Revert "refactor: deduplicate scope error handling between api/client.go and project queries"#12914
Merged
williammartin merged 1 commit intotrunkfrom Mar 12, 2026
Conversation
….go and project queries"
Contributor
There was a problem hiding this comment.
Pull request overview
This PR reverts #12845 by restoring project-queries-specific handling for GraphQL “insufficient scopes” errors, rather than relying on the deduplicated API client behavior.
Changes:
- Reintroduces missing-scope detection and error formatting inside
pkg/cmd/project/shared/queriesGraphQL error handling. - Adds unit coverage for parsing required scopes from GraphQL server error messages in project queries.
- Adds a TODO note in
api/client.goflagging duplication in the scope-suggestion messaging.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/cmd/project/shared/queries/queries.go | Restores local insufficient-scope parsing + error construction for project GraphQL calls. |
| pkg/cmd/project/shared/queries/queries_test.go | Adds a new unit test for requiredScopesFromServerMessage. |
| api/client.go | Adds a TODO comment noting duplicated scope-suggestion logic. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+1689
to
+1701
| var scopesRE = regexp.MustCompile(`one of the following scopes: \[(.+?)]`) | ||
|
|
||
| func requiredScopesFromServerMessage(msg string) []string { | ||
| m := scopesRE.FindStringSubmatch(msg) | ||
| if m == nil { | ||
| return nil | ||
| } | ||
| var scopes []string | ||
| for _, mm := range strings.Split(m[1], ",") { | ||
| scopes = append(scopes, strings.Trim(mm, "' ")) | ||
| } | ||
| return scopes | ||
| } |
There was a problem hiding this comment.
This file now duplicates scopesRE/requiredScopesFromServerMessage logic that already exists in api/client.go. Keeping two copies increases the chance they drift if the server message format changes; consider factoring this into a shared helper (or exporting/reusing the existing one) so both call sites stay in sync.
Comment on lines
+580
to
+585
| msg: "Your token has not been granted the required scopes to execute this query. The 'dataType' field requires one of the following scopes: ['read:project'], but your token has only been granted the: ['codespace', repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.", | ||
| want: []string{"read:project"}, | ||
| }, | ||
| { | ||
| name: "multiple scopes", | ||
| msg: "Your token has not been granted the required scopes to execute this query. The 'dataType' field requires one of the following scopes: ['read:project', 'read:discussion', 'codespace'], but your token has only been granted the: [repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.", |
There was a problem hiding this comment.
The sample server messages in this test contain mismatched quotes (e.g. repo'], ['codespace', repo']), which makes the fixture unrealistic and confusing. Please update the strings to valid/representative scope lists so the test documents the actual server error format being parsed.
Suggested change
| msg: "Your token has not been granted the required scopes to execute this query. The 'dataType' field requires one of the following scopes: ['read:project'], but your token has only been granted the: ['codespace', repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.", | |
| want: []string{"read:project"}, | |
| }, | |
| { | |
| name: "multiple scopes", | |
| msg: "Your token has not been granted the required scopes to execute this query. The 'dataType' field requires one of the following scopes: ['read:project', 'read:discussion', 'codespace'], but your token has only been granted the: [repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.", | |
| msg: "Your token has not been granted the required scopes to execute this query. The 'dataType' field requires one of the following scopes: ['read:project'], but your token has only been granted the: ['codespace', 'repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.", | |
| want: []string{"read:project"}, | |
| }, | |
| { | |
| name: "multiple scopes", | |
| msg: "Your token has not been granted the required scopes to execute this query. The 'dataType' field requires one of the following scopes: ['read:project', 'read:discussion', 'codespace'], but your token has only been granted the: ['repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.", |
Comment on lines
+591
to
+592
| if got := requiredScopesFromServerMessage(tt.msg); !reflect.DeepEqual(got, tt.want) { | ||
| t.Errorf("requiredScopesFromServerMessage() = %v, want %v", got, tt.want) |
There was a problem hiding this comment.
This test pulls in the reflect package just to compare slices, but the rest of the file already uses testify's assert. Consider switching to assert.Equal/assert.ElementsMatch here to keep assertions consistent and avoid the extra import.
Comment on lines
+1669
to
1688
| missing := set.NewStringSet() | ||
| for _, e := range gerr.Errors { | ||
| if e.Type != "INSUFFICIENT_SCOPES" { | ||
| continue | ||
| } | ||
| missing.AddValues(requiredScopesFromServerMessage(e.Message)) | ||
| } | ||
| if missing.Len() > 0 { | ||
| s := missing.ToSlice() | ||
| // TODO: this duplicates parts of generateScopesSuggestion | ||
| return fmt.Errorf( | ||
| "error: your authentication token is missing required scopes %v\n"+ | ||
| "To request it, run: gh auth refresh -s %s", | ||
| s, | ||
| strings.Join(s, ",")) | ||
| } | ||
| } | ||
| return err | ||
| } | ||
|
|
There was a problem hiding this comment.
handleError was changed to reimplement GraphQL insufficient-scope handling, but there is no test that exercises handleError end-to-end (e.g., an api.GraphQLError containing multiple INSUFFICIENT_SCOPES items and verifying the returned error message). Adding a focused test will help prevent regressions in how project queries surface missing-scope errors.
Suggested change
| missing := set.NewStringSet() | |
| for _, e := range gerr.Errors { | |
| if e.Type != "INSUFFICIENT_SCOPES" { | |
| continue | |
| } | |
| missing.AddValues(requiredScopesFromServerMessage(e.Message)) | |
| } | |
| if missing.Len() > 0 { | |
| s := missing.ToSlice() | |
| // TODO: this duplicates parts of generateScopesSuggestion | |
| return fmt.Errorf( | |
| "error: your authentication token is missing required scopes %v\n"+ | |
| "To request it, run: gh auth refresh -s %s", | |
| s, | |
| strings.Join(s, ",")) | |
| } | |
| } | |
| return err | |
| } | |
| if scopeErr := handleInsufficientScopesError(gerr); scopeErr != nil { | |
| return scopeErr | |
| } | |
| } | |
| return err | |
| } | |
| // handleInsufficientScopesError extracts missing OAuth scopes from a GraphQL error | |
| // and returns a user-facing error describing how to refresh credentials. | |
| // It is split out from handleError to allow focused testing. | |
| func handleInsufficientScopesError(gerr api.GraphQLError) error { | |
| missing := set.NewStringSet() | |
| for _, e := range gerr.Errors { | |
| if e.Type != "INSUFFICIENT_SCOPES" { | |
| continue | |
| } | |
| missing.AddValues(requiredScopesFromServerMessage(e.Message)) | |
| } | |
| if missing.Len() == 0 { | |
| return nil | |
| } | |
| s := missing.ToSlice() | |
| // TODO: this duplicates parts of generateScopesSuggestion | |
| return fmt.Errorf( | |
| "error: your authentication token is missing required scopes %v\n"+ | |
| "To request it, run: gh auth refresh -s %s", | |
| s, | |
| strings.Join(s, ",")) | |
| } |
williammartin
deleted the
revert-12845-refactor/deduplicate-scope-error-handling
branch
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Mar 24, 2026
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://github.com/cli/cli) | minor | `v2.87.3` → `v2.88.1` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.88.1`](https://github.com/cli/cli/releases/tag/v2.88.1): GitHub CLI 2.88.1 [Compare Source](cli/cli@v2.88.0...v2.88.1) #### Fix `pr` commands failing with `read:project` scope error v2.88.0 introduced a regression where `pr` commands would fail with the error: ``` error: your authentication token is missing required scopes [read:project] To request it, run: gh auth refresh -s read:project ``` Previously, missing read:project scope was gracefully handled, and project data was silently skipped. A change inadvertently broke the error matching that enabled this graceful degradation. v2.88.1 reverts these changes so that `pr` commands work correctly without requiring the `read:project` scope. #### What's Changed - Migrate Windows code signing from client secret to OIDC by [@​BagToad](https://github.com/BagToad) in [#​12911](cli/cli#12911) - Revert "refactor: deduplicate scope error handling between api/client.go and project queries" by [@​williammartin](https://github.com/williammartin) in [#​12914](cli/cli#12914) - Revert "fix: clarify scope error while creating issues for projects" by [@​williammartin](https://github.com/williammartin) in [#​12915](cli/cli#12915) **Full Changelog**: <cli/cli@v2.88.0...v2.88.1> ### [`v2.88.0`](https://github.com/cli/cli/releases/tag/v2.88.0): GitHub CLI 2.88.0 [Compare Source](cli/cli@v2.87.3...v2.88.0) ####Request Copilot Code Review from `gh` <img width="80%" height="80%" alt="image" src="https://github.com/user-attachments/assets/c9b86700-5934-44b6-9210-227495a18d8e" /> `gh pr create` and `gh pr edit` now support [Copilot Code Review](https://docs.github.com/en/copilot/using-github-copilot/code-review/using-copilot-code-review) as a reviewer. Request a review with `--add-reviewer @​copilot`, or select Copilot interactively from the searchable reviewer prompt. Create a pull request and request review from Copilot: ``` gh pr create --reviewer @​copilot ``` Edit a pull request and request review from Copilot: ``` gh pr edit --add-reviewer @​copilot ``` #### Close issues as duplicates with `gh issue close --duplicate-of` You can now close issues as duplicates and link to a duplicate issue directly from the CLI. The new `--duplicate-of` flag accepts an issue number or URL and marks the closed issue as a duplicate of the referenced one. You can also use `--reason duplicate` to set the close reason without linking a specific issue. ``` # Close as duplicate, linking to the original issue gh issue close 123 --duplicate-of 456 # Close with duplicate reason only gh issue close 123 --reason duplicate ``` #### JSON support for `gh agent-task` `gh agent-task list` and `gh agent-task view` now support `--json`, `--jq`, and `--template` flags, consistent with other `gh` commands. ``` gh agent-task list --json id,name,state gh agent-task view <id> --json state --jq '.state' ``` #### What's Changed ##### ✨ Features - `gh pr create`: login-based reviewer requests and search-based interactive selection by [@​BagToad](https://github.com/BagToad) in [#​12627](cli/cli#12627) - `gh pr view` and `gh issue view`: show friendly display names for all actors by [@​BagToad](https://github.com/BagToad) in [#​12854](cli/cli#12854) - `gh issue close`: add `--duplicate-of` flag and duplicate reason by [@​tksohishi](https://github.com/tksohishi) in [#​12811](cli/cli#12811) - `gh pr diff`: add `--exclude` flag to filter files from diff output by [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) in [#​12655](cli/cli#12655) - `gh pr view/list`: add `changeType` field to files JSON output by [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) in [#​12657](cli/cli#12657) - `gh repo clone`: add `--no-upstream` flag by [@​4RH1T3CT0R7](https://github.com/4RH1T3CT0R7) in [#​12686](cli/cli#12686) - `gh repo edit`: add `--squash-merge-commit-message` flag by [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) in [#​12846](cli/cli#12846) - `gh browse`: add `--blame` flag by [@​masonmcelvain](https://github.com/masonmcelvain) in [#​11486](cli/cli#11486) - `gh agent-task list`: add `--json` support by [@​maxbeizer](https://github.com/maxbeizer) in [#​12806](cli/cli#12806) - `gh agent-task view`: add `--json` support by [@​maxbeizer](https://github.com/maxbeizer) in [#​12807](cli/cli#12807) - `gh copilot`: set `COPILOT_GH` env var when launching Copilot CLI by [@​devm33](https://github.com/devm33) in [#​12821](cli/cli#12821) ##### 🐛 Fixes - Fix `gh project item-edit` error when editing Draft Issue with only one (`--title`/`--body`) flag by [@​ManManavadaria](https://github.com/ManManavadaria) in [#​12787](cli/cli#12787) - Fix extension install error message showing raw struct instead of `owner/repo` by [@​Copilot](https://github.com/Copilot) in [#​12836](cli/cli#12836) - Fix incorrect integer conversion from int to uint16 in port forwarder by [@​BagToad](https://github.com/BagToad) in [#​12831](cli/cli#12831) - Fix invalid ANSI SGR escape code in JSON and diff colorization by [@​BagToad](https://github.com/BagToad) in [#​12720](cli/cli#12720) - Fix assignees `databaseId` always being `0` in `--json` output by [@​srt32](https://github.com/srt32) in [#​12783](cli/cli#12783) - Fix error when `--remote` flag used with repo argument by [@​majiayu000](https://github.com/majiayu000) in [#​12375](cli/cli#12375) - Fix redundant API call in `gh issue view --comments` by [@​VishnuVV27](https://github.com/VishnuVV27) in [#​12652](cli/cli#12652) - Clarify scope error while creating issues for projects by [@​elijahthis](https://github.com/elijahthis) in [#​12596](cli/cli#12596) - Reject pull request-only search qualifiers in `gh issue list` by [@​LouisLau-art](https://github.com/LouisLau-art) in [#​12623](cli/cli#12623) - Prevent `.git/config` corruption on repeated `issue develop --name` invocation by [@​gunadhya](https://github.com/gunadhya) in [#​12651](cli/cli#12651) - Use pre-compiled regexp for matching Content-Type by [@​itchyny](https://github.com/itchyny) in [#​12781](cli/cli#12781) - Isolate generated licenses per platform (os/arch) by [@​babakks](https://github.com/babakks) in [#​12774](cli/cli#12774) ##### 📚 Docs & Chores - Add examples to `gh issue close` help text by [@​BagToad](https://github.com/BagToad) in [#​12830](cli/cli#12830) - Customizable install `prefix` in Makefile by [@​scarf005](https://github.com/scarf005) in [#​11714](cli/cli#11714) - Deduplicate scope error handling between `api/client.go` and project queries by [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) in [#​12845](cli/cli#12845) - Remove unnecessary `StateReason` and `StateReasonDuplicate` feature detection by [@​BagToad](https://github.com/BagToad) in [#​12838](cli/cli#12838) - Update Go version requirement to 1.26+ by [@​BagToad](https://github.com/BagToad) in [#​12864](cli/cli#12864) - Add monthly pitch surfacing workflow by [@​tidy-dev](https://github.com/tidy-dev) in [#​12894](cli/cli#12894) #####
Dependencies - Bump Go from 1.25.7 to 1.26.1 by [@​BagToad](https://github.com/BagToad) in [#​12860](cli/cli#12860) - chore(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12886](cli/cli#12886) - chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12851](cli/cli#12851) - chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12842](cli/cli#12842) - chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12759](cli/cli#12759) - chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12760](cli/cli#12760) - chore(deps): bump actions/upload-artifact from 6 to 7 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12797](cli/cli#12797) - chore(deps): bump actions/download-artifact from 7 to 8 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12796](cli/cli#12796) - chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12795](cli/cli#12795) - chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.11 to 1.4.13 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12615](cli/cli#12615) #### New Contributors - [@​srt32](https://github.com/srt32) made their first contribution in [#​12783](cli/cli#12783) - [@​itchyny](https://github.com/itchyny) made their first contribution in [#​12781](cli/cli#12781) - [@​VishnuVV27](https://github.com/VishnuVV27) made their first contribution in [#​12652](cli/cli#12652) - [@​elijahthis](https://github.com/elijahthis) made their first contribution in [#​12596](cli/cli#12596) - [@​ManManavadaria](https://github.com/ManManavadaria) made their first contribution in [#​12787](cli/cli#12787) - [@​maxbeizer](https://github.com/maxbeizer) made their first contribution in [#​12806](cli/cli#12806) - [@​LouisLau-art](https://github.com/LouisLau-art) made their first contribution in [#​12623](cli/cli#12623) - [@​4RH1T3CT0R7](https://github.com/4RH1T3CT0R7) made their first contribution in [#​12686](cli/cli#12686) - [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) made their first contribution in [#​12657](cli/cli#12657) - [@​masonmcelvain](https://github.com/masonmcelvain) made their first contribution in [#​11486](cli/cli#11486) - [@​scarf005](https://github.com/scarf005) made their first contribution in [#​11714](cli/cli#11714) - [@​tksohishi](https://github.com/tksohishi) made their first contribution in [#​12811](cli/cli#12811) - [@​tidy-dev](https://github.com/tidy-dev) made their first contribution in [#​12894](cli/cli#12894) **Full Changelog**: <cli/cli@v2.87.3...v2.88.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42MS43IiwidXBkYXRlZEluVmVyIjoiNDMuNjQuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90IiwiYXV0b21hdGlvbjpib3QtYXV0aG9yZWQiLCJkZXBlbmRlbmN5LXR5cGU6Om1pbm9yIl19-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Reverts #12845
Part of fixing #12904