Setting a team reviewer requires unexpected permissions


#1

Hi team,

First up, thanks for everything you do at GitHub.

My app, Dependabot, creates pull requests and sometimes wants to set reviewers for those PRs. In some cases, those reviewers are a team, not an individual, and when they are I get the following response from the API:

{"message":"Validation Failed","errors":["Could not resolve to a node with the global id of 'MDQ6VGVhbTIzMzU0Mjc='."],"documentation_url":"https://developer.github.com/v3/pulls/review_requests/#create-a-review-request"}

I’m told by @izuzak that this error will soon become a more descriptive one telling me that I need to have members read permissions in order to set a team-reviewer on a PR.

Can I implore you to not require that additional permission on this endpoint?

  1. I can already get the names of teams associated with a pull request by requesting a PR and checking the requested_teams attribute, so it doesn’t look like you’re that worried about apps knowing the names of teams within an organisation (note that I’m not talking about being able to discover their members).
  2. Requiring this permission means that my app, and any others that want to create reviewers, need to ask for a new permissions category that we’re barely going to use (I have no interest in knowing which users are in which teams - just in adding a team reviewer name, which I was told by a user, to my pull requests).

Presumably your thinking around this is that I might use the create review endpoint to enumerate all of the teams in an organisation, and by doing so gain some information I shouldn’t have? Like the presence of “secret” teams or something like that? I don’t think that’s really a problem, and since (1) allows me to see all the teams that are ever actually used, are you actually getting any protection here?

On the other hand, requiring this additional permission is causing real pain for my app. I really don’t want Dependabot to have to ask for more permissions if it’s basically not going to use them.
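One way an app can cope with the failure described in this post without asking for the wider permission, as an added example that is not Dependabot's or GitHub's own code: it sends the review request to the documented endpoint, recognises the "Could not resolve to a node" validation error (assumed here to arrive as HTTP 422) and retries with individual reviewers only, reporting the teams it had to skip. The `post` transport and the `fake_post` responses are constructed for offline use.

```python
from typing import Callable, Dict, List, Tuple

# Endpoint behind the documentation_url quoted in the error response above.
REVIEW_REQUEST_PATH = "/repos/{owner}/{repo}/pulls/{number}/requested_reviewers"

# Assumption: a transport taking (path, json body) and returning (status, json body).
HttpPost = Callable[[str, dict], Tuple[int, dict]]


def is_unresolved_team_error(status: int, body: dict) -> bool:
    """True when the API rejected the request because it could not resolve a
    team node, which the thread reports is the symptom of lacking members:read.
    Matches only the current message text; the post says it may change."""
    if status != 422 or body.get("message") != "Validation Failed":
        return False
    return any("Could not resolve to a node" in e for e in body.get("errors", []))


def request_reviewers(post: HttpPost, owner: str, repo: str, number: int,
                      users: List[str], teams: List[str]) -> Dict[str, object]:
    """Request reviewers while keeping the app at its existing permission set.

    If the team part is rejected with the unresolved-node error, retry with
    users only and report the skipped teams, instead of requiring a broader
    installation permission the app would otherwise never use."""
    path = REVIEW_REQUEST_PATH.format(owner=owner, repo=repo, number=number)
    status, body = post(path, {"reviewers": users, "team_reviewers": teams})
    if status < 300:
        return {"ok": True, "skipped_teams": []}
    if teams and is_unresolved_team_error(status, body):
        status, body = post(path, {"reviewers": users, "team_reviewers": []})
        if status < 300:
            return {"ok": True, "skipped_teams": list(teams)}
    return {"ok": False, "skipped_teams": list(teams), "error": body}


# Constructed fake transport that reproduces the response quoted in the post.
def fake_post(path: str, payload: dict) -> Tuple[int, dict]:
    if payload.get("team_reviewers"):
        return 422, {"message": "Validation Failed",
                     "errors": ["Could not resolve to a node with the global id of 'MDQ6VGVhbTIzMzU0Mjc='."],
                     "documentation_url": "https://developer.github.com/v3/pulls/review_requests/#create-a-review-request"}
    return 201, {"number": 1, "requested_reviewers": payload.get("reviewers", [])}


if __name__ == "__main__":
    print(request_reviewers(fake_post, "org", "repo", 1, ["alice"], ["security"]))
```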


#2

Quick bump, as I’d love a comment from someone at GitHub on this one.


#3

:cry:


#4

@greysteil :wave: I’ve taken your feedback back to engineering, unfortunately I can’t give you an answer right now, but trying to find one :blush:


#5

Hero, thanks @vroldanbet. Let me know any feedback :slightly_smiling_face:


#6

I ran into this while implementing an internal bot myself. It made no sense as to why I needed to have this permission when I don’t care about return data, it’s simply requesting a review.