Clear up --with-token fine grained PAT usage #10186
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Tip: Turn on automatic Copilot reviews for this repository to get quick feedback on every pull request. Learn more
williammartin
force-pushed
the
wm/clear-up-fine-grained-pats-auth-login
branch
from
ac0d823 to
3695bda
Compare
andyfeller
reviewed
Jan 6, 2025
pkg/cmd/auth/login/login.go
Outdated
Comment on lines
72
to
75
| The minimum required scopes for the token are: %[1]srepo%[1]s, %[1]sread:org%[1]s, and %[1]sgist%[1]s. Although | ||
| it is possible to pass a fine-grained personal access token to %[1]s--with-token%[1]s, it should be done with | ||
| care, as the inherent scoping to certain resources may cause confusing behaviour when interacting with other | ||
| resources. Favour setting %[1]sGH_TOKEN$%[1]s for fine-grained personal access token usage. |
There was a problem hiding this comment.
I appreciate the fine line being walked here:
- FGPAT are supported in the general sense
- Understanding all of the fine-grained permissions and how they relate to the various commands has not been done nor is it documented
That said, are we committing to resolving any bug raised regarding FGPAT behavior given they are still in public preview?
There was a problem hiding this comment.
Minor nit that isn't the end of the world, but simplifying the language a little by warning users upfront in case someone only reads the first part and not the latter:
Suggested change
| The minimum required scopes for the token are: %[1]srepo%[1]s, %[1]sread:org%[1]s, and %[1]sgist%[1]s. Although | |
| it is possible to pass a fine-grained personal access token to %[1]s--with-token%[1]s, it should be done with | |
| care, as the inherent scoping to certain resources may cause confusing behaviour when interacting with other | |
| resources. Favour setting %[1]sGH_TOKEN$%[1]s for fine-grained personal access token usage. | |
| The minimum required scopes for the token are: %[1]srepo%[1]s, %[1]sread:org%[1]s, and %[1]sgist%[1]s. | |
| Take care when passing a fine-grained personal access token to %[1]s--with-token%[1]s | |
| as the inherent scoping to certain resources may cause confusing behaviour when interacting with other | |
| resources. Favour setting %[1]sGH_TOKEN$%[1]s for fine-grained personal access token usage. |
There was a problem hiding this comment.
That said, are we committing to resolving any bug raised regarding FGPAT behavior given they are still in public preview?
I dunno. I think my position is that we will try to support any use of fine-grained tokens that currently works in the API, and we will make some attempts towards making life more pleasant for our users in the cases they don't. In general it feels like "the right thing to do" to help our users user safer options.
It also seems like GitHub the business has tokens in public preview (i.e. more than just the team that owns them) and so we would want to support them as if we owned them.
There was a problem hiding this comment.
In practice it's hard to imagine Fine Grained PATs being walked back in any fundamental way. They have been in public preview for so long, I imagine there is a lot of reliance on them.
Co-authored-by: Andy Feller <andyfeller@github.com>
andyfeller
approved these changes
Jan 6, 2025
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Feb 4, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://github.com/cli/cli) | minor | `v2.65.0` -> `v2.66.1` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.66.1`](https://github.com/cli/cli/releases/tag/v2.66.1): GitHub CLI 2.66.1 [Compare Source](cli/cli@v2.66.0...v2.66.1) #### Hotfix: `gh pr view` fails with provided URL This addresses a regression in `gh pr view` was reported in [#​10352](cli/cli#10352). This regression was due to a change in `v2.66.0` that no longer allowed `gh pr` subcommands to execute properly outside of a git repo. #### What's Changed - Hotfix: `gh pr view` fails with provided URL by [@​jtmcg](https://github.com/jtmcg) in cli/cli#10354 **Full Changelog**: cli/cli@v2.66.0...v2.66.1 ### [`v2.66.0`](https://github.com/cli/cli/releases/tag/v2.66.0): GitHub CLI 2.66.0 [Compare Source](cli/cli@v2.65.0...v2.66.0) #### `gh pr view` and `gh pr status` now respect common triangular workflow configurations Previously, `gh pr view` and `gh pr status` would fail for pull request's (MR) open in triangular workflows. This was due to `gh` being unable to identify the MR's corresponding remote and branch refs on GitHub. Now, `gh pr view` and `gh pr status` should successfully identify the MR's refs when the following common git configurations are used: - [`branch.<branchName>.pushremote`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-branchltnamegtpushRemote) is set - [`remote.pushDefault`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-remotepushDefault) is set Branch specific configuration, the former, supersedes repo specific configuration, the latter. Additionally, if the [`@{push}` revision syntax](https://git-scm.com/docs/gitrevisions#Documentation/gitrevisions.txt-emltbranchnamegtpushemegemmasterpushemempushem) for git resolves for a branch, `gh pr view` and `gh pr status` should work regardless of additional config settings. For more information, see - cli/cli#9363 - cli/cli#9364 - cli/cli#9365 - cli/cli#9374 #### `gh secret list`, `gh secret set`, and `gh secret delete` now require repository selection when multiple `git` remotes are present Previously, `gh secret list`, `gh secret set`, and `gh secret delete` would determine which remote to target for interacting with GitHub Actions secrets. Remotes marked as default using `gh repo set-default` or through other `gh` commands had higher priority when figuring out which repository to interact with. This could have unexpected outcomes when using `gh secret` commands with forked repositories as the upstream repository would generally be selected. Now, `gh secret` commands require users to disambiguate which repository should be the target if multiple remotes are present and the `-R, --repo` flag is not provided. For more information, see cli/cli#4688 #### Extension update notices now notify once every 24 hours per extension and can be disabled Previously, the GitHub CLI would notify users about newer versions every time an extension was executed. This did not match GitHub CLI notices, which only notified users once every 24 hours and could be disabled through an environment variable. Now, extension update notices will behave similar to GitHub CLI notices. To disable extension update notices, set the `GH_NO_EXTENSION_UPDATE_NOTIFIER` environment variable. For more information, see cli/cli#9925 #### What's Changed ##### ✨ Features - Draft for discussing testing around extension update checking behavior by [@​andyfeller](https://github.com/andyfeller) in cli/cli#9985 - Make extension update check non-blocking by [@​andyfeller](https://github.com/andyfeller) in cli/cli#10239 - Ensure extension update notices only notify once within 24 hours, provide ability to disable all extension update notices by [@​andyfeller](https://github.com/andyfeller) in cli/cli#9934 - feat: make the extension upgrade fancier by [@​nobe4](https://github.com/nobe4) in cli/cli#10194 - fix: padded display by [@​nobe4](https://github.com/nobe4) in cli/cli#10216 - Update `gh attestation` attestation bundle fetching logic by [@​malancas](https://github.com/malancas) in cli/cli#10185 - Require repo disambiguation for secret commands by [@​williammartin](https://github.com/williammartin) in cli/cli#10209 - show error message for rerun workflow older than a month ago by [@​iamrajhans](https://github.com/iamrajhans) in cli/cli#10227 - Update `gh attestation verify` table output by [@​malancas](https://github.com/malancas) in cli/cli#10104 - Enable MSI building for Windows arm64 by [@​dennisameling](https://github.com/dennisameling) in cli/cli#10297 - feat: Add support for creating autolink references by [@​hoffm](https://github.com/hoffm) in cli/cli#10180 - Find MRs using `@{push}` by [@​Frederick888](https://github.com/Frederick888) in cli/cli#9208 - feat: Add support for viewing autolink references by [@​hoffm](https://github.com/hoffm) in cli/cli#10324 - Update `gh attestation` bundle fetching logic by [@​malancas](https://github.com/malancas) in cli/cli#10339 ##### 🐛 Fixes - gh gist delete: prompt for gist id by [@​danochoa](https://github.com/danochoa) in cli/cli#10154 - Better handling for waiting for codespaces to become ready by [@​cmbrose](https://github.com/cmbrose) in cli/cli#10198 - Fix: `gh gist view` and `gh gist edit` prompts with no TTY by [@​mateusmarquezini](https://github.com/mateusmarquezini) in cli/cli#10048 - Remove naked return values from `ReadBranchConfig` and `prSelectorForCurrentBranch` by [@​jtmcg](https://github.com/jtmcg) in cli/cli#10197 - Add job to deployment workflow to validate the tag name for a given release by [@​jtmcg](https://github.com/jtmcg) in cli/cli#10121 - \[gh run list] Stop progress indicator on failure from `--workflow` flag by [@​iamazeem](https://github.com/iamazeem) in cli/cli#10323 - Update deployment.yml by [@​andyfeller](https://github.com/andyfeller) in cli/cli#10340 ##### 📚 Docs & Chores - Add affected version heading to bug report issue form by [@​BagToad](https://github.com/BagToad) in cli/cli#10269 - chore: fix some comments by [@​petercover](https://github.com/petercover) in cli/cli#10296 - Update triage.md to reflect FR experiment outcome by [@​jtmcg](https://github.com/jtmcg) in cli/cli#10196 - Clear up --with-token fine grained PAT usage by [@​williammartin](https://github.com/williammartin) in cli/cli#10186 - Correct help documentation around template use in `gh issue create` by [@​andyfeller](https://github.com/andyfeller) in cli/cli#10208 - chore: fix some function names in comment by [@​zhuhaicity](https://github.com/zhuhaicity) in cli/cli#10225 - Tiny typo fix by [@​robmorgan](https://github.com/robmorgan) in cli/cli#10265 - add install instructions for Manjaro Linux by [@​AMS21](https://github.com/AMS21) in cli/cli#10236 - Update test to be compatible with latest Glamour v0.8.0 by [@​ottok](https://github.com/ottok) in cli/cli#10151 - Add more `gh attestation verify` integration tests by [@​malancas](https://github.com/malancas) in cli/cli#10102 #####Dependencies - Bump github.com/mattn/go-colorable from 0.1.13 to 0.1.14 by [@​dependabot](https://github.com/dependabot) in cli/cli#10215 - Bump github.com/sigstore/protobuf-specs from 0.3.2 to 0.3.3 by [@​dependabot](https://github.com/dependabot) in cli/cli#10214 - Bump github.com/gabriel-vasile/mimetype from 1.4.7 to 1.4.8 by [@​dependabot](https://github.com/dependabot) in cli/cli#10184 - Bump google.golang.org/protobuf from 1.36.2 to 1.36.3 by [@​dependabot](https://github.com/dependabot) in cli/cli#10250 - Bump golangci-linter and address failures to prepare for Go 1.24 strictness by [@​mikelolasagasti](https://github.com/mikelolasagasti) in cli/cli#10279 - Bump github.com/google/go-containerregistry from 0.20.2 to 0.20.3 by [@​dependabot](https://github.com/dependabot) in cli/cli#10257 - Bump actions/attest-build-provenance from 2.1.0 to 2.2.0 by [@​dependabot](https://github.com/dependabot) in cli/cli#10300 - Bump google.golang.org/protobuf from 1.36.3 to 1.36.4 by [@​dependabot](https://github.com/dependabot) in cli/cli#10306 - Upgrade sigstore-go to v0.7.0: fixes [#​10114](cli/cli#10114) formatting issue by [@​codysoyland](https://github.com/codysoyland) in cli/cli#10309 - Bump github.com/in-toto/attestation from 1.1.0 to 1.1.1 by [@​dependabot](https://github.com/dependabot) in cli/cli#10319 #### New Contributors Big thank you to our many new *and* longtime contributors making this release happen!! ❤️ ✨ - [@​zhuhaicity](https://github.com/zhuhaicity) made their first contribution in cli/cli#10225 - [@​danochoa](https://github.com/danochoa) made their first contribution in cli/cli#10154 - [@​robmorgan](https://github.com/robmorgan) made their first contribution in cli/cli#10265 - [@​iamrajhans](https://github.com/iamrajhans) made their first contribution in cli/cli#10227 - [@​AMS21](https://github.com/AMS21) made their first contribution in cli/cli#10236 - [@​petercover](https://github.com/petercover) made their first contribution in cli/cli#10296 - [@​ottok](https://github.com/ottok) made their first contribution in cli/cli#10151 - [@​dennisameling](https://github.com/dennisameling) made their first contribution in cli/cli#10297 - [@​iamazeem](https://github.com/iamazeem) made their first contribution in cli/cli#10323 - [@​Frederick888](https://github.com/Frederick888) made their first contribution in cli/cli#9208 **Full Changelog**: cli/cli@v2.65.0...v2.66.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNDMuMCIsInVwZGF0ZWRJblZlciI6IjM5LjE0Ni40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Fixes #10131
Follow on from #10164
Clarify that Fine Grained PATs are usable but not advised when using
auth login --with-token.