Github PAT does not have the right scopes, but unclear what they should be

[HughParsonage]

I have run rhub::rhub_doctor() and receive the following error:

✖ Does your GitHub PAT have the right scopes?

The answer to this question is "I don't know". Can the error message specify the scopes that are required?

[gaborcsardi]

Can you please show the full output?

[HughParsonage]

✔ Found R package at C:/Users/hughp/Documents/grattanInflators.
✔ Found git repository at C:/Users/hughp/Documents/grattanInflators.
✔ Found GitHub PAT.                                 
✔ Found repository on GitHub at <https://github.com/HughParsonage/grattanInflators>.
✖ Does your GitHub PAT have the right scopes?
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
Type .Last.error to see the more details.

[gaborcsardi]

The problem is not with the scopes. rhub::rhub_doctor()was trying to check if the scopes are OK, but it completely failed to use the token to authenticate:

Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.

[HughParsonage]

If I understand correctly, this is an esoteric error not related to the rhub package. If not, happy to assist with further debugging; otherwise, feel free to close.

Would the solution in any case be to generate another PAT?

[gaborcsardi]

Correct. You can try to see what's wrong with your current one, try calling.

gh::gh_whoami()
gh::gh_whoami(.token = "...")

(Put the pat in place of ... if gh does not find it automatically.)

If the second works but the first does not, then your PAT is ok, we just can't find it. Try setting it in gitcreds::gitcreds_set(). Or, if you are on Linux or setting does not work, then set it in the GITHUB_PAT env var.

[HughParsonage]

Thank you. I confirm the first gh_whoami() failed with an error. Resetting the credentials allowed rhub functions to work.

[gaborcsardi]

I'll keep this issue open, to improve the output of rhub_doctor() for the next release.

[sjentsch]

I have the same error but the solution above (#601 (comment)) doesn't work for me (gh::gh_whoami() runs without an error). Any other ideas?

The output from rhub_doctor() is:

✔ Found R package at /home/sjentsch/Documents/Computer/jamovi/R-packages/jmvReadWrite.
✔ Found git repository at /home/sjentsch/Documents/Computer/jamovi/R-packages/jmvReadWrite.
✔ Found GitHub PAT.
✔ Found repository on GitHub at <[email protected]:sjentsch/jmvReadWrite.git>.
✖ Does your GitHub PAT have the right scopes?
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
Type .Last.error to see the more details.
> .Last.error
<rlib_error_3_1/rlib_error/error>
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
---
Backtrace:
1. rhub::rhub_doctor()
2. rhub:::doctor_check_pat_scopes(resp$gql)
3. rhub:::throw(pkg_error(call. = FALSE, "Could not use the PAT to authenticate to GitHub", …

[gaborcsardi]

What's the output of gh::gh_whoami() and gh::gh_rate_limits() right after the error? (Omit the line that has parts of the PAT!)

[sjentsch]

> gh::gh_whoami()
{
  "name": "Sebastian Jentschke",
  "login": "sjentsch",
  "html_url": "https://github.com/sjentsch",
} 
> gh::gh_rate_limits()
                          type limit used remaining               reset
1                         core  5000    9      4991 2024-05-22 20:06:49
2                       search    30    0        30 2024-05-22 19:40:56
3                      graphql  5000    3      4997 2024-05-22 20:17:47
4         integration_manifest  5000    0      5000 2024-05-22 20:39:56
5                source_import   100    0       100 2024-05-22 19:40:56
6         code_scanning_upload  1000    0      1000 2024-05-22 20:39:56
7  actions_runner_registration 10000    0     10000 2024-05-22 20:39:56
8                         scim 15000    0     15000 2024-05-22 20:39:56
9         dependency_snapshots   100    0       100 2024-05-22 19:40:56
10                   audit_log  1750    0      1750 2024-05-22 20:39:56
11                 code_search    10    0        10 2024-05-22 19:40:56
   mins_left
1       26.9
2        1.0
3       37.8
4       60.0
5        1.0
6       60.0
7       60.0
8       60.0
9        1.0
10      60.0
11       1.0

Thanks for your help!

[gaborcsardi]

✔ Found repository on GitHub at <[email protected]:sjentsch/jmvReadWrite.git>.

Sorry, only HTTPS git remotes work currently.

[sjentsch]

No, this isn't the problem, unfortunately. I get the same error mesage when I change the remote to https.

> rhub::rhub_doctor()
✔ Found R package at /home/sjentsch/Documents/Computer/jamovi/R-packages/jmvReadWrite.
✔ Found git repository at /home/sjentsch/Documents/Computer/jamovi/R-packages/jmvReadWrite.
✔ Found GitHub PAT.
✔ Found repository on GitHub at <https://github.com/sjentsch/jmvReadWrite.git>.
✖ Does your GitHub PAT have the right scopes?
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
Type .Last.error to see the more details.
> .Last.error
<rlib_error_3_1/rlib_error/error>
Error: 
! Could not use the PAT to authenticate to GitHub
ℹ Make sure that the URL and your PAT are correct.
---
Backtrace:
1. rhub::rhub_doctor()
2. rhub:::doctor_check_pat_scopes(resp$gql)
3. rhub:::throw(pkg_error(call. = FALSE, "Could not use the PAT to authenticate to GitHub", …

[gaborcsardi]

What do you get for this?

gitcreds::gitcreds_get("https://github.com/sjentsch/jmvReadWrite.git")

If you look at

gitcreds::gitcreds_get("https://github.com/sjentsch/jmvReadWrite.git")$password

do you see the correct token? E.g. does

gh::gh_whoami(
  .token = gitcreds::gitcreds_get("https://github.com/sjentsch/jmvReadWrite.git")$password
)

work correctly?

[sjentsch]

They all seem to work apart from that the first command returns NAs for protocol host and username. I won't post the output from the second command (and removed the token line from the third), but I ensured that the second command shows the correct PAT.

> gitcreds::gitcreds_get("https://github.com/sjentsch")
<gitcreds>
  protocol: NA
  host    : NA
  username: NA
  password: <-- hidden -->
> gh::gh_whoami(                                       
  .token = gitcreds::gitcreds_get("https://github.com/sjentsch/jmvReadWrite.git")$password
)
{
  "name": "Sebastian Jentschke",
  "login": "sjentsch",
  "html_url": "https://github.com/sjentsch",
} 

[gaborcsardi]

What's the output of this from the command line, int the directory of the package?

git remote -v 

[sjentsch]

origin	https://github.com/sjentsch/jmvReadWrite.git (fetch)
origin	[email protected]:sjentsch/jmvReadWrite.git (push)

I had also tried setting both fetch and push to https, but that didn't work either and git push is more convenient via ssh.

[sjentsch]

It appears as if the resp (obtained from synchronize in rhub_doctor does contain gql -> headers but that headers doesn't contain x-oauth-scopes. Any idea why?

[gaborcsardi]

IDK, but that might be enough for me to fix this.

I guess you are on Linux, that's why ssh is more convenient?

[sjentsch]

Yes, I am on Linux.

Strangely enough, if I use curl -sS -f -I -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com with the same token, I get x-oauth-scopes: repo

Would it help if I send you the resp variable that I got back? Preferrably on a more secure channel than here.

[gaborcsardi]

Do you have a proxy that might alter the headers?

Yes, if you think that the response headers could be informative, please send them via email. I don't think they actually contain any sensitive information.

[bradleyjeck]

Hi Gabor - thanks a lot for rhub, it makes a huge difference for package development! Especially tracking down compilation errors on the different flavors.

I was also having trouble with PAT scopes. It didn't work with a new fine-grained tokens, but rhub_doctor() worked with the classic personal access token.

[gaborcsardi]

Yes, unfortunately it seems that there is no way to query the scopes of a fine-grained token, so we'll need to drop that check for fine grained tokens. rhub_check() should still work fine, though, assuming you have the right scopes.

[MatthieuStigler]

I had the same problem with a fine-grained token, switching to a classic token fixed it.

On the other side, I am unclear on which scopes to choose for the classic token, is it detailed somewhere in the documentation which scopes should be granted?

Thanks!

[gaborcsardi]

Seems like on "repo"` is needed:

rhub/R/doctor.R

Lines 165 to 174 in f4c7367

	if (!"repo" %in% scopes) {
	cli::cli_status_clear(pid, result = "failed")
	throw(pkg_error(
	call. = FALSE,
	"Your PAT does not have a {.code repo} scope.",
	i = "Without a {.code repo} scope R-hub cannot start jobs on GitHub.",
	i = "Change the scopes of the PAT on the GitHub web page, or create
	a new PAT."
	))
	}

[MatthieuStigler]

great, thanks! I had added the workflow scope, I had assumed it would be necessary?

Maybe it would be worth amending the documentation in https://blog.r-hub.io/2024/04/11/rhub2/#requirements along with (suggested changes in bold):

Third, you need a GitHub Personal Access Token (PAT) with the repo scopes and you need to store it in the git credential store on your machine. Classic tokens should be used as fine-grained tokens currently do not work.

[gaborcsardi]

Maybe it would be worth amending the documentation

Sure, a PR is most welcome! (But no pressure, really! :D)