How to give write permission to a team for a repository using Octokit/GitHub API? - github

I'm using JavaScript and Octokit to dynamically create repositories in an organization and set a series of options.
Everything works, except adding write permissions to a team for the repository created.
Just to be clear, by write permission I mean the ones that can be set through the repository settings:
Settings > Collaborators and teams > Manage Access > Role: Write
What I've been trying to use so far, was the octokit.rest.teams.addOrUpdateRepoPermissionsInOrg function in Octokit, documented here, like this:
octokit.rest.teams.addOrUpdateRepoPermissionsInOrg({
  org: "org-name",
  team_slug: "team-name",
  owner: "owner-name",
  repo: "repo-name",
  permission: "write", // this value is what triggers the Validation Failed error
});
When doing this, I receive a Validation Failed error.
Checking the relative documentation on the GitHub API docs, it effectively seems that the valid values for permission are: pull, push, admin, maintain, triage
So I guess that I'm simply using the wrong function.
But what's the correct one to change that kind of permission?

I managed to make it work: apparently, the push permission in the API corresponds to the write permission in the GitHub web interface.
FYI: this seems like a discrepancy, so I opened an issue.

Related

I am not able to filter issue via github search api

I am a collaborator for a private repository and able to edit, push code, create issues, close issues, etc on it. I am trying to create a report of issues open and closed on the repository. To achieve this I needed to get issues based on time interval and label. I found that the GitHub search API will be useful for me.
I started out by creating a token (PAT) giving it the whole repo scope
Then to test the API I hit the below URL with the token
https://api.github.com/search/issues?q=repo:orgname/reponame
I am able to get the results.
Then I tried to narrow down by adding is:issue and is:closed qualifier using the same token
https://api.github.com/search/issues?q=repo:orgname/reponame+is:issue+is:closed
I got the below response
{
  "message": "Validation Failed",
  "errors": [
    {
      "message": "The listed users and repositories cannot be searched either because the resources do not exist or you do not have permission to view them.",
      "resource": "Search",
      "field": "q",
      "code": "invalid"
    }
  ],
  "documentation_url": "https://docs.github.com/v3/search/"
}
The issues are present and I can search it on Github website, but couldn't via github search api. I am able to apply a repo qualifier but couldn't add any other qualifiers.
What am I missing here?
There are two things I've found that can cause this.
In your case it's likely permissions since your encoding appears to be fine.
Searching specifically for PRs or Issues on private repos requires 'content' permissions (this is incorrectly documented in the GitHub docs as requiring metadata permissions). If a user has no public repos but they do have private ones then you get a permission error like the above, rather than the empty response that you get if they have no repos of any kind or only public repos but no matching results.
The other thing I've found that causes this is incorrect encoding of the query. An easy error to make there (from experience) is having the + sign in the query and then encoding it. This encodes the + as %3A whereas what you want is a space between each query term. The space is then encoded as +. Making this encoding mistake will also result in the same permission/not found error.
I appreciate this is probably a little late for you, but hopefully it helps others.
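The encoding pitfall described in the answer above, as an added example that is not part of the original posts: qualifiers joined with spaces and encoded by `URLSearchParams`, next to the literal-`+` mistake. The function names are hypothetical and the repository is the placeholder from the question.

```javascript
// Added example; function names are hypothetical.
const BASE = "https://api.github.com/search/issues";

// Correct: join qualifiers with spaces; URLSearchParams encodes each space as "+".
function buildIssueSearchUrl(qualifiers) {
  const url = new URL(BASE);
  url.searchParams.set("q", qualifiers.join(" "));
  return url.toString();
}

// Mistake: join with a literal "+" and then percent-encode the whole string.
// The "+" becomes %2B, which decodes to a literal plus sign, not a separator.
function buildIssueSearchUrlWrong(qualifiers) {
  return BASE + "?q=" + encodeURIComponent(qualifiers.join("+"));
}

// The search terms the server ends up with after decoding the query string.
function decodedTerms(urlString) {
  return new URL(urlString).searchParams.get("q").split(" ");
}

const qualifiers = ["repo:orgname/reponame", "is:issue", "is:closed"];
console.log(buildIssueSearchUrl(qualifiers));
console.log(decodedTerms(buildIssueSearchUrl(qualifiers)));      // three terms
console.log(decodedTerms(buildIssueSearchUrlWrong(qualifiers))); // one fused term
```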

Azure DevOps/VSTS REST API does not get changes of a changeset

I'm trying to get the changes of a changeset but it returns 404. I used this:
https://<myname>.visualstudio.com/<projectname>/_apis/tfvc/changesets/291/changes
changeset exists
without the '/changes' it works, returns the changeset info but I also need the merge sources
tried to specify the API version (e.g.: api-version-5.0)
I created a full control Personal Access Token for the client app but no luck. I tried to use this link in the browser and I got the same result: it works only without '/changes'.
What did I do wrong?
As this is an old Q, this is for anyone else who has the same problem: the projectname needs to be removed from the request.
https://<myname>.visualstudio.com/_apis/tfvc/changesets/291/changes
You look at the docs and sure enough it's not there but most other REST calls require a project name, so it can be confusing.
Also the docs are not very clear that you can interchange https://{myName}.visualstudio.com/ for the documented https://dev.azure.com/{organization}

Get a list of who has what access to git repositories

Using VSTS APIs, I'm trying to get a list of who has what access to each of our git repositories in VSTS.
I have the security namespaceId for Git and I pass this namespaceId to the Security -> Access Control List API described here:
https://www.visualstudio.com/en-us/docs/integrate/api/security/acls
GET https://xxxxxxxx.visualstudio.com/DefaultCollection/_apis/accesscontrollists/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/?api-version=1.0&recurse=true&includeExtendedInfo=false
Drilling into the response, I can see it is listing the permissions for each repo, along with ref and tags.
Each object contains "acesDictionary", which itself is an object with keys that look like this:
Microsoft.IdentityModel.Claims.ClaimsIdentity;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\emailaddress#example.com
How do I decipher a ClaimsIdentity? My first thought was that the UUID in the ClaimsIdentity is the UUID of the user in my VSTS project, but it is not. I know the email address is there so I suppose I could use that, but now I'm curious what the UUID in ClaimsIdentity represents. The VSTS API docs don't mention this.
Is Security -> Access Control Lists even the right place where I should be looking? My main goal is trying to get a list of who has what access to VSTS git repositories.
Through tech support, I was able to reach a Microsoft representative who shared with me that the documentation for mapping identity descriptors isn't available yet but will hopefully be released soon. In the meantime, there is an endpoint to crosswalk identity descriptors which looks something like this:
GET {account}.vssps.visualstudio.com/_apis/identities?descriptors={commaSeparatedDescriptorsList}&api-version={apiVersion}
Note that this call is made through SPS {account}.vssps.visualstudio.com and not through your account instance {account}.visualstudio.com
Using my example, it would look something like this (uuid obfuscated):
https://xxxxx.vssps.visualstudio.com/_apis/identities?descriptors=Microsoft.TeamFoundation.ServiceIdentity;ffead5b1-5121-4e0e-a439-bbecb4999eba:Build:c4bfb762-a246-46c9-ba9a-7e6c53386b11&api-version=4.0
Also, if the descriptor is of type Microsoft.IdentityModel.Claims.ClaimsIdentity, then you'll likely have escaped backslashes in your descriptor which you'll need to un-escape. For example, if you have:
"Microsoft.IdentityModel.Claims.ClaimsIdentity;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\someone#example.com"
You'll need to un-escape this descriptor so that it looks like this:
"Microsoft.IdentityModel.Claims.ClaimsIdentity;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\someone#example.com"
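The descriptor handling from the answer above, as an added example that is not part of the original posts: it reads the `acesDictionary` keys from an ACL response body, shows where the backslash un-escaping happens, and builds the identities lookup URL. The function names and the sample response are constructed for illustration; only the endpoint shape comes from the answer.

```javascript
// Constructed sample of an ACL response body (raw JSON text); GUIDs and token are placeholders.
const SAMPLE_ACL_BODY = String.raw`{"value":[{"token":"PLACEHOLDER-TOKEN","acesDictionary":{
  "Microsoft.IdentityModel.Claims.ClaimsIdentity;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\someone#example.com":
    {"allow":2,"deny":0},
  "Microsoft.TeamFoundation.ServiceIdentity;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:Build:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx":
    {"allow":4,"deny":0}}}]}`;

// JSON.parse already turns the escaped "\\" in each key into a single "\".
function collectDescriptors(aclBody) {
  const byDescriptor = new Map();
  for (const acl of JSON.parse(aclBody).value) {
    for (const [descriptor, ace] of Object.entries(acl.acesDictionary || {})) {
      if (!byDescriptor.has(descriptor)) byDescriptor.set(descriptor, []);
      byDescriptor.get(descriptor).push({ token: acl.token, allow: ace.allow, deny: ace.deny });
    }
  }
  return byDescriptor;
}

// For a descriptor copied out of raw JSON text instead of parsed: collapse "\\" to "\".
function unescapeDescriptor(rawText) {
  return rawText.replace(/\\\\/g, "\\");
}

// Build the SPS identities lookup URL; each descriptor is percent-encoded so
// that ";", "\" and "#" reach the server as data.
function identitiesUrl(account, descriptors, apiVersion) {
  const list = descriptors.map(encodeURIComponent).join(",");
  return `https://${account}.vssps.visualstudio.com/_apis/identities` +
    `?descriptors=${list}&api-version=${apiVersion}`;
}

const descriptors = [...collectDescriptors(SAMPLE_ACL_BODY).keys()];
console.log(identitiesUrl("xxxxx", descriptors, "4.0"));
```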

Restrict users from deleting tag in GitHub

Want to restrict all users in GitHub from deleting an existing tag. Please let us know if there is any way to achieve it. I have found one article where we can protect branches: https://github.com/blog/2051-protected-branches-and-required-status-check
Similarly if there is something through which we can protect tags in GitHub.
That seems to have been implemented in March 2022, as illustrated by the changelog post:
Tag protection rules
Repository owners can now configure tag protection rules to protect tags in all public repositories and in private repositories on the Pro, Teams or Enterprise plans on GitHub.
Once protected by a tag protection rule, tags matching specified patterns can only be created and deleted by users with "Maintain" or "Admin" permissions to the repository.
For more information, see our documentation.
And, now in public beta:
Protected tags
Our beta tag protection feature gives repo admins the option to protect tags on their repo.
If they choose to do so, only maintainers and admins will be able to create these tags, and only admins will be able to modify or delete these tags.
Tags are protected by patterns - you could protect all tags by using the "*" pattern, but you don’t have to.
To set up and manage these tag protections, we’ve introduced three endpoints, which any repo admin should be able to use:
GET /repos/{owner}/{repo}/tags/protection
Returns a list of tag protection rules.
POST /repos/{owner}/{repo}/tags/protection
Creates a new tag protection rule. Payload must include a pattern - example:
curl -H "Authorization: token $GITHUB_TOKEN" \
  -XPOST -d '{"pattern": "*"}' \
  https://api.github.com/repos/JasonEtco/testing/tags/protection
{
  "id": 123456,
  "pattern": "*",
  "created_at": "2022-01-12T12:01:47.094-05:00",
  "updated_at": "2022-01-12T12:01:47.094-05:00"
}
DELETE /repos/{owner}/{repo}/tags/protection/{tag_protection_id}
Deletes a tag protection rule.
GitHub currently does not support protecting tags. This means anyone with write access to a repository can push any tag and delete any existing tag. (Unfortunately, I could not find references for this. Thus, today I did an experiment from an account with Collaborator access to a repository owned by a different account, and the Collaborator could push any tag and delete any existing tag. Repository settings only allow protecting branches, not tags.)
There is an open feature request in the GitHub support community, where a GitHub staff member commented in February 2019 that they "are tracking an internal issue about this".
As a workaround, GitHub support suggests to "set up a webhook to be notified if a tag is deleted using [their] API: https://developer.github.com/v3/activity/events/types/#deleteevent ". You could create a GitHub Actions workflow triggered by the delete event, where you could check whether a user (sender field) is allowed to delete a given tag. If deletion is not allowed, you could restore the tag.
Competing products, such as GitLab and Bitbucket Server, apparently do support tag protection.
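The decision step of the webhook workaround described in the answer above, as an added example that is not part of the original posts. `planTagRestore`, `allowedDeleters` and `tagIndex` are hypothetical names, and the sample payload is constructed; it assumes tag SHAs were recorded before the deletion, because the delete payload does not carry one.

```javascript
// Added example; planTagRestore, allowedDeleters and tagIndex are hypothetical names.
// event: a webhook "delete" payload (fields used: ref, ref_type, sender.login,
// repository.full_name). The payload carries no commit SHA, so a tag can only
// be restored if its SHA was recorded beforehand (tagIndex: tag name -> SHA).
function planTagRestore(event, allowedDeleters, tagIndex) {
  if (event.ref_type !== "tag") {
    return { action: "ignore", reason: "deleted ref is not a tag" };
  }
  const login = event.sender ? event.sender.login : undefined;
  if (login !== undefined && allowedDeleters.has(login)) {
    return { action: "allow", reason: `${login} may delete tags` };
  }
  const sha = tagIndex.get(event.ref);
  if (sha === undefined) {
    // Nothing to restore from: surface it to a human instead of guessing.
    return { action: "alert", reason: `no recorded SHA for tag ${event.ref}` };
  }
  const [owner, repo] = event.repository.full_name.split("/");
  return {
    action: "restore",
    reason: `${login} is not allowed to delete tag ${event.ref}`,
    // Request for the "create a reference" endpoint; sending it is left to the caller.
    request: {
      method: "POST",
      path: `/repos/${owner}/${repo}/git/refs`,
      body: { ref: `refs/tags/${event.ref}`, sha },
    },
  };
}

// Constructed sample payload and state (not real data).
const sampleEvent = {
  ref: "v1.2.0",
  ref_type: "tag",
  sender: { login: "some-collaborator" },
  repository: { full_name: "example-org/example-repo" },
};
const allowedDeleters = new Set(["release-manager"]);
const tagIndex = new Map([["v1.2.0", "0123456789abcdef0123456789abcdef01234567"]]);
console.log(planTagRestore(sampleEvent, allowedDeleters, tagIndex));
```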

GitHub Gist API patch doesn't work?

I am creating anonymous Gists using Postman. The Gists get created successfully but when I try to patch them, I get:
{
  "message": "Not Found",
  "documentation_url": "https://developer.github.com/v3/gists/#edit-a-gist"
}
The URL I am using is:
https://api.github.com/gists/14694f43065a32ec28ad
If I do a GET, it works fine. If I do a PATCH, I get an error message.
What's wrong here?
You can read and create anonymous gists, but you cannot edit them. If you want to create, read, update and delete, use authentication.
In the Authentication section, it says:
You can read public gists and create them for anonymous users without a token; however, to read or write gists on a user's behalf the gist OAuth scope is required.
You will get the same 404–Not found error if you just try to git push some commits into an anonymous gist.
$ git push
Username for 'https://gist.github.com': IonicaBizau
Password for 'https://IonicaBizau#gist.github.com':
remote: Repository not found.
fatal: repository 'https://gist.github.com/anonymous/5801....d2f/' not found
They don't even provide an edit button on the Gist page for anonymous gists. They do have a Delete button associated with the IP (any user having the anonymous Gist link, being connected on the same network, assuming they get the same public IP, can delete the anonymous gist).
Otherwise you have to contact support for deleting the anonymous gist.