Access token should allow push if "Allow edits from maintainers" checked


#1

I’m developing a tool which is supposed to automatically “fix” PRs, when they are missing things.
Think of it as a linter, but when it knows how to fix a mistake, actually make a patch and submit the patch.

If I try to “update” a contributor PR by pushing an extra commit, with a temporary token given to my installation/integration, I would expect that when “allow edits from maintainers” is checked, my integration would also have access.

Though it seems not to be the case.

More precisely:

git clone https://x-access-token:14mafAkeToken....@github.com/pr-author/test-repo.git
cd test-repo
git checkout -b remote-ref origin/remote-ref
# ... change things...
# ... commit things...
git push origin remote-ref:remote-ref

fails on the last step

 ! [remote rejected] remote-ref -> remote-ref (permission denied)

The same code works of course if pr-author is the same repository as the integration…

Is that on purpose, or am I missing something?


#2

Hi there, any news?


#3

Hi there,

What permissions does your Integration have?

Is your Integration installed on the repository it is trying to push to? It wouldn’t have any access to a private repository unless it is installed there, and would still need the explicit permissions to write to the repository contents.


#4

Hi @keavy! Thanks a lot for your response.

> What permissions does your Integration have?

All of them. It is not a private repository though, it is a public one.

> Is your Integration installed on the repository it is trying to push to? It wouldn’t have any access to a private repository unless it is installed there, and would still need the explicit permissions to write to the repository contents.

I understand that in the common use case. But I might have mis-explained myself.

See, I have PublicRepoA, PublicForkUserB and IntegrationOnPublicRepoA.
I have checked that IntegrationOnPublicRepoA can push to any branch of PublicRepoA.

  • UserB sends a PullRequestX from PublicForkUserB/branchX to PublicRepoA
  • Even if maintainers of PublicRepoA are not collaborators on PublicForkUserB, they are allowed to push on PublicForkUserB/branchX if UserB has checked “Allow edits from maintainers”.
  • Maintainers can, I think, have the expectation that an integration can do everything they give it the right to do.
  • So it seems like if MaintainersA can push to PublicForkUserB/branchX, then an Integration that has at least the same rights as MaintainersA can push to PublicForkUserB/branchX. Which it can't.

If I understand correctly, the “Allow edits from maintainers” check is made to circumvent classical permissions. Even if a branch is on a Repo where the pusher has no access, the pusher is given extraordinary permission because this branch is the base of a PullRequest. I think it is reasonable that the pusher may not be a Human, but a Bot that acts on behalf of a Human. So the bot should be expected to have enough permissions to do so.

For my use case, that kind of makes the point of an integration moot, as I like to autofix PEP8 on pull requests to the repositories I control. I would really like to do that, but the integration does not seem to give me the possibility. The workaround would be to create a separate GitHub account, and use the credentials of this account for my bot. And instead of turning on an integration I can add this account as a collaborator. That seems like defeating the point of an integration IIUC.

Apologies if I misexpressed myself; I’m not a native English speaker and I may be missing better words or terms.

Thanks!


#5

Hey, thanks for the request and for sharing your use case. This functionality is not currently planned, but we’ll consider the request as we move forward. I’ll leave this thread open as I’m curious to hear if others would find this beneficial or want to share further thoughts. Thanks!


#6

I am looking at building an app on top of the new Checks API. I would find it useful to have an option to automatically push a commit to a PR branch to fix certain issues where possible.


#7

Hey Keavy,

I think this functionality will be great for many tools that do linting on the repositories. Many linters provide quick fixes for issues they find and usually people manually fix them; it will be great to automate this process.


#8

@danielcompton @fkorotkov we just shipped something that enables just that, enjoy! https://developer.github.com/changes/2018-05-23-request-actions-on-checks/


#9

Awesome sauce! Will give it a try! Thank you!


#10

@keavy It still doesn’t give access to maintainer-edit-allowed forked repositories. Is there any way to accomplish it?
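
The situation discussed in this thread, as an added example that is not code from any participant or from GitHub: a pre-flight check that decides, from a pull request payload, whether an installation token should attempt the push or fall back to reporting the fix (for instance through a check run, as in post #8). The function name `push_plan`, the owner names `OrgA` and `UserB`, and the sample payload are constructed; the fork case encodes the behaviour reported in this thread.

```python
import json

# Constructed sample: trimmed pull request payload for a PR opened from a fork.
SAMPLE_PR = json.loads("""
{
  "number": 7,
  "maintainer_can_modify": true,
  "head": {"ref": "branchX",
           "repo": {"full_name": "UserB/PublicForkUserB", "fork": true}},
  "base": {"ref": "master",
           "repo": {"full_name": "OrgA/PublicRepoA"}}
}
""")


def push_plan(pr, installed_repos, permissions):
    """Decide how an installation token should deliver a fix for `pr`.

    installed_repos: full names of repositories the installation covers.
    permissions: the "permissions" map returned with the installation token.
    Returns (action, reason); action is "push" or "report".
    """
    head_repo = pr["head"].get("repo")
    if head_repo is None:
        # The fork was deleted after the PR was opened; nothing to push to.
        return ("report", "head repository no longer exists")
    if permissions.get("contents") != "write":
        # Least privilege: without write access to contents, never try to push.
        return ("report", "installation lacks contents: write")
    target = head_repo["full_name"]
    if target in installed_repos:
        return ("push", f"installation covers {target}")
    if pr.get("maintainer_can_modify"):
        # As reported in this thread: the checkbox lets maintainers (users)
        # push to the fork branch, but the installation token is rejected.
        return ("report",
                "maintainer edits allowed, but not for installation tokens")
    return ("report", f"installation is not installed on {target}")


if __name__ == "__main__":
    print(push_plan(SAMPLE_PR, {"OrgA/PublicRepoA"}, {"contents": "write"}))
```
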