403 when deleting workflow run in private repo with PAT

I’m trying to use the REST API to remove old workflow runs from a private repo.

I just created a new GITHUB_PAT and can use that to GET the run from the repo via:

GET /repos/nforgeio/neonCLOUD/actions/runs/822507977

but this fails with a 403 using the same token:

DELETE /repos/nforgeio/neonCLOUD/actions/runs/822507977

The reference documentation mentions that If the repository is private you must use an access token with the repo scope

I believe my token has the repo scope, but it is a little weird that these check boxes are greyed-out in the token UI:

What do I need to change to enable this?

So I got this response from GitHub in email (not here as well for some reason):

GitHub noreply@github.com 10:45 AM (39 minutes ago)

to Jeff

Hey jefflill!

Previously, the personal access token (PAT) had delete:packages, repo, workflow, and write:packages scopes. It was recently updated to include an additional scope (admin:repo_hook). Visit https://github.com/settings/tokens for more information.

To see this and other security events for your account, visit https://github.com/settings/security-log

If you run into problems, please contact support by visiting https://github.com/contact

The GitHub Team

I tried adding the admin:repo_hook scope to my token by I still couldn’t delete a workflow run (403 error). I then (temporally) enabled all scopes for my token and am still seeing 403s, so this must not be a scope thing.

Just for fun, I also tried basic in addition to bearer token authentication but that didn’t work either. Note that GET is still working on the exact same endpoint and since this is a private repo, I’d assume that I must be submitting the token correctly.

I took a look at my security log (really cool, I didn’t know about this) but it looks like it takes some time (10 hours?) for new entries to post. I’ll have to check back later to see anything interesting comes up.

This seems to be working now with the admin:repo_hook. Perhaps it took some time for the token update to replicate across GitHub.

1 Like