@nzpr/kb 0.1.8 → 0.1.9

package/README.md

@@ -176,15 +176,18 @@ export KB_GITHUB_REPO=owner/repo
 export GITHUB_TOKEN=...
 ```
 
-Publishing is allowed when the provided `GITHUB_TOKEN` has write access to `KB_GITHUB_REPO`. Normal readers do not need GitHub credentials.
+Publishing is allowed when the provided `GITHUB_TOKEN` can read `KB_GITHUB_REPO`. Normal readers do not need GitHub credentials.
 
 When `kb init-repo` is given `--repo`, it uses the same token to:
 
 - enable issues in the target repo
+- set GitHub Actions workflow permissions to write and allow Actions to create PRs
 - create or update the `kb-entry` and `kb-approved` labels
 - write repository secrets and variables
 - verify and initialize the target database schema if `--database-url` is provided
 
+For the GitHub setup step, that token must have repository admin access. A plain write token is not enough for Actions settings and repo secrets.
+
 If you run `kb init-repo` without the repo or database inputs, it still scaffolds the knowledge repo and prints exactly which remote bootstrap inputs are still pending.
 
 ## Quick Start

package/lib/cli.js

@@ -322,10 +322,10 @@ async function requirePublishAccess({ repo, token, apiBaseUrl }) {
   if (!permissions) {
     return;
   }
-  if (permissions.admin || permissions.maintain || permissions.push) {
+  if (permissions.admin || permissions.maintain || permissions.push || permissions.triage || permissions.pull) {
     return;
   }
-  throw new Error(`GITHUB_TOKEN does not have write access to ${repo}`);
+  throw new Error(`GITHUB_TOKEN does not have repository access to ${repo}`);
 }
 
 function printRepoConfiguration(configuration) {
@@ -349,7 +349,8 @@ function printRepoConfiguration(configuration) {
   console.log("");
   console.log("publish workflow auth:");
   console.log("  KB_GITHUB_REPO is set automatically to github.repository in the scaffolded workflow");
-  console.log("  GITHUB_TOKEN is provided automatically by GitHub Actions and must have contents:write")
+  console.log("  GITHUB_TOKEN is provided automatically by GitHub Actions and only needs repository read access for publish");
+  console.log("  the token used for kb init-repo itself must have admin access if you want the CLI to configure repo Actions settings")
 }
 
 function printInitRepoStatus(result) {

package/lib/repo-init.js

@@ -226,6 +226,19 @@ async function configureKnowledgeRepo({
   variables,
   runGitHubCommand
 }) {
+  const repository = await fetchGitHubRepositoryMetadata({
+    repo,
+    githubToken,
+    runGitHubCommand
+  });
+  const permissions = repository.permissions ?? null;
+
+  if (!permissions?.admin) {
+    throw new Error(
+      `GITHUB_TOKEN must have admin access to ${repo} so init-repo can configure Actions workflow permissions, PR creation, labels, and repo secrets`
+    );
+  }
+
   await runGitHubCommand(["repo", "edit", repo, "--enable-issues"], { githubToken });
   const actions = await ensureGitHubActionsPermissions({
     repo,
@@ -275,7 +288,11 @@ async function configureKnowledgeRepo({
 async function ensureGitHubActionsPermissions({ repo, githubToken, runGitHubCommand }) {
   const actionsPermissions = await runGitHubJson(
     ["api", `repos/${repo}/actions/permissions`],
-    { githubToken, runGitHubCommand }
+    {
+      githubToken,
+      runGitHubCommand,
+      notFoundMessage: buildActionsAdminError(repo)
+    }
   );
 
   if (actionsPermissions.enabled === false) {
@@ -296,7 +313,11 @@ async function ensureGitHubActionsPermissions({ repo, githubToken, runGitHubComm
 
   const workflowPermissions = await runGitHubJson(
     ["api", `repos/${repo}/actions/permissions/workflow`],
-    { githubToken, runGitHubCommand }
+    {
+      githubToken,
+      runGitHubCommand,
+      notFoundMessage: buildActionsAdminError(repo)
+    }
   );
 
   if (
@@ -326,9 +347,28 @@ async function ensureGitHubActionsPermissions({ repo, githubToken, runGitHubComm
   };
 }
 
-async function runGitHubJson(args, { githubToken, runGitHubCommand }) {
-  const output = await runGitHubCommand(args, { githubToken });
-  return JSON.parse(output);
+async function fetchGitHubRepositoryMetadata({ repo, githubToken, runGitHubCommand }) {
+  return runGitHubJson(["api", `repos/${repo}`], {
+    githubToken,
+    runGitHubCommand
+  });
+}
+
+function buildActionsAdminError(repo) {
+  return `GitHub token could not read or update Actions settings for ${repo}; use a token with repository admin access and rerun init-repo`;
+}
+
+async function runGitHubJson(args, { githubToken, runGitHubCommand, notFoundMessage = null }) {
+  try {
+    const output = await runGitHubCommand(args, { githubToken });
+    return JSON.parse(output);
+  } catch (error) {
+    const message = String(error?.message ?? error);
+    if (notFoundMessage && /404|Not Found/i.test(message)) {
+      throw new Error(notFoundMessage);
+    }
+    throw error;
+  }
 }
 
 async function defaultVerifyDatabaseReady({ databaseUrl }) {
@@ -475,7 +515,7 @@ function renderPublishWorkflow({ docsRootRelative }) {
     "  publish:",
     "    runs-on: ubuntu-latest",
     "    permissions:",
-    "      contents: write",
+    "      contents: read",
     "    concurrency:",
     "      group: kb-publish",
     "      cancel-in-progress: false",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nzpr/kb",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Knowledge base CLI for proposing, publishing, and querying curated agent knowledge.",
   "repository": {
     "type": "git",