@semantic-release/github 10.1.7 → 10.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/lib/definitions/errors.js +15 -3
  2. package/lib/verify.js +15 -2
  3. package/package.json +2 -2
package/lib/definitions/errors.js CHANGED
@@ -178,12 +178,24 @@ If you are using [GitHub Enterprise](https://enterprise.github.com) please make
178
178
 
179
179
  export function EGHNOPERMISSION({ owner, repo }) {
180
180
  return {
181
- message: `The GitHub token doesn't allow to push on the repository ${owner}/${repo}.`,
181
+ message: `The GitHub token doesn't allow to push to and maintain the repository ${owner}/${repo}.`,
182
182
  details: `The user associated with the [GitHub token](${linkify(
183
183
  "README.md#github-authentication",
184
- )}) configured in the \`GH_TOKEN\` or \`GITHUB_TOKEN\` environment variable must allows to push to the repository ${owner}/${repo}.
184
+ )}) configured in the \`GH_TOKEN\` or \`GITHUB_TOKEN\` environment variable must have permission to push to and maintain the repository ${owner}/${repo}.
185
185
 
186
- Please make sure the GitHub user associated with the token is an [owner](https://help.github.com/articles/permission-levels-for-a-user-account-repository/#owner-access-on-a-repository-owned-by-a-user-account) or a [collaborator](https://help.github.com/articles/permission-levels-for-a-user-account-repository/#collaborator-access-on-a-repository-owned-by-a-user-account) if the repository belong to a user account or has [write permissions](https://help.github.com/articles/managing-team-access-to-an-organization-repository) if the repository [belongs to an organization](https://help.github.com/articles/repository-permission-levels-for-an-organization).`,
186
+ Please make sure the GitHub user associated with the token is an [owner](https://help.github.com/articles/permission-levels-for-a-user-account-repository/#owner-access-on-a-repository-owned-by-a-user-account) or a [collaborator](https://help.github.com/articles/permission-levels-for-a-user-account-repository/#collaborator-access-on-a-repository-owned-by-a-user-account) if the repository belongs to a user account or has [write permissions](https://help.github.com/articles/managing-team-access-to-an-organization-repository) if the repository [belongs to an organization](https://help.github.com/articles/repository-permission-levels-for-an-organization).`,
187
+ };
188
+ }
189
+
190
+ export function EGHNOSCOPE({ scopes }) {
191
+ return {
192
+ message: `The GitHub token doesn't have the necessary OAuth scopes to write contents, issues, and pull requests.`,
193
+ details: `The [GitHub token](${linkify(
194
+ "README.md#github-authentication",
195
+ )}) configured in the \`GH_TOKEN\` or \`GITHUB_TOKEN\` environment variable must have the correct scopes.
196
+ ${scopes ? `\nThe token you used has scopes: ${scopes.join(", ")}\n` : ""}
197
+ For classic PATs, make sure the token has the \`repo\` scope if the repository is private, or \`public_repo\` scope otherwise.
198
+ For fine-grained PATs, make sure the token has the \`content: write\`, \`issues: write\`, and \`pull_requests: write\` scopes on the repository.`,
187
199
  };
188
200
  }
189
201
 
package/lib/verify.js CHANGED
@@ -105,8 +105,21 @@ export default async function verify(pluginConfig, context, { Octokit }) {
105
105
  );
106
106
  try {
107
107
  const {
108
- data: { permissions, clone_url },
108
+ headers,
109
+ data: { private: _private, permissions, clone_url },
109
110
  } = await octokit.request("GET /repos/{owner}/{repo}", { repo, owner });
111
+
112
+ // GitHub only returns this header if the token is a classic PAT
113
+ if (headers?.["x-oauth-scopes"]) {
114
+ const scopes = headers["x-oauth-scopes"].split(/\s*,\s*/g);
115
+ if (
116
+ !scopes.includes("repo") &&
117
+ (_private || !scopes.includes("public_repo"))
118
+ ) {
119
+ errors.push(getError("EGHNOSCOPE", { scopes }));
120
+ }
121
+ }
122
+
110
123
  // Verify if Repository Name wasn't changed
111
124
  const parsedCloneUrl = parseGithubUrl(clone_url);
112
125
  if (
@@ -122,7 +135,7 @@ export default async function verify(pluginConfig, context, { Octokit }) {
122
135
  // Do not check for permissions in GitHub actions, as the provided token is an installation access token.
123
136
  // octokit.request("GET /repos/{owner}/{repo}", {repo, owner}) does not return the "permissions" key in that case.
124
137
  // But GitHub Actions have all permissions required for @semantic-release/github to work
125
- if (!env.GITHUB_ACTION && !permissions?.push) {
138
+ if (!env.GITHUB_ACTION && !(permissions?.push && permissions?.maintain)) {
126
139
  // If authenticated as GitHub App installation, `push` will always be false.
127
140
  // We send another request to check if current authentication is an installation.
128
141
  // Note: we cannot check if the installation has all required permissions, it's
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@semantic-release/github",
3
3
  "description": "semantic-release plugin to publish a GitHub release and comment on released Pull Requests/Issues",
4
- "version": "10.1.7",
4
+ "version": "10.2.0",
5
5
  "type": "module",
6
6
  "author": "Pierre Vanduynslager (https://twitter.com/@pvdlg_)",
7
7
  "ava": {
@@ -127,5 +127,5 @@
127
127
  "github>semantic-release/.github:renovate-config"
128
128
  ]
129
129
  },
130
- "packageManager": "npm@10.8.2"
130
+ "packageManager": "npm@10.8.3"
131
131
  }