GraphQL PullRequest query fails with wrong error message (Resource not accessible for commits)

[bahrmichael]

Select Topic Area

Bug

Body

I'm reporting that the PullRequest GraphQL query fails with "errors":[{"type":"FORBIDDEN","path":["repository","pullRequest","commits","nodes",0],"extensions":{"saml_failure":false},"locations":[{"line":45,"column":5}],"message":"Resource not accessible by integration"}] if I request the particpants, but succeeds if I don't request participants. The REST api doesn't seem to support the participants relation: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#link-relations

There are two bugs in here: (1) the misleading error message and (2) graphql being unable to serve data that can be accessed via the rest api

There are a lot of variables you need to consider, but I was able to reproduce this behavior reliably. I'll share a reproducer at the end of this report.

• GitHub Enterprise 3.14 with permission to install GitHub apps. I have a suspicion that this applies to github.com, but have not tested it yet. It showed up reliably with GHE.
• GitHub App installed for an organization with all permissions set to Read/Write or Read (whatever higher permission is possible). I've done this to rule out a lack of permission as indicated by the error message.

• GitHub App Installation Token for authentication (Bearer ...) that is valid (i.e. it has been created in the last minute(s) and you don't get an error using it)
• A signed commit following the reproducer below, created with the REST api
• A pull request that contains this commit (also created via the REST api)

Why don't you just use the GraphQL api for everything? Because the request to create signed commits needs the whole patch of the file instead of just the commit id, which becomes unfeasible with large changes.

I have also seen https://github.com/orgs/community/discussions/69154 and made sure that I'm not missing anything.

Reproducers

The reproducer is based on https://github.com/orgs/community/discussions/50055.

This assumes you have create a GitHub app with the required permissions (if you don't know which, then go for max permissions), installed it into the org of your GHE instance, and generate an installation access token.

Creating a signed commit

Run this first, and then run the other reproducer to see the error. This helps you avoid creating the commit over and over again (and I failed to extract the sha with jq).

Check out a repository from your GHE instance, modify a file, and create a commit. Don't push it.

Adjust the variables at the top of the file below, and run it.

repo_user=your_organization
repo_name=your_repo
branch_name=choose_a_branch_name_thats_not_taken
host=https://you.ghe.instance.domain
auth="Authorization: Bearer ghs_somethingsomething"

commit_id=$(git rev-parse HEAD)
echo "Commit ID: $commit_id"
target="$commit_id:refs/heads/$branch_name"
echo "Target: $target"
git push --force $host/$repo_user/$repo_name "$target"
echo "---PUSHED---"

echo "---SIGNING---"
# Get the original, unsigned commit
get_commit_url="$host/api/v3/repos/$repo_user/$repo_name/git/commits/$commit_id"
echo "GET COMMIT URL: $get_commit_url"
commit=$(curl -s -H "$auth" "$get_commit_url")

echo "COMMIT: $commit"

# Extract the tree SHA and parent SHAs
tree_sha=$(echo "$commit" | jq -r '.tree.sha')
parent_shas=$(echo "$commit" | jq -r '.parents[].sha' | tr '\n' ',' | sed 's/,$//')

echo "TREE SHA: $tree_sha PARENT SHAS: $parent_shas"

# Create the new signed commit
create_commit_url="$host/api/v3/repos/$repo_user/$repo_name/git/commits"
echo "CREATE COMMIT URL: $create_commit_url"
new_commit=$(curl -f -H "$auth" -X POST \
  -d '{
    "message": "This should be a signed version of '"$commit_id"'",
    "tree": "'"$tree_sha"'",
    "parents": ["'"$parent_shas"'"]
  }' "$create_commit_url")

echo "NEW COMMIT: $new_commit"

Create a PR and access its commits (i.e. reproduce the bug)

Place the following query.file in your working directory:

fragment actor on Actor {
  avatarUrl
  login
  url
}

fragment repo on Repository {
  id
  name
  owner {
    login
  }
}

fragment pr on PullRequest {
  id
  title
  body
  state
  url
  number
  createdAt
  updatedAt
  headRefOid
  baseRefOid
  headRefName
  baseRefName
  reviewDecision
  isDraft
  author {
    ...actor
  }
  baseRepository {
    ...repo
  }
  headRepository {
    ...repo
  }
  participants(first: 100) {
    nodes {
      ...actor
    }
  }
  commits(last: 1) {
    nodes {
      id
      commit {
        oid
      }
    }
  }
}

query($owner: String!, $name: String!, $number: Int!) {
	repository(owner: $owner, name: $name) {
		pullRequest(number: $number) { ...pr }
	}
}

With the commit sha from the last script, adjust and run the following script. Close existing PRs if necessary.

repo_user=your_organization
repo_name=your_repo
branch_name=choose_a_branch_name_thats_not_taken
host=https://you.ghe.instance.domain
auth="Authorization: Bearer ghs_somethingsomething"
new_commit_sha="your_commit_sha"

# Update the branch reference
update_ref_url=$host/api/v3/repos/$repo_user/$repo_name/git/refs/heads/$branch_name
echo "UPDATE REF URL: $update_ref_url"
curl -s -H "$auth" -X PATCH \
  -d '{
    "sha": "'"$new_commit_sha"'",
    "force": true
  }' $update_ref_url

echo "---COMMIT SIGNED AND BRANCH UPDATED---"

echo "---CREATING PR---"
pr=$(curl -XPOST -H "$auth" -d '{"title": "test", "body": "test", "head": "'"$branch_name"'", "base": "main"}' "$host/api/v3/repos/$repo_user/$repo_name/pulls")
echo $pr
pr_number=$(echo "$pr" | jq -r '.number')

echo "---PR CREATED--- $pr_number"

echo "---GETTING PR COMMITS VIA REST"

curl -s -H "$auth" "$host/api/v3/repos/$repo_user/$repo_name/pulls/$pr_number/commits"

echo "---GETTING PR COMMITs VIA GRAPHQL"

jq  -Rs '{query: ., variables: {"owner": "'$repo_user'","name": "'$repo_name'","number": '"$pr_number"'}}' query.file | curl -XPOST -H "$auth" --data-binary @- $host/api/graphql

When you run this, you should see that the REST call was able to read the commits, but the GraphQL returns an error saying that it can't access the commit.

Now close the PR you just created, remove the participants section from the query.file and run the script again. You'll see that it can now read the commits.

I believe that other fields which were not part of the REST api but are part of GraphQL are also affected. We previously removed them from our queries to work around the same error: sourcegraph/sourcegraph-public-snapshot#64299
We dropped the following fields there:

	pr.Commits.Nodes = []CommitWithChecks{}
	pr.Participants = []Actor{}
	pr.TimelineItems = []TimelineItem{}
	pr.Labels.Nodes = []Label{}

[bahrmichael]

As a workaround you can split out the commits field into a separate query.

[bahrmichael]

We've seen this bug with timelineItems, too. I'm confident that the bug affects all fields that have nodes.