GitHub token permissions should be checked prior to packaging #154
Comments
Personally, I think it should spit out a warning, but then just skip GitHub, and still upload to whatever else it's going to upload to.
My concern with it just being a warning would be that people likely aren't routinely checking their workflow outputs - so in effect it'll just have silently failed to upload to GitHub until the point they find out that the last
It's likely only going to affect new projects, in which case you should check your workflow. What if I don't want my token to have write access?
The answer I would have given to that would be the same advice I'd give to someone who didn't want to upload to any other platform - simply don't provide the token. Unfortunately there's a sole usage of
The github token is for publishing a release, for what reason would you add the token to the packager environment if it was read-only?
It is used to print the "previous releases" github link, I suppose I could just check the remotes instead of being lazy, so not much of an issue there. (would also "fix" a use case for a r/o token)
Being the last task the script does, checking then erroring would still effectively do this. So the error would basically be switching from "Resource not available to integration" to something custom
Given the recent confusion in both #152 and #153, it feels like it would be sensible for the packager to check if the supplied `GITHUB_OAUTH` token (if present) actually has the necessary permissions to publish a release to the repository before packaging - if it doesn't, then it can spit out a reasonably clear error about what needs to be done to fix it.

Currently if the token lacks permissions you'll get a "Resource not available to integration" error at the point where the package is submitted for publishing - which occurs after it's already been published elsewhere - so fixing the issue after it's occurred is a bit annoying.
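
One way to implement the preflight check proposed in this issue, as an added example that is not the packager's own code. The function names and the `GITHUB_REPO` variable ("owner/name") are hypothetical, and it assumes the `GET /repos/{owner}/{repo}` response carries a `permissions.push` field for the token type in use.

```bash
#!/usr/bin/env bash
# Added example, not the packager's code. Hypothetical names:
# preflight_verdict, check_github_token, GITHUB_REPO ("owner/name").

# Map the HTTP status and permissions.push value of
# GET /repos/{owner}/{repo} to a verdict. Pure function, no network access.
preflight_verdict() {
  local status=$1 push=$2
  case "$status" in
    200)
      case "$push" in
        true)  echo "ok" ;;
        false) echo "read-only" ;;
        *)     echo "unknown" ;;  # field missing: write access not proven
      esac ;;
    401)     echo "bad-token" ;;
    403|404) echo "no-access" ;;
    *)       echo "unknown" ;;
  esac
}

# Run once, before anything is built or uploaded. Requires curl and jq.
# Assumption: the response exposes permissions.push for this token type.
check_github_token() {
  [ -n "$GITHUB_OAUTH" ] || return 0  # no token supplied: nothing to check
  local resp status push
  resp=$(curl -sS -w '\n%{http_code}' \
    -H "Authorization: token $GITHUB_OAUTH" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/repos/$GITHUB_REPO") || return 1
  status=$(printf '%s\n' "$resp" | tail -n 1)
  # Prints true, false or null; stays empty if the body is not JSON.
  push=$(printf '%s\n' "$resp" | sed '$d' | jq -r '.permissions.push' 2>/dev/null)
  case "$(preflight_verdict "$status" "$push")" in
    ok) return 0 ;;
    read-only) echo "GITHUB_OAUTH cannot write to $GITHUB_REPO: grant write access or remove the token." >&2 ;;
    bad-token) echo "GITHUB_OAUTH was rejected by GitHub (HTTP 401)." >&2 ;;
    no-access) echo "GITHUB_OAUTH cannot access $GITHUB_REPO (HTTP $status)." >&2 ;;
    *) echo "Could not determine GITHUB_OAUTH permissions (HTTP $status)." >&2 ;;
  esac
  return 1
}
```

Calling `check_github_token || exit 1` ahead of the first upload makes a read-only token fail the run before anything has been published elsewhere.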