Setting a team reviewer requires unexpected permissions


Hi team,

First up, thanks for everything you do at GitHub.

My app, Dependabot, creates pull requests and sometimes wants to set reviewers for those PRs. In some cases, those reviewers are a team, not an individual, and when they are I get the following response from the API:

{"message":"Validation Failed","errors":["Could not resolve to a node with the global id of 'MDQ6VGVhbTIzMzU0Mjc='."],"documentation_url":""}

I’m told by @izuzak that this error will soon become a more descriptive one telling me that I need to have members read permissions in order to set a team-reviewer on a PR.

Can I implore you to not require that additional permission on this endpoint?

  1. I can already get the names of teams associated with a pull request by requesting a PR and checking the requested_teams attribute, so it doesn’t look like you’re that worried about apps knowing the names of teams within an organisation (note that I’m not talking about being able to discover their members).
  2. Requiring this permission means that my app, and any others that want to create reviewers, need to ask for a new permissions category that we’re barely going to use (I have no interest in knowing which users are in which teams - just in adding a team reviewer name, which I was told by a user, to my pull requests).

Presumably your thinking around this is that I might use the create review endpoint to enumerate all of the teams in an organisation, and by doing so gain some information I shouldn’t have? Like the presence of “secret” teams or something like that? I don’t think that’s really a problem, and since (1) allows me to see all the teams that are ever actually used, are you actually getting any protection here?

On the other hand, requiring this additional permission is causing real pain for my app. I really don’t want Dependabot to have to ask for more permissions if it’s basically not going to use them.


Quick bump, as I’d love a comment from someone at GitHub on this one.


:cry:


@greysteil :wave: I’ve taken your feedback back to engineering, unfortunately I can’t give you an answer right now, but trying to find one :blush:


Hero, thanks @vroldanbet. Let me know any feedback :slightly_smiling_face:


I ran into this while implementing an internal bot myself. It made no sense as to why I needed to have this permission when I don’t care about return data, it’s simply requesting a review.


@vroldanbet - were you able to get an answer on this one? It’s still a thorn in my side - means I’m disappointing my users by not being able to set team reviewers on Dependabot PRs after they’ve asked me to and given me the name of the team they want to assign.


I’ve also recently realised that I get this error if trying to update the non-team reviewers on a PR that has team reviewers assigned. That’s really irritating, and suggests to me that this is just a bug, rather than a permissions issue.


@greysteil we are a bit slow replying due to off-site meetings during this week, apologies for that. We’ve had a couple conversations about this one, and it is unfortunately not trivial. Just wanted to give heads up, we don’t have a solution yet but conversations are taking place. Sorry for the inconvenience :pray:


Thanks for following up, @vroldanbet. I’m a dependabot user and it would better match our workflow if we could request a team as a reviewer.