
author-in-team 404ing despite being a member of the team

Open himynameisdave opened this issue 1 year ago • 8 comments

The author-in-team doesn't quite work how I'd expect it to. Despite the author being a member of the given team, I am noticing in the logs that it is 404ing on the team membership API check...

2024/11/21 22:29:06 [Author can merge] skip, author-can-merge doesn't have a valid value in config
2024/11/21 22:29:06 [Author is member of team] skip, GET https://api.github.com/orgs/{REPO_ORG}/teams/{MY_TEAM}/memberships/himynameisdave: 404 Not Found []

I am for sure on this team, but I'm wondering if maybe we have something misconfigured?

himynameisdave • Nov 22 '24 19:11

Same issue here. If I open the API URL in a browser, I get:

{
  "message": "Requires authentication",
  "documentation_url": "https://docs.github.com/rest/teams/members#get-team-membership-for-a-user",
  "status": "401"
}

If I try it using the gh api command line to make an authenticated API request, I get the response that I expect:

{
  "state": "active",
  "role": "member",
  "url": "https://api.github.com/organizations/{org_id}/team/{team_id}/memberships/{username}"
}

It seems something is still wrong with the API request that labeler is making.

swrobel • Nov 25 '24 23:11

Thanks! I'll try to take a look into this ASAP

srvaroa • Nov 27 '24 12:11

@srvaroa checking in to see if you've had any luck with this one

swrobel • Jan 22 '25 02:01

Thanks @swrobel & @himynameisdave. I've been testing the action locally and it does look like it works, at least for the org/team I have access to.

I am suspicious of the org/team that are being passed on to the url OR that repo_org and team are not actually the same.

Can you confirm that repo_org and my_team are both the right names that you expect, and that my_team's org is the same as repo_org?

2024/11/21 22:29:06 [Author is member of team] skip, GET https://api.github.com/orgs/{REPO_ORG}/teams/{MY_TEAM}/memberships/himynameisdave: 404 Not Found []

I can add some extra logs to see if we can spot what's messing things up

Thanks!

srvaroa • Jan 23 '25 19:01

We also see this issue and I can confirm that the URL that is debugged looks correct, and I also get a success message when accessing that endpoint over gh api:

{
  "state": "active",
  "role": "member",
  "url": "https://api.github.com/organizations/612628/team/9839939/memberships/keulinho"
}

Maybe it's a permission thing that the API returns 404 from within the action?

keulinho • Jan 28 '25 16:01

From the docs: https://docs.github.com/de/rest/teams/members?apiVersion=2022-11-28#get-team-membership-for-a-user

I see:

To get a user's membership with a team, the team must be visible to the authenticated user.

Maybe that is the issue? Because the team is not visible to the GH action user 🤔

keulinho • Jan 28 '25 16:01

Looks like the automatic action token has no access to org-level information, and it cannot easily be changed (I tested permissions: read-all, same result).

The only "workaround" could be to create a custom token and use that instead of the automatic action token, see https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#granting-additional-permissions

keulinho • Jan 28 '25 16:01

Thanks @keulinho, this makes sense. I tested locally with a personal access token, which does have permissions to org-level data.

@swrobel @himynameisdave unless you have a better suggestion I'll fix via documentation and close?

srvaroa • Jan 29 '25 09:01
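
A preflight check that separates the two meanings of the 404 discussed in this thread, as an added example that is not labeler's code: it looks up the team before the membership, on the assumption that a team the token cannot see is not returned by the team lookup either. The fake server, the tokens `pat` and `workflow-token`, and the names `acme`, `core`, `alice` and `mallory` are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// status sends an authenticated GET and returns the HTTP status (0 if the request fails).
func status(base, token, path string) int {
	req, err := http.NewRequest("GET", base+path, nil)
	if err != nil {
		return 0
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Diagnose probes the team before the membership, so a 404 is not read as "not a member".
func Diagnose(base, token, org, team, user string) string {
	teamPath := "/orgs/" + org + "/teams/" + team
	if status(base, token, teamPath) != 200 {
		return "team-not-visible" // assumption: a team hidden from the token is not returned
	}
	if status(base, token, teamPath+"/memberships/"+user) == 200 {
		return "membership-found" // the body's "state" may still be "pending"; not parsed here
	}
	return "no-membership" // fail closed: any non-200 on a visible team
}

// FakeAPI is a constructed stand-in for api.github.com: only token "pat" can see teams.
func FakeAPI() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer pat" || r.URL.Path == "/orgs/acme/teams/core/memberships/mallory" {
			http.NotFound(w, r) // otherwise the handler returns an implicit 200
		}
	}))
}

func main() {
	srv := FakeAPI()
	defer srv.Close()
	fmt.Println(Diagnose(srv.URL, "workflow-token", "acme", "core", "alice"), Diagnose(srv.URL, "pat", "acme", "core", "alice"))
}
```

Pointing `base` at `https://api.github.com` with the token the workflow actually uses shows which of the two cases a given run is hitting.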