From 37946dfc91d4a7ac4265a1d005ad8f9551cbfd45 Mon Sep 17 00:00:00 2001
From: Denys Zhuravel
Date: Wed, 21 Sep 2022 11:59:16 +0000
Subject: [PATCH] Require site_admin for the impersonation logic

Also, fixed casing in the text literals
---
 src/push.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/push.go b/src/push.go
index dce12ff..e678911 100644
--- a/src/push.go
+++ b/src/push.go
@@ -81,6 +81,10 @@ func GetImpersonationToken(ctx context.Context, flags *PushFlags) (string, error
 scopesHeader := rootResponse.Header.Get(xOAuthScopesHeader)
 fmt.Printf("these are the scopes we have for the current token `%s` ...\n", scopesHeader)
+ if !strings.Contains(scopesHeader, "site_admin") {
+ return "", errors.Wrap(err, "the current token doesn't have the `site_admin` scope, the impersonation function requires the `site_admin` permission to be able to impersonate.")
+ }
+
 isAE := rootResponse.Header.Get(enterpriseVersionHeaderKey) == enterpriseAegisVersionHeaderValue
 minimumRepositoryScope := "public_repo"
 if isAE {
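Review bot: The new `site_admin` guard returns `errors.Wrap(err, ...)`, which probably yields a nil error. If `errors` is github.com/pkg/errors (the import is outside the hunk), `Wrap` returns nil when `err` is nil, and `err` is presumably nil here because the root request has already succeeded. The caller would then receive `"", nil` and treat the missing scope as success with an empty token; build the error with `errors.New(...)` and the same message instead. `strings.Contains(scopesHeader, "site_admin")` is also a substring test over a comma-separated header, so any scope name that merely contains that text would pass; splitting on `,`, trimming spaces and comparing each entry for equality is stricter. The body of GetImpersonationToken starts and ends outside this hunk.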
@@ -88,15 +92,11 @@ func GetImpersonationToken(ctx context.Context, flags *PushFlags) (string, error
 // while it is `repo` for ae.
 minimumRepositoryScope = "repo"
 fmt.Printf("running against GitHub AE, changing the repository scope to '%s' ...\n", minimumRepositoryScope)
- } else {
- if !strings.Contains(scopesHeader, "site_admin") {
- fmt.Printf("the current token doesn't have the `site_admin` scope. The impersonation request for GHES requres the `site_admin` permission to be able to impersonate. For GitHub AE it's not required.")
- }
 }
 impersonationToken, _, err := ghClient.Admin.CreateUserImpersonation(ctx, flags.ActionsAdminUser, &github.ImpersonateUserOptions{Scopes: []string{minimumRepositoryScope, "workflow"}})
 if err != nil {
- return "", errors.Wrap(err, "Failed to impersonate Actions admin user.")
+ return "", errors.Wrap(err, "failed to impersonate Actions admin user.")
 }
 fmt.Printf("got the impersonation token for `%s` ...\n", flags.ActionsAdminUser)