fix: ignore SAML issues in GH API

[SMillerDev]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew typecheck with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

This should allow people with SAML login for organisations that are not related to Homebrew (like me) to use commands that need the GH API.

[MikeMcQuaid]

Works for me! Just wants a wee syntax tweak (use dig) and a comment.

[Bo98]

Just to clarify:

• What happens when this error occurs? We're skipping the error here but are we actually get the data we wanted? Normally there isn't any data returned with errors.
• This seems specific to too_many_open_prs? since the GraphQL query there is loose and not repo-specific since it searches all of your PRs rather than just ones for the tap. I wonder if ignoring this error should be scoped to that specific call rather than globally as a API query to a SAML repository specifically (e.g. brew bump --tap=saml/repo) should fail. Or even better: change the query so we're not requesting stuff from non-Homebrew organisations.

[Bo98]

I'm not the convinced the GraphQL part of too_many_open_prs? even works as intended given headRepositoryOwner.login will never be Homebrew for a third-party contribution, unless the intention was to make the limit only apply to maintainers.

[SMillerDev]

What happens when this error occurs?

I get a list of errors telling me to allow my Homebrew token access to the SAML orgs. And the command fails.

EDIT: found it

Error: FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
FORBIDDEN: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.

[Bo98]

I think we can fix this by either changing the GraphQL query or scoping this better to be a rescue API::Error around that specific GraphQL query. The issue seems specific to that one query and I don't think we should ignore SAML errors in other API calls, as it can indicate a genuine issue if you have a Homebrew tap that does have SAML enforcement.

@MikeMcQuaid just to check what the GraphQL query is intended to do here. Right now it only checks PRs created from non-forks (i.e. only covers maintainers). The REST API query also seems to only be invoked if the user has >= 100 PRs across all of GitHub.

[MikeMcQuaid]

Right now it only checks PRs created from non-forks (i.e. only covers maintainers)

This was not intended, whoops. Should be checking the base repository owner of the PR instead.

The REST API query also seems to only be invoked if the user has >= 100 PRs across all of GitHub.

The, perhaps incorrect, intent here was that if they have <100 open PRs: we can instead iterate over them rather than having to hit the REST API.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.