feat: log when using fine-grained PATs (#20097)

Co-authored-by: Rhys Arkins <rhys@arkins.net>

lib/modules/platform/github/index.md

@@ -2,7 +2,8 @@
 
 ## Authentication
 
-First, [create a Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) for the bot account, select `repo` scope.
+First, [create a classic Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic) for the bot account, select `repo` scope.
+Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.
 
 Let Renovate use your PAT by doing _one_ of the following:
 

lib/modules/platform/github/index.spec.ts

@@ -56,6 +56,14 @@ describe('modules/platform/github/index', () => {
       );
     });
 
+    it('should throw if fine-grained token', async () => {
+      await expect(
+        github.initPlatform({ token: 'github_pat_XXXXXX' })
+      ).rejects.toThrow(
+        'Init: Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.'
+      );
+    });
+
     it('should throw if user failure', async () => {
       httpMock.scope(githubApiHost).get('/user').reply(404);
       await expect(github.initPlatform({ token: '123test' })).rejects.toThrow();

lib/modules/platform/github/index.ts

@@ -129,6 +129,11 @@ export async function initPlatform({
   if (!token) {
     throw new Error('Init: You must configure a GitHub token');
   }
+  if (token.startsWith('github_pat_')) {
+    throw new Error(
+      'Init: Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.'
+    );
+  }
   token = token.replace(/^ghs_/, 'x-access-token:ghs_');
   platformConfig.isGHApp = token.startsWith('x-access-token:');
 

lib/workers/global/config/parse/__snapshots__/env.spec.ts.snap

@@ -1,5 +1,12 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`workers/global/config/parse/env .getConfig(env) does not support GitHub fine-grained PATs 1`] = `
+{
+  "hostRules": [],
+  "token": "a github.com token",
+}
+`;
+
 exports[`workers/global/config/parse/env .getConfig(env) supports Azure DevOps 1`] = `
 {
   "endpoint": "an Azure DevOps endpoint",

lib/workers/global/config/parse/env.spec.ts

@@ -148,6 +148,16 @@ describe('workers/global/config/parse/env', () => {
       });
     });
 
+    it('does not support GitHub fine-grained PATs', () => {
+      const envParam: NodeJS.ProcessEnv = {
+        GITHUB_COM_TOKEN: 'github_pat_XXXXXX',
+        RENOVATE_TOKEN: 'a github.com token',
+      };
+      expect(env.getConfig(envParam)).toMatchSnapshot({
+        token: 'a github.com token',
+      });
+    });
+
     it('supports GitHub custom endpoint and gitlab.com', () => {
       const envParam: NodeJS.ProcessEnv = {
         RENOVATE_ENDPOINT: 'a ghe endpoint',

lib/workers/global/config/parse/env.ts

@@ -133,12 +133,18 @@ export function getConfig(inputEnv: NodeJS.ProcessEnv): AllConfig {
   });
 
   if (env.GITHUB_COM_TOKEN) {
-    logger.debug(`Converting GITHUB_COM_TOKEN into a global host rule`);
-    config.hostRules.push({
-      hostType: 'github',
-      matchHost: 'github.com',
-      token: env.GITHUB_COM_TOKEN,
-    });
+    if (env.GITHUB_COM_TOKEN.startsWith('github_pat_')) {
+      logger.warn(
+        'GITHUB_COM_TOKEN: Fine-grained Personal Access Tokens do not support do not support the GitHub GraphQL API. Use a classic PAT instead.'
+      );
+    } else {
+      logger.debug(`Converting GITHUB_COM_TOKEN into a global host rule`);
+      config.hostRules.push({
+        hostType: 'github',
+        matchHost: 'github.com',
+        token: env.GITHUB_COM_TOKEN,
+      });
+    }
   }
 
   // These env vars are deprecated and deleted to make sure they're not used