feat(github): support fine-grained token (#23810)

2025-01-11 22:46:27 +00:00 · 2023-08-16 13:53:48 +08:00 · 2023-08-16 13:53:48 +08:00 · 8ad31261d7
commit 8ad31261d7
parent a36424771a
6 changed files with 75 additions and 30 deletions
--- a/lib/modules/platform/github/index.spec.ts
+++ b/lib/modules/platform/github/index.spec.ts
@ -57,14 +57,55 @@ describe('modules/platform/github/index', () => {
      );
    });

-    it('should throw if fine-grained token', async () => {
+    it('should throw if using fine-grained token with GHE <3.10 ', async () => {
+      httpMock
+        .scope('https://ghe.renovatebot.com')
+        .head('/')
+        .reply(200, '', { 'x-github-enterprise-version': '3.9.0' });
      await expect(
-        github.initPlatform({ token: 'github_pat_XXXXXX' })
+        github.initPlatform({
+          endpoint: 'https://ghe.renovatebot.com',
+          token: 'github_pat_XXXXXX',
+        })
      ).rejects.toThrow(
-        'Init: Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.'
+        'Init: Fine-grained Personal Access Tokens do not support GitHub Enterprise Server API version <3.10 and cannot be used with Renovate.'
      );
    });

+    it('should throw if using fine-grained token with GHE unknown version ', async () => {
+      httpMock.scope('https://ghe.renovatebot.com').head('/').reply(200);
+      await expect(
+        github.initPlatform({
+          endpoint: 'https://ghe.renovatebot.com',
+          token: 'github_pat_XXXXXX',
+        })
+      ).rejects.toThrow(
+        'Init: Fine-grained Personal Access Tokens do not support GitHub Enterprise Server API version <3.10 and cannot be used with Renovate.'
+      );
+    });
+
+    it('should support fine-grained token with GHE >=3.10', async () => {
+      httpMock
+        .scope('https://ghe.renovatebot.com')
+        .head('/')
+        .reply(200, '', { 'x-github-enterprise-version': '3.10.0' })
+        .get('/user')
+        .reply(200, { login: 'renovate-bot' })
+        .get('/user/emails')
+        .reply(200, [{ email: 'user@domain.com' }]);
+      expect(
+        await github.initPlatform({
+          endpoint: 'https://ghe.renovatebot.com',
+          token: 'github_pat_XXXXXX',
+        })
+      ).toEqual({
+        endpoint: 'https://ghe.renovatebot.com/',
+        gitAuthor: 'undefined <user@domain.com>',
+        renovateUsername: 'renovate-bot',
+        token: 'github_pat_XXXXXX',
+      });
+    });
+
    it('should throw if user failure', async () => {
      httpMock.scope(githubApiHost).get('/user').reply(404);
      await expect(github.initPlatform({ token: '123test' })).rejects.toThrow();
--- a/lib/modules/platform/github/index.ts
+++ b/lib/modules/platform/github/index.ts
@ -23,6 +23,7 @@ import {
 import { logger } from '../../../logger';
 import type { BranchStatus, VulnerabilityAlert } from '../../../types';
 import { ExternalHostError } from '../../../types/errors/external-host-error';
+import { isGithubFineGrainedPersonalAccessToken } from '../../../util/check-token';
 import * as git from '../../../util/git';
 import { listCommitTree, pushCommitToRenovateRef } from '../../../util/git';
 import type {
@ -133,11 +134,6 @@ export async function initPlatform({
  if (!token) {
    throw new Error('Init: You must configure a GitHub token');
  }
-  if (token.startsWith('github_pat_')) {
-    throw new Error(
-      'Init: Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.'
-    );
-  }
  token = token.replace(/^ghs_/, 'x-access-token:ghs_');
  platformConfig.isGHApp = token.startsWith('x-access-token:');

@ -149,6 +145,20 @@ export async function initPlatform({
  }

  await detectGhe(token);
+  /**
+   * GHE requires version >=3.10 to support fine-grained access tokens
+   * https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#authentication
+   */
+  if (
+    isGithubFineGrainedPersonalAccessToken(token) &&
+    platformConfig.isGhe &&
+    (!platformConfig.gheVersion ||
+      semver.lt(platformConfig.gheVersion, '3.10.0'))
+  ) {
+    throw new Error(
+      'Init: Fine-grained Personal Access Tokens do not support GitHub Enterprise Server API version <3.10 and cannot be used with Renovate.'
+    );
+  }

  let renovateUsername: string;
  if (username) {
--- a/lib/util/check-token.spec.ts
+++ b/lib/util/check-token.spec.ts
@ -246,7 +246,7 @@ describe('util/check-token', () => {
      ).toBe(githubToken);
    });

-    it('take personal assess token over fine grained token', () => {
+    it('take personal access token over fine grained token', () => {
      const githubToken = 'ghp_github';
      const gitTagsGithubToken = 'github_pat_gitTags';
      expect(
--- a/lib/workers/global/config/parse/snapshots/env.spec.ts.snap
+++ b/lib/workers/global/config/parse/snapshots/env.spec.ts.snap
@ -1,12 +1,5 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP

-exports[`workers/global/config/parse/env .getConfig(env) does not support GitHub fine-grained PATs 1`] = `
-{
-  "hostRules": [],
-  "token": "a github.com token",
-}
-`;
-
 exports[`workers/global/config/parse/env .getConfig(env) supports Azure DevOps 1`] = `
 {
  "endpoint": "an Azure DevOps endpoint",
--- a/lib/workers/global/config/parse/env.spec.ts
+++ b/lib/workers/global/config/parse/env.spec.ts
@ -161,13 +161,20 @@ describe('workers/global/config/parse/env', () => {
      });
    });

-    it('does not support GitHub fine-grained PATs', () => {
+    it('supports GitHub fine-grained PATs', () => {
      const envParam: NodeJS.ProcessEnv = {
        GITHUB_COM_TOKEN: 'github_pat_XXXXXX',
        RENOVATE_TOKEN: 'a github.com token',
      };
-      expect(env.getConfig(envParam)).toMatchSnapshot({
+      expect(env.getConfig(envParam)).toEqual({
        token: 'a github.com token',
+        hostRules: [
+          {
+            hostType: 'github',
+            matchHost: 'github.com',
+            token: 'github_pat_XXXXXX',
+          },
+        ],
      });
    });

--- a/lib/workers/global/config/parse/env.ts
+++ b/lib/workers/global/config/parse/env.ts
@ -164,18 +164,12 @@ export function getConfig(inputEnv: NodeJS.ProcessEnv): AllConfig {
  });

  if (env.GITHUB_COM_TOKEN) {
-    if (env.GITHUB_COM_TOKEN.startsWith('github_pat_')) {
-      logger.warn(
-        'GITHUB_COM_TOKEN: Fine-grained Personal Access Tokens do not support the GitHub GraphQL API. Use a classic PAT instead.'
-      );
-    } else {
-      logger.debug(`Converting GITHUB_COM_TOKEN into a global host rule`);
-      config.hostRules.push({
-        hostType: 'github',
-        matchHost: 'github.com',
-        token: env.GITHUB_COM_TOKEN,
-      });
-    }
+    logger.debug(`Converting GITHUB_COM_TOKEN into a global host rule`);
+    config.hostRules.push({
+      hostType: 'github',
+      matchHost: 'github.com',
+      token: env.GITHUB_COM_TOKEN,
+    });
  }

  // These env vars are deprecated and deleted to make sure they're not used