Orb publishing GitHub token scopes

It’s been a month or so since we lasted published our orb, seems GitHub personal tokens have changed and are now scoped. I have generated a token with all scopes but still getting Error: AUTHORIZATION_FAILURE when performing circleci orb publish [...] --token $GITHUB_TOKEN

Thanks for joining @zygopleural! We’re glad to have you join us.

I believe @FelicianoTech would be the person to check into this.

Hi @zygopleural - can you confirm whether you’re using a GitHub token, or a CircleCI token for authentication? :slight_smile:

I did a little more digging before signing-off last night and things are getting weirder and weirder…

Before:

  • We lint, pack, and publish-to-dev using circleci/orb-tools
  • We had a GitHub token created months ago that we used with admin rights
  • Said token was saved in our circleci environment as the default used by circleci/orb-tools, namely: CIRCLE_TOKEN
  • This setup has been working for last month or so, until I came to publishing our orb again yesterday

The first problem I kept getting was during the pack step:

circleci config pack [...] > orb.yml
⠋ Checking for updates... Error: Failed to query the GitHub API for updates.

This is most likely due to GitHub rate-limiting on unauthenticated requests.

To have the circleci-cli make authenticated requests please:

  1. Generate a token at https://github.com/settings/tokens
  2. Set the token by either adding it to your ~/.gitconfig or
     setting the GITHUB_TOKEN environment variable.

[...]

: GET https://api.github.com/repos/CircleCI-Public/circleci-cli/releases: 403 API rate limit exceeded for 3.91.8.82. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) [rate reset in 12m45s]

Weird because the build before that worked fine and I’m not sure why packing needs to talk to the GitHub API, but okay, I took our current token that was already saved in the environment as CIRCLE_TOKEN and changed it to GITHUB_TOKEN as per the instructions. Then I got the same error as before but with:

: GET https://api.github.com/repos/CircleCI-Public/circleci-cli/releases: 401 Bad credentials []

Okay, maybe there is something wrong with our token, so I headed to https://github.com/settings/tokens to check the tokens and there are 0 tokens. Creating a new token now requires you to select which scopes you want, so I repeated the steps above with different scopes until I ended up just giving it every single scope available, yet still:

: GET https://api.github.com/repos/CircleCI-Public/circleci-cli/releases: 401 Bad credentials []

Also worth noting that the build about 10 mins before it all started going wrong, went through fine unchanged:

It looks like the “Failed to query the GitHub API for updates” error is due to the CLI trying to auto-update. You should be able to use the --skip-update-check to skip this, which should resolve your issue (along with ensuring CIRCLE_TOKEN is currently set). With the change implemented, it’s attempting to use your CircleCI API key to authenticate with GitHub, which isn’t valid :slight_smile: