Using hub from GitHub Actions

[rtimush]

When hub api is called from a GitHub Action with a GITHUB_TOKEN available without any additional configuration it fails with "Bad credentials".

Command:

HUB_VERBOSE=true hub api /repos/rtimush/test/git/refs

Output:

$ git rev-parse -q --git-dir
$ git remote -v
$ git config --get-all hub.host
> GET https://api.github.com/user
> Authorization: token [REDACTED]
> Accept: application/vnd.github.v3+json;charset=utf-8
< HTTP 403
{"message":"Resource not accessible by integration","documentation_url":"https://developer.github.com/v3/users/#get-the-authenticated-user"}
> GET https://api.github.com/repos/rtimush/test/git/refs
> Authorization: token 
> Accept: application/vnd.github.v3+json;charset=utf-8
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}

[rtimush]

The workaround I found is to write GITHUB_TOKEN to ~/.config/hub and to unset the environment variable. Then hub doesn't call /user API and uses the token directly.

[mislav]

Thank you @rtimush; this is useful information. I was not aware of the "Resource not accessible by integration" API limitation. I shall file this as a bug and will think about how to avoid automatically querying /user when GITHUB_TOKEN is provided. Hub uses this endpoint solely to get the username of the currenly authenticated actor— maybe we can get that information another way?

[mislav]

@rtimush For clarity, can you tell us more what kind of action uses hub and how you set it up roughly? Thank you

[rtimush]

The action I'm trying to create is a script that reacts on push events, and issues a couple of hub api calls first creating git references for the already existing commits, and then creating pull requests from them. Basically, I am using hub as a smarter curl.

[ghost]

I'd like to add that we're running into the same issue.
Specifically we are trying to use hub release to push some artifacts to our releases from our CI during post build steps.
But in testing, it seems any of the hub non-git commands are returning a 403.

$ hub release show v2.60.0
$ git rev-parse -q --git-dir
$ git remote -v
$ git config --get-all hub.host
> GET https://api.github.com/user
> Authorization: token [REDACTED]
> Accept: application/vnd.github.v3+json;charset=utf-8
< HTTP 403
{"message":"Resource not accessible by integration","documentation_url":"https://developer.github.com/v3/users/#get-the-authenticated-user"}
> GET https://api.github.com/repos/.../releases?per_page=100
> Authorization: token
> Accept: application/vnd.github.v3+json;charset=utf-8
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
Error fetching releases: Unauthorized (HTTP 401)
Bad credentials

It also would be helpful if hub failed on the 403. We were getting just the 401 without setting verbose, which lead us down a hole of checking our token creation and integration permissions.

[mislav]

You may now work around this by upgrading hub to v2.12.3 and setting the GITHUB_USER environment variable. This value is seldom used for any command, so you can even set it to a dummy value (the recommended value is the owner of the current repo, even if it's an org).

Let me know how using hub from Actions goes! 🙌

[rtimush]

Everything looks good now, thanks!