
I want to add GitHub users as collaborators of an organization repository using the NodeJS octokit/rest library. The library and manually sent requests to the GitHub API respond with HTTP 404 - Not Found, even if my user account has a valid access token with the necessary permissions.

I am trying to add GitHub users as collaborators of an organization repository, no matter if they are members of the organization itself. My requesting user is authenticated through a personal access token with the needed permissions. I am using 'octokit/rest's repos.addCollaborators function with the organization name as owner, the repository name as repo and the username of the user to be added as the username property of the parameter object. The octokit object uses my account's access token for authentication. My user account is owner of the organization.

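```javascript
// Octokit is the client class from the octokit/rest package;
// accessToken holds the personal access token.
this.octokit = new Octokit({
    auth: accessToken,
    // Route the client's log output to the application logger.
    log: {
        debug: (msg) => { logger.debug(`${msg}`); },
        error: (msg) => { logger.error(`${msg}`); },
        info: (msg) => { logger.info(`${msg}`); },
        warn: (msg) => { logger.warn(`${msg}`); }
    },
    userAgent: process.env.APP_NAME
});
// ...
// Add the user as a collaborator; the repository name is the last element of url.
this.octokit.repos.addCollaborator({
    owner: ownername,
    repo: url[url.length - 1],
    username
}).catch((msg) => {
    logger.verbose(`Error message ${msg}`);
});
```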

According to the documentation, I expect that an invite is sent to the user.
Unfortunately, I get 404 Not Found.

The same happens when I use curl:

```shell
# The URL is quoted so the shell does not interpret the "?" in the query string.
curl -u myUsername:token -X PUT "https://api.github.com/repos/:organizationname/:reponame/collaborators/:collaboratorname?permission=push"
```

The same behaviour appears when performing a membership request.

spethso
  • If both your script test and cURL fail, then it sounds like your token is in fact incorrect, and other calls only seem to work because they might be calls that don't require authentication. Renegotiate your access token and try again? – Mike 'Pomax' Kamermans Jul 30 '19 at 15:06
  • @Mike'Pomax'Kamermans I can't list the collaborators with an unauthenticated request, but it works with a token. A new token does not work for the request, either. So I think the token should work. – spethso Jul 30 '19 at 15:15
  • Hang on. Are you using literally that cURL statement, or did you replace the `:reponame` with the actual repo name that github says it is (copy-pasted, _not_ typed, to 100% rule out typos) and the `:collaboratorname` with the actual name according to github (again copy-pasted, _not_ typed) – Mike 'Pomax' Kamermans Jul 30 '19 at 15:18
  • @Mike'Pomax'Kamermans Of course I replaced :organizationname, :reponame and :collaboratorname with the actual names according to github. – spethso Jul 30 '19 at 15:31
  • Another question: you're using `-u` to send a user/password, which would be amazing if github accepted that. Have you tried putting the token in a header, which is the usual approach? (e.g. https://gist.github.com/btoone/2288960#headers ) – Mike 'Pomax' Kamermans Jul 30 '19 at 15:33
  • I also tried sending the original token in a header as in https://developer.github.com/v3/#authentication and https://gist.github.com/btoone/2288960#headers said, which didn't work. Then I tried a third token with less permission which suddenly worked. Thanks for your help! – spethso Jul 30 '19 at 16:10
  • You'll have to update your answer, probably, because there is nothing in that solution that explains _why_ this might be the case, so future visitors with this same problem won't benefit from being told to use a token with fewer permissions: from a token perspective, that's literally the opposite of how the docs claim permissions work. – Mike 'Pomax' Kamermans Jul 30 '19 at 22:53
  • I would love to update the answer, if possible. Unfortunately three persons took a look at this problem and this was the only working solution we found. Of course it's the opposite of how the docs claim permissions work. Nevertheless, this does not mean there can't be any bug. – spethso Aug 01 '19 at 07:02
  • Indeed, so you probably also want to file an issue on the github octokit-javascript repo, so that they can explain (because they're the authority in this matter) what's going on. And then based on their answer you can rewrite your answer to help others, too. Remember that SO is typically your last line of resort, which in this case isn't _quite_ true yet: octokit is open source with a public issue tracker over on https://github.com/octokit/octokit.js/issues – Mike 'Pomax' Kamermans Aug 01 '19 at 14:54
  • `404` for github API unfortunately also means that the user/auth doesn't have access to that particular API – bitsabhi May 24 '21 at 05:40
  • @spethso, a lot of time has passed since you first posted, so you may have moved on. I too am getting 404s with a PAT. I downgraded scopes and it worked intermittently. That leads me to wonder if the problem is that I'm trying to add collaborators too soon after creating the repository. Maybe the repository isn't quite ready yet? Were you also creating the repository in your script? – kaerimasu Jan 23 '22 at 17:51

1 Answer


I tried with several permission scopes. It seems the first two tokens had too many permissions (?!). A working permission scope seems to be "admin:org, notifications, repo, write:discussion".

spethso
  • @NullDev this _is_ the author. They wrote an answer to their own question. – Mike 'Pomax' Kamermans Jul 30 '19 at 22:52
  • Yes, because after 5 days, my colleagues and I found a working solution. Of course this seems stupid and you can delete it, but I'm sure there could be other people facing this problem, too. – spethso Aug 01 '19 at 07:03
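
An added example, not part of the original question, answer or comments: because GitHub also answers 404 when the token lacks access, one way to narrow such a failure down is to compare the `X-OAuth-Scopes` and `X-Accepted-OAuth-Scopes` response headers that GitHub sends for classic personal access tokens. The function names, the partial scope map and the sample responses are constructed for illustration, and it is assumed that the failing response carries these headers and that any one accepted scope is sufficient.

```javascript
// Added example: classify a GitHub REST response from its scope headers.
// Partial parent -> child scope map, after GitHub's OAuth scope documentation.
const IMPLIED = {
  repo: ['public_repo', 'repo:status', 'repo_deployment', 'repo:invite'],
  'admin:org': ['write:org', 'read:org'],
  'write:org': ['read:org'],
};

// "repo, admin:org" -> Set of scopes, including those implied by a parent scope.
function expandScopes(headerValue) {
  const granted = new Set();
  const queue = (headerValue || '').split(',').map((s) => s.trim()).filter(Boolean);
  while (queue.length > 0) {
    const scope = queue.pop();
    if (granted.has(scope)) continue;
    granted.add(scope);
    queue.push(...(IMPLIED[scope] || []));
  }
  return granted;
}

// headers: plain object with lower-case keys (hypothetical shape for this example).
function classifyResponse(status, headers) {
  if (status < 400) return 'ok';
  if (status === 401) return 'bad-credentials';
  // No scope header at all (e.g. a token type that does not report scopes).
  if (!('x-oauth-scopes' in headers)) return 'no-scope-info';
  const granted = expandScopes(headers['x-oauth-scopes']);
  const accepted = (headers['x-accepted-oauth-scopes'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  // Assumption: holding any ONE of the accepted scopes is sufficient.
  const scopeOk = accepted.length === 0 || accepted.some((s) => granted.has(s));
  if (!scopeOk) return `missing-scope:${accepted.join('|')}`;
  // Scopes suffice: a 404 now points at the path (typo, repository not yet
  // visible) or at the account's rights on that repository, reported as 404.
  return status === 404 ? 'not-found-or-no-access' : `http-${status}`;
}

// Constructed sample responses (not captured from GitHub).
const samples = [
  [404, { 'x-oauth-scopes': 'notifications', 'x-accepted-oauth-scopes': 'repo' }],
  [404, { 'x-oauth-scopes': 'admin:org, repo', 'x-accepted-oauth-scopes': 'repo' }],
  [404, {}],
];
for (const [status, headers] of samples) {
  console.log(status, JSON.stringify(headers), '->', classifyResponse(status, headers));
}
```

With octokit, the status and headers of a failed call are available on the rejected error object, so the same function can be called from the `.catch` handler.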