Various Codespace Secrets endpoints failing when using a Personal Access Token or GitHub App #3000

Open
robmonte opened this issue Nov 23, 2023 · 5 comments

Comments

@robmonte

To preface this, I'm not sure if I'm simply doing something incorrectly, if there's an issue in the library, or if there's an issue in GitHub's API. I figure this is the best spot to start with.

I am getting several different kinds of errors when trying to use the Codespace Secrets feature via GitHub App. For example, when trying to access User secrets via the app, I get the following error when trying to obtain the User Codespace secrets public key:
https://api.github.com/user/codespaces/secrets/public-key: 403 Resource not accessible by integration
The permissions explained here say that the App needs the codespaces_user_secrets user permission. You can see in this screenshot that the permission is indeed set:
image

I also noticed updating permissions in the Account section of a GitHub App does not trigger the typical "app is requesting an update to its permissions." prompt that appears when Repository or Organization permissions are changed, so I'm leaning towards this being a GitHub-side issue.

 

Next, I am unable to start or stop a Codespace in a repository, once again as a GitHub App. This time I am able to authenticate and fully access the repository Codespace secrets as the GitHub App however. I get the following error when calling start:
https://api.github.com/user/codespaces/<random_gh_codespace_name>/start: 404 Not Found
The permissions explained here say that the App needs the codespaces_lifecycle_admin repository permission. You can see again in this screenshot that the permission is indeed set:
image

 

Lastly, the final issue with Codespace secrets. This time, it fails with Personal Access Tokens (and it seems GitHub doesn't support Apps for these Org secrets at all). Like the first issue, when trying to obtain the public key of the Organization Codespace secrets it fails:
https://api.github.com/orgs/<org_name>/codespaces/secrets/public-key: 404 Not Found
The permissions explained here say that the Access Token needs the admin:org organization permission. You can see in the screenshot one final time that the permission is set:
image

I found it a bit strange this one supposedly doesn't require "organization codespace secrets" permissions to be set like the others all require, however adding that permission and in fact all permissions to the PAT still gives the same public key error.

 

My hunch is this is all likely on GitHub's side but as mentioned I figured I'd start here first, and I can point to this post as a later reference if I need to open up an issue with GitHub directly.

@gmlewis
Collaborator

gmlewis commented Nov 24, 2023

Hmmm... thanks for the detailed writeup of the issues you are seeing.
I personally have not used Codespace secrets, and unfortunately don't know what the problem is.
From your description, it sounds like you are using things properly.

I'll leave this issue open in the hopes that someone else has tried the Codespace APIs.

Maybe @artificial-aidan who wrote the initial implementation in #2803 has some ideas.

@artificial-aidan
Contributor

I didn't end up using the implementation in my company's product, so other than initial testing I don't have much info.

What I would do is replicate the same process with bare http calls and see if you get the same process. I think there is a logging setting in the Go library to print all http calls.

@gmlewis
Collaborator

gmlewis commented Nov 24, 2023

Thanks, @artificial-aidan !

Along the same lines, this package is frequently helpful to debug the curl versions of API calls:
https://github.com/gmlewis/go-httpdebug

@robmonte
Author

Thanks for the suggestions. I am seeing the same errors when using the curl commands directly, such as using a PAT for the organization codespace public key:
{"message":"Not Found","documentation_url":"https://docs.github.com/rest/codespaces/organization-secrets#get-an-organization-public-key"}

Providing an incorrect PAT changes the error message to "Bad credentials", so it seems to at least be recognizing that there is a valid token being provided and authorizing my request.

I'll see what options I have available regarding bringing this up with GitHub directly.
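
The check described in the comment above, comparing the real token with a deliberately wrong one over bare HTTP, written out as an added Go example; it is not code from this thread or from go-github. It separates an authentication failure (401) from an authorization or visibility failure (403, or 404 where the API does not reveal a resource the token cannot access). The stub server, the token strings, `example-org` and the function names are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// get sends one bare GET and returns the status code and GitHub's JSON "message".
func get(base, path, token string) (int, string) {
	req, err := http.NewRequest(http.MethodGet, base+path, nil)
	if err != nil {
		return 0, err.Error()
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err.Error()
	}
	defer resp.Body.Close()
	var body struct{ Message string }
	_ = json.NewDecoder(resp.Body).Decode(&body) // non-JSON body leaves Message empty
	return resp.StatusCode, body.Message
}

// diagnose names the failing layer; statuses outside the map get an empty verdict.
func diagnose(base, path, token string) string {
	code, msg := get(base, path, token)
	verdict := map[int]string{
		401: "authentication: token rejected",
		403: "authorization: token accepted, permission missing",
		404: "authenticated, but resource absent or hidden from this token",
	}[code]
	if c, _ := get(base, path, "invalid-control-token"); c != 401 {
		verdict = "inconclusive: control token was not rejected"
	}
	return fmt.Sprintf("%d %s: %s", code, msg, verdict)
}

func main() { // constructed stub replays the thread: 401 for an unknown token, else 404
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, msg := 404, "Not Found"
		if r.Header.Get("Authorization") != "Bearer placeholder-valid-token" {
			code, msg = 401, "Bad credentials"
		}
		http.Error(w, `{"message":"`+msg+`"}`, code)
	}))
	fmt.Println(diagnose(srv.URL, "/orgs/example-org/codespaces/secrets/public-key", "placeholder-valid-token"))
}
```

Against the real API, pass `https://api.github.com` as `base` and read the token from the environment rather than hard-coding it.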

@stevehipwell
Contributor

@robmonte did you get anything back from GitHub? This endpoint works correctly for my enterprise org but doesn't work for my OSS one.
