@semantic-release/github 10.1.6 → 10.2.0

package/lib/definitions/errors.js

@@ -178,12 +178,24 @@ If you are using [GitHub Enterprise](https://enterprise.github.com) please make
 
 export function EGHNOPERMISSION({ owner, repo }) {
   return {
-    message: `The GitHub token doesn't allow to push on the repository ${owner}/${repo}.`,
+    message: `The GitHub token doesn't allow to push to and maintain the repository ${owner}/${repo}.`,
     details: `The user associated with the [GitHub token](${linkify(
       "README.md#github-authentication",
-    )}) configured in the \`GH_TOKEN\` or \`GITHUB_TOKEN\` environment variable must allows to push to the repository ${owner}/${repo}.
+    )}) configured in the \`GH_TOKEN\` or \`GITHUB_TOKEN\` environment variable must have permission to push to and maintain the repository ${owner}/${repo}.
 
-Please make sure the GitHub user associated with the token is an [owner](https://help.github.com/articles/permission-levels-for-a-user-account-repository/#owner-access-on-a-repository-owned-by-a-user-account) or a [collaborator](https://help.github.com/articles/permission-levels-for-a-user-account-repository/#collaborator-access-on-a-repository-owned-by-a-user-account) if the repository belong to a user account or has [write permissions](https://help.github.com/articles/managing-team-access-to-an-organization-repository) if the repository [belongs to an organization](https://help.github.com/articles/repository-permission-levels-for-an-organization).`,
+Please make sure the GitHub user associated with the token is an [owner](https://help.github.com/articles/permission-levels-for-a-user-account-repository/#owner-access-on-a-repository-owned-by-a-user-account) or a [collaborator](https://help.github.com/articles/permission-levels-for-a-user-account-repository/#collaborator-access-on-a-repository-owned-by-a-user-account) if the repository belongs to a user account or has [write permissions](https://help.github.com/articles/managing-team-access-to-an-organization-repository) if the repository [belongs to an organization](https://help.github.com/articles/repository-permission-levels-for-an-organization).`,
+  };
+}
+
+export function EGHNOSCOPE({ scopes }) {
+  return {
+    message: `The GitHub token doesn't have the necessary OAuth scopes to write contents, issues, and pull requests.`,
+    details: `The [GitHub token](${linkify(
+      "README.md#github-authentication",
+    )}) configured in the \`GH_TOKEN\` or \`GITHUB_TOKEN\` environment variable must have the correct scopes.
+${scopes ? `\nThe token you used has scopes: ${scopes.join(", ")}\n` : ""}
+For classic PATs, make sure the token has the \`repo\` scope if the repository is private, or \`public_repo\` scope otherwise.
+For fine-grained PATs, make sure the token has the \`content: write\`, \`issues: write\`, and \`pull_requests: write\` scopes on the repository.`,
   };
 }
 

package/lib/verify.js

@@ -105,11 +105,27 @@ export default async function verify(pluginConfig, context, { Octokit }) {
     );
     try {
       const {
-        data: { permissions, clone_url },
+        headers,
+        data: { private: _private, permissions, clone_url },
       } = await octokit.request("GET /repos/{owner}/{repo}", { repo, owner });
+
+      // GitHub only returns this header if the token is a classic PAT
+      if (headers?.["x-oauth-scopes"]) {
+        const scopes = headers["x-oauth-scopes"].split(/\s*,\s*/g);
+        if (
+          !scopes.includes("repo") &&
+          (_private || !scopes.includes("public_repo"))
+        ) {
+          errors.push(getError("EGHNOSCOPE", { scopes }));
+        }
+      }
+
       // Verify if Repository Name wasn't changed
       const parsedCloneUrl = parseGithubUrl(clone_url);
-      if (owner !== parsedCloneUrl.owner || repo !== parsedCloneUrl.repo) {
+      if (
+        `${owner}/${repo}`.toLowerCase() !==
+        `${parsedCloneUrl.owner}/${parsedCloneUrl.repo}`.toLowerCase()
+      ) {
         errors.push(
           getError("EMISMATCHGITHUBURL", { repositoryUrl, clone_url }),
         );
@@ -119,7 +135,7 @@ export default async function verify(pluginConfig, context, { Octokit }) {
       // Do not check for permissions in GitHub actions, as the provided token is an installation access token.
       // octokit.request("GET /repos/{owner}/{repo}", {repo, owner}) does not return the "permissions" key in that case.
       // But GitHub Actions have all permissions required for @semantic-release/github to work
-      if (!env.GITHUB_ACTION && !permissions?.push) {
+      if (!env.GITHUB_ACTION && !(permissions?.push && permissions?.maintain)) {
         // If authenticated as GitHub App installation, `push` will always be false.
         // We send another request to check if current authentication is an installation.
         // Note: we cannot check if the installation has all required permissions, it's

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@semantic-release/github",
   "description": "semantic-release plugin to publish a GitHub release and comment on released Pull Requests/Issues",
-  "version": "10.1.6",
+  "version": "10.2.0",
   "type": "module",
   "author": "Pierre Vanduynslager (https://twitter.com/@pvdlg_)",
   "ava": {
@@ -50,7 +50,7 @@
     "npm-run-all2": "6.2.2",
     "prettier": "3.3.3",
     "publint": "0.2.10",
-    "semantic-release": "24.0.0",
+    "semantic-release": "24.1.0",
     "sinon": "18.0.0",
     "tempy": "3.1.0"
   },
@@ -127,5 +127,5 @@
       "github>semantic-release/.github:renovate-config"
     ]
   },
-  "packageManager": "npm@10.8.2"
+  "packageManager": "npm@10.8.3"
 }