When should you not use GitHub GraphQL API? - github

Much has been written about the benefits of the GitHub GraphQL API. And this is a really great technology. The only thing I can't figure out is in what situations is it still better to use the good old REST API v3?

Github GraphQL API is subject to the following caveats:
GraphQL API can only be accessed using authentication. You need a token to use this API. Thus, you can't use GraphQL in an environment where you can't secure the provisioning of this token. For example, in a web app without github authentication. This is a big caveat, especially for people who want to create web app or scripts that target only public repository informations.
Searching commits and code using the search API is not possible in Github Graphql. Only searching repos, issues and users are supported (for the search API)
some features like comparing commits and getting contributors are not possible yet in Graphql. Another example: you can't recursively get a tree using GraphQL API
some mutations already available in v3 may not yet have been implemented in GraphQL (create commit, create tag, create branch etc...), checkout mutations documentation

Related

Is it possible to fetch the issue/PR templates of a Github repository, via REST API?

I wanted to pre-fill some Github issue/PR creation forms, by fetching the templates from the repository via REST API.
Is this possible? I've searched in the documentation, but I couldn't find an API for this purpose.

How to create a comment with data from endpoint?

At my company, we have a CLI which allows our customers to upload data to our backend solution. The CLI runs on PR changes within a job. Let's assume the uploaded data looks like this:
{
name: "John",
age: 20,
}
Once the upload is completed, I'd like to create a comment on the PR with to following body:
John is 20 years old.
I've found the following ways to do this:
GitHub App (a bot)
GitHub OAuth App
Personal Access Token
GITHUB_TOKEN
GitHub App
The GitHub App needs to do the following things:
Fetch the data via a user-specific API key
Create a comment
I already created a comment via a bot, but I have no clue how to fetch the data.
As far as my understanding goes, I'd like other users to be able to install this GitHub app from the marketplace to work out of the box. From the ProBot Docs I understand that the bot operates on a webhook basis. Meaning I need to subscribe to a 'job completed' event (not sure if that's the correct name but I think you get the idea) and then fetch the data via a user-specific API we are providing on our platform. However, I see no way for the user of our App to configure an API key (or any form of secret) so the bot can make authenticated requests to our endpoints.
I'd prefer to use GitHub App because the comment coming from the bot would have our company branding and also an indicator that this comment has been created by the integration.
OAuth App
I already tested this by using Postman, however, the comment looks like it's coming from a specific user. Therefore, it has no company branding and it's not clear that an integration created the comment. However, the great part is that we could integrate this with our application, so our backend could create the comment once the data is received.
What I like about this approach is that we also need to implement such a feature for GitLab, Azure, etc, and using OAuth likely scales well with the other providers in comparison to the GitHub app, which is GitHub-specific.
Personal Access Token
Works pretty much like the OAuth App, but instead of our backend creating the comment, the comment is created by the CLI (and the access token is passed into the CLI). However, I think this approach is a bit sketchy.
GITHUB_TOKEN
While I haven't tried this yet, I assume that the token has limited but sufficient permissions to create a comment. As of now, I don't know what the comment will look like, but I think we can rather safely pass this into the CLI to create the comment from there. Since the permissions are limited and the token is invalidated after the workflow I see limited risk for the user of our CLI (and services).
Edit: The comment is coming from the github-actions bot, which is not the branding we are looking for, but it's clear that the comment has been created by the integration.
Questions
What's the best way to accomplish what I am trying?
Is there any way I can make this work with GitHub Apps (aka bots)?

Best way to get Github repository info using Service Account

We're building a microservice to interact with Github REST API to read repository information within our organization. At the moment, we use individual user id and personal access token (created for the user id) to access the remote api programmatically.
Our requirement is to have a service account to access the api that has read privileges and no coupling with any individual. I was looking at Github Apps to perform the integration but it seem a bit complicated for our purpose as it focuses on making changes and handling events. We only need to read the repositories and collect information such as pull requests, commits etc. done on those repositories.
Are there any other simpler ways to achieve this?

Get the list of maintainers in GitHub GraphQL API?

I would like to use the GitHub GraphQL API to fetch a list of accounts that have control of a given public repo.
This would include anyone who can:
Make commits
Approve pull requests
Create releases
Administrate the repo
etc.
Is this possible using the GraphQL API? And if so, what would the query be?
This isn't possible in the general case. There's the concept of secret teams where the users aren't publicly visible, and those teams can have access to repositories. The REST API endpoints don't allow you to query the team list of an arbitrary public repository, so the GraphQL endpoints won't allow that, either.

Github Actions v4 API?

I need to interact with Github Actions through some code. I found the v3 API for that, but I've been migrating code to use the v4 API instead. I have not been able to find anything related to github actions on v4, unfortunately. Using introspection won't show "artifacts" or "workflows", except for copying the latter on CloneProjectInput, but, perhaps, there's a feature flag I need to use to get them.
Is there any way to interact with Github Actions through their v4 API?
Not yet: the GitHub Actions API announced last January 2020 is:
still in beta
using the V3 API only
Note that there is a difference between:
GitHub REST API v3
GitHub GraphQL API v4
For now, Actions are exposed through REST, not GraphQL
The request has been made of course:
As of now, the GitHub Actions API enables you to manage GitHub Actions only using the REST API.
I'll be sure to pass on your request for v4 support to the team for consideration.
(that was mid-April 2020)