repo and then run sync. However this fails with messages like:

error creating github repository `XXX/YYY`: error creating repository XXX/YYY: POST https://org/api/v3/orgs/XXX/repos: 403 You need admin access to the organization before adding a repository to it. []
##[error]Process completed with exit code 1.

Because the logic is trying to use that token to query if the repo exists via the github api, which it doesn't have permissions to do.

To reduce the permissions needed here the first check should really be direct to the repo to see if we can simply use it rather than have to check and create it.

[ajaykn]

Thanks @jamielennox Yeah currently tool tries to create the repo and if it exists then we fetch it. I agree, we need to first fetch the repo and if it not exists then try creating it.

https://github.com/actions/actions-sync/blob/main/src/push.go#L149-L154

        ghRepo, resp, err := client.Repositories.Create(ctx, createRepoOrgName, repo)
	if err == nil {
		fmt.Printf("Created repo `%s/%s`\n", ownerName, repoName)
	} else if resp != nil && resp.StatusCode == 422 {
		ghRepo, _, err = client.Repositories.Get(ctx, ownerName, repoName)
	}

We have added this to our backlog and will prioritize it accordingly.

[github-actions[bot]]

This issue is stale because it has been open for 30 days with no activity.