fix: skip permission verification exception when Github Apps

[psalaberria002]

Similar to Github Actions, when using installation tokens from Github Apps the verification should be skipped.

Should we use a more generic flag for skipping the permission validation? e.g. SKIP_PERMISSIONS?

I will add the relevant docs to the Readme once I get the ok.

[gr2m]

where does the GITHUB_APP environment variable come from? If it's a custom environment variable that you set in your particular case, then I don't think we should add a check for it to semantic-release

[gr2m]

Can you share your semantic-release setup? I wonder how you create an installation access token and pass it to semantic release :)

[psalaberria002]

This is running in Jenkins with the new auth method for the Github plugin. See https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

Example:

withCredentials([usernamePassword(credentialsId: scm.userRemoteConfigs[0].credentialsId, passwordVariable: 'GH_TOKEN', usernameVariable: 'GH_USER')]) {
              sh("GH_TOKEN=${GH_TOKEN} npx semantic-release")
            }

Github Apps create installation tokens the same way Github Actions do. These tokens have short expiration time.

The flag will need to be provided as an extra environment variable. Something like the following:

withCredentials([usernamePassword(credentialsId: scm.userRemoteConfigs[0].credentialsId, passwordVariable: 'GH_TOKEN', usernameVariable: 'GH_USER')]) {
              sh("SKIP_PERMISSION_VERIFICATION="true" GH_TOKEN=${GH_TOKEN} npx semantic-release")
            }

Github Apps have lots of advantages over personal access tokens. Higher rate limits, scopes permissions,...

[gr2m]

Is see.

I wish there was a way to check if the current installation has access and the required permissions, but I don't think there is right now.

I suggest to add a skipVerify option to address your use case. Would that work for you?

[psalaberria002]

That should work. I will try to add that flag.

[gr2m]

Good point, I think we shouldn't skip all the verifications, only the permissions verifications 🤔

I have another idea. We could send a request that is guaranteed to succeed when authenticated as an installation, but fail otherwise. I would suggest we send a HEAD /installation/repositories. We are only interested in the response status, and sending a HEAD is faster than a GET.

What I would like to try is the following:

If push is false here, send the following request

// If authenticated as GitHub App installation, `push` will always be false.
// We send another request to check if current authentication is an installation.
// Note: we cannot check if the installation has all required permissions, it's
// up to the user to make sure it has
if (await github.request('HEAD /installation/repositories', { per_page: 1 }).catch(() => return false) {
  return
}

I think I'd prefer doing that check to address your specific use case, over adding a new configuration option. What do you think?

For testing: HEAD /installation/repositories responds with a 200 status without a body if it succeeds, and with a 403 status if it fails

[gr2m]

looks good 👍

[semantic-release-bot]

🎉 This PR is included in version 7.0.7 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[psalaberria002]

@gr2m I don't think this is working as expected. "Accept: application/vnd.github.machine-man-preview+json" is needed in installation/repositories. How do you handle that?

[psalaberria002]

And there is an issue in the semantic-release repo aswell, which needs to be solved like semantic-release/semantic-release@cb2c506