GitHub Pull Request does not work when using a fine-grained access token #13293
Comments
Thanks for the feedback, I've clarified the permissions needed in 6a60520. As for creating the pull requests, I know this works for many of our customers, so it might also be something in the repository configuration. Do you have any specific branch rules that might prohibit this?
There are branch protection rules in the upstream repository, but not in the fork where Weblate is pushing to. In fact, the pushing is succeeding, but the pull requesting is failing. It must be something to do with the fine-grained tokens because I have temporarily switched to classical tokens and it's working.
The pull request goes to the upstream repository, does Weblate have the pull request permission there?
I'm a bit confused, anybody on GitHub can make a PR to the upstream repository, as it's a public user (non-organization) repository, so surely it shouldn't require any special permissions? The REST API docs state that:
The bot account has write access to the source branch.
Are you at least able to reproduce the issue using the steps provided? You can use my repository (https://github.com/Earthcomputer/clientcommands) if you like.
Based on https://docs.github.com/rest/pulls/pulls#create-a-pull-request you need "Pull requests" repository permissions (write) permission on the target repository to create a pull request. So it won't work if you only have a fine-grained token with permissions only to the cloned repository. The fine-grained tokens can be confusing in this, but you need to grant it access to both repositories to make it work in the fork/pull request workflow.
I don't see where in those docs it specifies that, but it would definitely explain the problem if that were the case. It's a very strange requirement given that you can create pull requests without permission from the target repository using classical tokens (or indeed via the UI). I will try and find out how to grant this permission tomorrow, but I would definitely consider this a defect on GitHub's side if it is necessary, as it really doesn't make sense.
It kind of makes sense, the fine-grained token is there to explicitly define the scope where the token can be used. But at the same time, it is confusing as a pull request on a public repository is something people expect to work. Still, I'm just describing what I observe and I might be wrong.
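To make the per-repository scoping discussed in this thread concrete, here is an added example (not Weblate's or GitHub's code) that reports which fine-grained permission a token lacks on which repository. It assumes the `X-Accepted-GitHub-Permissions` response header that GitHub's REST API documents, with commas joining permissions required together and semicolons separating alternative sets; the repository names, grants and header values are constructed.

```python
# Added example: find the permission gap per repository for a fine-grained token.
# Assumption: header format "perm=level,perm=level; perm=level" as documented by GitHub.
LEVELS = {"none": 0, "read": 1, "write": 2}


def parse_accepted(header):
    """Split the header into a list of alternative {permission: level} sets."""
    alternatives = []
    for alt in header.split(";"):
        needed = {}
        for item in alt.split(","):
            if "=" in item:
                name, level = item.split("=", 1)
                needed[name.strip()] = level.strip()
        if needed:
            alternatives.append(needed)
    return alternatives


def missing(granted, header):
    """Smallest set of permissions to add so one alternative is met ({} if none)."""
    best = None
    for needed in parse_accepted(header):
        gap = {
            name: level
            for name, level in needed.items()
            # Unknown levels are treated as unmet rather than silently accepted.
            if LEVELS.get(granted.get(name, "none"), 0) < LEVELS.get(level, 99)
        }
        if best is None or len(gap) < len(best):
            best = gap
    return best or {}


def audit(token_grants, calls):
    """Map each failing step to (repository, missing permissions).

    A repository absent from token_grants was not selected for the token,
    so the token holds no permissions there.
    """
    report = {}
    for step, repo, header in calls:
        gap = missing(token_grants.get(repo, {}), header)
        if gap:
            report[step] = (repo, gap)
    return report


# Constructed sample: the token was granted access to the fork only.
GRANTS = {"bot/fork": {"contents": "write", "pull_requests": "write"}}
CALLS = [("list fork PRs", "bot/fork", "pull_requests=read"),
         ("open pull request", "upstream/project", "pull_requests=write")]
```

Granting the reported permission on the upstream repository only, rather than widening the token to all repositories, keeps the token least-privileged.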
Describe the issue
When I am using a self-hosted instance of Weblate to create a pull request (via a fork), the log is printing:
I already tried
Steps to reproduce the behavior
GITHUB_CREDENTIALS
as specified in the documentation
Expected behavior
The pull request is created successfully
Screenshots
Exception traceback
No response
How do you run Weblate?
Docker container
Weblate versions
Weblate deploy checks
Additional context
I think this might be on GitHub's end but I'm not sure, maybe the permissions have changed.