Github repo creation not using GITHUB_PAT?

[stephlocke]

Over on a Travis build of a PR, we're getting:

GitHub API error (403): 403 Forbidden
API rate limit exceeded for 35.202.145.110. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)

https://travis-ci.org/lockedata/pRojects/jobs/476567120#L3872

I would have expected the GITHUB_PAT we've got in place on the repo to be enough to get around this - perhaps it's using a different mechanism or perhaps we don't have it hooked up to look for the PAT?

[maelle]

Does the branch have access to the environment variable?

[maelle]

We use gh functions directly so use the GITHUB_PAT when it's available so the best thing I could imagine is skipping this test when the environment variable is not available (which will always happen in PRs). What do you think?

[stephlocke]

I would expect the env var to be found as the environment variables are at the repo level in travis 🤔

[maelle]

I think someone once told me it'd be bad if the environment variables were accessible from external branches because mean people could output them to the log.

[maelle]

@stephlocke so should we skip tests involving the environment variable when it's not present i.e. external PRs?

[maelle]

In codemetar what we have is testthat::skip_if_not(nzchar(Sys.getenv("GITHUB_PAT")))

[stephlocke]

I'm not comfortable accepting code that hasn't done the full set of tests. Can you give some thought as to how we could achieve it? Perhaps we could use a pre-provided pat and make the variable if it doesn't exist at the beginning of tests for instnce?

[maelle]

the problem is that we need a pat that can create a repo for my account chibimaelle.

The only solution I can imagine is not hard-coding "chibimaelle" i.e. the tests would need a GITHUB_PAT with scope to create a project and we'd have

login <- gh::gh_whoami()$login
createBasicProject(
    name = "test",
    packagedeps = "none",
    external_setup = list(
      git_service = "GitHub",
      login = login,
      private = FALSE,
      protocol = "ssh",
      ci_activation = NULL
    ),
    folder = tmp
  )

  expect_true(repo_exists(login, "test"))
  gh::gh("DELETE /repos/:owner/:repo",
    owner = login, repo = "test"
  )

But the users submitting an external PR would need to set the GITHUB_PAT in their fork themselves. what do you think?

[maelle]

I'm not even sure one can create a GITHUB_PAT for a fork 🤔

[stephlocke]

Here's one solution

https://blog.algolia.com/travis-encrypted-variables-external-contributions/
https://github.com/algolia/api-key-dealer

Essentially, have an API that you hit up with some info about the travis job. if master branch, do nothing, if from a legit travis job, return a value. Add value to env if returned.

[maelle]

Other points of view https://discuss.ropensci.org/t/github-pat-needed-in-tests-and-pull-requests-on-travis/1550/7 (no other solutions, the efficient but complicated solution you posted is the only one I've seen).