Cannot remove review request from within workflow?

I want to remove a PR review request from within a workflow. To this end, I’m trying to use the endpoint

DELETE /repos/:owner/:repo/pulls/:pull_number/requested_reviewers

as documented here (linking to old docs – the new docs have somehow dropped the description of these endpoints today…)

To this end, I’m using the GitHub CLI like this:

gh api "repos/:owner/:repo/pulls/$prid/requested_reviewers" \
    --method DELETE --input - < reviewers.json

where reviewers.json looks something like

{
  "reviewers": [
    "user1",
    "user2"
  ]
}

and $prid is the PR ID.

This works fine when I run it locally. However, from within a workflow, I get an error

HTTP/1.1 422 Unprocessable Entity

To get more output, I tried the same endpoint with a request sent using curl (still from within the workflow):

curl \
	--verbose \
	--request DELETE \
	--location \
	--silent \
	--show-error \
	--header "Content-Type: application/json" \
	--header "Accept: application/vnd.github.v3+json" \
	--header "Authorization: Bearer $GITHUB_TOKEN" \
	--data @reviewers.json \
	"https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$prid/requested_reviewers"

resulting in a more specific error response:

{
  "message": "Validation Failed",
  "errors": [
    "Could not resolve to a node with the global id of 'MDQ6VGVhbTM4NzY3NDQ='."
  ],
  "documentation_url": "https://developer.github.com/v3/pulls/review_requests/#delete-a-review-request"
}

A bit of googling pointed towards a permission issue, and indeed, using a personal access token instead of GITHUB_TOKEN fixed it.

Why is this required, though? GITHUB_TOKEN has read/write permissions for pull requests, shouldn’t this work out of the box? I’d imagine interacting with a pull request is one of the core use cases for actions, so I’m confused as to why removing a review request is not permitted by default.
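
Added example (not part of the original post): a shell helper that decodes the node ID quoted in the 422 response above. Legacy GitHub global node IDs are base64 of "NN:TypeName" followed by the database ID, so decoding shows which kind of object the API could not resolve; the function names are made up for this illustration.

```sh
#!/bin/sh
# Added example: decode legacy GitHub global node IDs quoted in an API error.
# Legacy layout (base64-encoded): "<digits>:<TypeName><database id>".

# Read an error body on stdin; print each ID quoted after "global id of".
extract_node_ids() {
  grep -o "global id of '[^']*'" | sed "s/^global id of '//; s/'\$//"
}

# Print "<TypeName> <database id>" for one legacy node ID.
# Returns 1 if the value is not valid base64 or not in the legacy layout.
decode_node_id() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  printf '%s\n' "$decoded" | grep -Eq '^[0-9]+:[A-Za-z]+[0-9]+$' || return 1
  node_type=$(printf '%s\n' "$decoded" | sed 's/^[0-9]*://; s/[0-9]*$//')
  node_dbid=$(printf '%s\n' "$decoded" | sed 's/^.*[A-Za-z]//')
  printf '%s %s\n' "$node_type" "$node_dbid"
}

# Error body copied from the response shown in the question.
sample_error_body() {
  cat <<'EOF'
{
  "message": "Validation Failed",
  "errors": [
    "Could not resolve to a node with the global id of 'MDQ6VGVhbTM4NzY3NDQ='."
  ]
}
EOF
}

# Annotate every node ID found in an error body passed as $1.
explain_error() {
  printf '%s\n' "$1" | extract_node_ids | while read -r node_id; do
    if info=$(decode_node_id "$node_id"); then
      printf '%s -> %s\n' "$node_id" "$info"
    else
      printf '%s -> not a legacy node ID\n' "$node_id"
    fi
  done
}

explain_error "$(sample_error_body)"
```

For the ID in the question this reports a node of type Team with database ID 3876744.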

Hi @bewuethr,

GITHUB_TOKEN has read & write permission to the pull request. The error is due to GITHUB_TOKEN not being correctly invoked.

Please use ${{ secrets.GITHUB_TOKEN }} instead of $GITHUB_TOKEN in your curl command. Code sample as below:

          curl \
          --verbose \
          --request DELETE \
          --location \
          --silent \
          --show-error \
          --header "Content-Type: application/json" \
          --header "Accept: application/vnd.github.v3+json" \
          --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
          --data @reviewers.json \
          "https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$prid/requested_reviewers"

Please refer to my workflow for your reference: https://github.com/weide-zhou/ticket12/runs/938801751?check_suite_focus=true

Or you can define the token in env:

      - run: |
          curl \
          --verbose \
          --request DELETE \
          --location \
          --silent \
          --show-error \
          --header "Content-Type: application/json" \
          --header "Accept: application/vnd.github.v3+json" \
          --header "Authorization: Bearer $GH_TOKEN" \
          --data @reviewers.json \
          "https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$prid/requested_reviewers"
        env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Thanks.

I apologize for not making this clear in my question. The commands I’m showing run in a script that I call like this from the workflow:

- run: GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} .github/workflows/createpr

so the GITHUB_TOKEN is set in the environment. I see in your example workflow that calling directly from the YAML file seems to work, though. I’ll have a look if it works for me when calling directly from the workflow instead of via script, or if there is something else that’s peculiar about my setup.

Hi @bewuethr,

Thanks for your reply!

You cannot simply use GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} to set the GITHUB_TOKEN in the environment; it doesn’t work. Please follow the usage doc below and set it in env:

        env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token

Thanks

This does work to put the token into the environment the script runs in, though? In a minimal example, with a script .github/workflows/printenv containing just

#!/usr/bin/env bash

env | grep 'GITHUB_TOKEN'

and a workflow

on:
  workflow_dispatch:

jobs:
  testenv:
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v2
      - run: GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} .github/workflows/printenv

the output of the action is

Run GITHUB_TOKEN=*** .github/workflows/printenv
  GITHUB_TOKEN=*** .github/workflows/printenv
  shell: /bin/bash -e {0}
GITHUB_TOKEN=***

so the token is in the environment. This is no different than setting a value for the environment of a single command in Bash, as described in the manual:

The environment for any simple command or function may be augmented temporarily by prefixing it with parameter assignments […]

Or is there anything special about Bash execution in a run step?

Hi @bewuethr,

Sorry for the late response.

GitHub will automatically redact secrets; as you can see, it shows stars “***” in env.

You can confirm with the code below: you will find it cannot get the token in tok.txt, but it is fine for tok2.txt.

      - name: checkout
        uses: actions/checkout@v2
      - run: GH_TOKEN=${{ secrets.GITHUB_TOKEN }} printenv
      - run: |
          touch tok.txt
          echo $GH_TOKEN > tok.txt
      - uses: actions/upload-artifact@v2
        with:
          path: tok.txt
      - run: |
          touch tok2.txt
          echo ${{ secrets.GITHUB_TOKEN }} > tok2.txt
      - uses: actions/upload-artifact@v2
        with:
          path: tok2.txt

Thanks
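
Added example, not written by any participant in this thread: it compares a NAME=value prefix on a single command with a variable supplied for the whole step, the two approaches debated above. Fresh sh processes stand in for separate run steps (an assumption about the runner), and run_step, the other function names and the token value are constructed for the illustration.

```sh
#!/bin/sh
# Added example: where a NAME=value command prefix is visible.
# Assumption: each `run:` step is its own shell process (the thread's log
# shows "shell: /bin/bash -e {0}" for a step), so run_step starts a fresh
# shell with a cleared environment for each step body.
TOKEN_VALUE="constructed-placeholder"   # constructed value, not a credential

# run_step BODY [NAME=value ...]: extra arguments stand in for the step's
# `env:` mapping and are exported to every command in BODY.
run_step() {
  body=$1
  shift
  env -i PATH="$PATH" "$@" sh -c "$body"
}

# Prefix on the command that reads the variable (the pattern
# `GITHUB_TOKEN=... .github/workflows/createpr` from the question).
prefix_on_same_command() {
  run_step "GH_TOKEN=$TOKEN_VALUE printenv GH_TOKEN"
}

# Prefix on `printenv` in one step, variable read in a later step
# (the tok.txt case from the last reply).
prefix_then_later_step() {
  run_step "GH_TOKEN=$TOKEN_VALUE printenv GH_TOKEN" >/dev/null
  run_step 'echo "${GH_TOKEN:-}"'
}

# Step-level mapping: the variable is set for the whole step body.
step_env_mapping() {
  run_step 'true; printenv GH_TOKEN' "GH_TOKEN=$TOKEN_VALUE"
}

printf 'prefix, same command: [%s]\n' "$(prefix_on_same_command)"
printf 'prefix, later step:   [%s]\n' "$(prefix_then_later_step)"
printf 'step env mapping:     [%s]\n' "$(step_env_mapping)"
```

The prefix form reaches only the one command it is attached to, so a later step sees an empty value, while the step-level mapping reaches every command in that step.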