From e3b163f07a3bd056ce9a23540a2f315034d839e3 Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamie.magee@gmail.com>
Date: Mon, 30 Jan 2023 02:48:29 -0500
Subject: [PATCH] feat: log when using fine-grained PATs (#20097)

Co-authored-by: Rhys Arkins <rhys@arkins.net>
---
 lib/modules/platform/github/index.md           |  3 ++-
 lib/modules/platform/github/index.spec.ts      |  8 ++++++++
 lib/modules/platform/github/index.ts           |  5 +++++
 .../parse/__snapshots__/env.spec.ts.snap       |  7 +++++++
 lib/workers/global/config/parse/env.spec.ts    | 10 ++++++++++
 lib/workers/global/config/parse/env.ts         | 18 ++++++++++++------
 6 files changed, 44 insertions(+), 7 deletions(-)

diff --git a/lib/modules/platform/github/index.md b/lib/modules/platform/github/index.md
index 08f588e5e3..6540a42423 100644
--- a/lib/modules/platform/github/index.md
+++ b/lib/modules/platform/github/index.md
@@ -2,7 +2,8 @@
 
 ## Authentication
 
-First, [create a Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) for the bot account, select `repo` scope.
+First, [create a classic Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic) for the bot account, select `repo` scope.
+Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.
 
 Let Renovate use your PAT by doing _one_ of the following:
 
diff --git a/lib/modules/platform/github/index.spec.ts b/lib/modules/platform/github/index.spec.ts
index d148c41874..d9a211a825 100644
--- a/lib/modules/platform/github/index.spec.ts
+++ b/lib/modules/platform/github/index.spec.ts
@@ -56,6 +56,14 @@ describe('modules/platform/github/index', () => {
       );
     });
 
+    it('should throw if fine-grained token', async () => {
+      await expect(
+        github.initPlatform({ token: 'github_pat_XXXXXX' })
+      ).rejects.toThrow(
+        'Init: Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.'
+      );
+    });
+
     it('should throw if user failure', async () => {
       httpMock.scope(githubApiHost).get('/user').reply(404);
       await expect(github.initPlatform({ token: '123test' })).rejects.toThrow();
diff --git a/lib/modules/platform/github/index.ts b/lib/modules/platform/github/index.ts
index 573dc8bf70..1ce3812984 100644
--- a/lib/modules/platform/github/index.ts
+++ b/lib/modules/platform/github/index.ts
@@ -129,6 +129,11 @@ export async function initPlatform({
   if (!token) {
     throw new Error('Init: You must configure a GitHub token');
   }
+  if (token.startsWith('github_pat_')) {
+    throw new Error(
+      'Init: Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.'
+    );
+  }
   token = token.replace(/^ghs_/, 'x-access-token:ghs_');
   platformConfig.isGHApp = token.startsWith('x-access-token:');
 
diff --git a/lib/workers/global/config/parse/__snapshots__/env.spec.ts.snap b/lib/workers/global/config/parse/__snapshots__/env.spec.ts.snap
index 0f673583d4..47739dda64 100644
--- a/lib/workers/global/config/parse/__snapshots__/env.spec.ts.snap
+++ b/lib/workers/global/config/parse/__snapshots__/env.spec.ts.snap
@@ -1,5 +1,12 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`workers/global/config/parse/env .getConfig(env) does not support GitHub fine-grained PATs 1`] = `
+{
+  "hostRules": [],
+  "token": "a github.com token",
+}
+`;
+
 exports[`workers/global/config/parse/env .getConfig(env) supports Azure DevOps 1`] = `
 {
   "endpoint": "an Azure DevOps endpoint",
diff --git a/lib/workers/global/config/parse/env.spec.ts b/lib/workers/global/config/parse/env.spec.ts
index 3dc48e238f..ff963b7658 100644
--- a/lib/workers/global/config/parse/env.spec.ts
+++ b/lib/workers/global/config/parse/env.spec.ts
@@ -148,6 +148,16 @@ describe('workers/global/config/parse/env', () => {
       });
     });
 
+    it('does not support GitHub fine-grained PATs', () => {
+      const envParam: NodeJS.ProcessEnv = {
+        GITHUB_COM_TOKEN: 'github_pat_XXXXXX',
+        RENOVATE_TOKEN: 'a github.com token',
+      };
+      expect(env.getConfig(envParam)).toMatchSnapshot({
+        token: 'a github.com token',
+      });
+    });
+
     it('supports GitHub custom endpoint and gitlab.com', () => {
       const envParam: NodeJS.ProcessEnv = {
         RENOVATE_ENDPOINT: 'a ghe endpoint',
diff --git a/lib/workers/global/config/parse/env.ts b/lib/workers/global/config/parse/env.ts
index c92ccce10d..ebb48e129b 100644
--- a/lib/workers/global/config/parse/env.ts
+++ b/lib/workers/global/config/parse/env.ts
@@ -133,12 +133,18 @@ export function getConfig(inputEnv: NodeJS.ProcessEnv): AllConfig {
   });
 
   if (env.GITHUB_COM_TOKEN) {
-    logger.debug(`Converting GITHUB_COM_TOKEN into a global host rule`);
-    config.hostRules.push({
-      hostType: 'github',
-      matchHost: 'github.com',
-      token: env.GITHUB_COM_TOKEN,
-    });
+    if (env.GITHUB_COM_TOKEN.startsWith('github_pat_')) {
+      logger.warn(
+        'GITHUB_COM_TOKEN: Fine-grained Personal Access Tokens do not support do not support the GitHub GraphQL API. Use a classic PAT instead.'
+      );
+    } else {
+      logger.debug(`Converting GITHUB_COM_TOKEN into a global host rule`);
+      config.hostRules.push({
+        hostType: 'github',
+        matchHost: 'github.com',
+        token: env.GITHUB_COM_TOKEN,
+      });
+    }
   }
 
   // These env vars are deprecated and deleted to make sure they're not used
-- 
GitLab