HTTP Error 403 Forbidden on nix-review post-result

[KiaraGrouwstra]

this is the first time i'm trying nixpkgs-review, and its GET-like command comments works fine for me.
using commands like post-result tho yields me an HTTP Forbidden error:

$ nix-review post-result
Posting result comment on https://github.com/NixOS/nixpkgs/pull/261805
Traceback (most recent call last):
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/bin/.nix-review-wrapped", line 9, in <module>
    sys.exit(main())
             ^^^^^^
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/__init__.py", line 10, in main
    cli.main(command, args)
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/cli/__init__.py", line 334, in main
    return cast(str, args.func(args))
                     ^^^^^^^^^^^^^^^
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/cli/post_result.py", line 26, in post_result_command
    github_client.comment_issue(pr, report_text)
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/github.py"
, line 44, in comment_issue
    return self.post(
           ^^^^^^^^^^
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/github.py", line 36, in post
    return self._request(path, "POST", data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/7llgaybxglfs6h2fr5w2pxjfwc8z0k8q-nixpkgs-review-2.10.3/lib/python3.11/site-packages/nixpkgs_review/github.py", line 29, in _request
    with urllib.request.urlopen(req) as resp:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 525, in open
    response = meth(req, response)
               ^^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 634, in http_response
    response = self.parent.error(
               ^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 563, in error
    return self._call_chain(*args)
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 496, in _call_chain
    result = func(*args)
             ^^^^^^^^^^^
  File "/nix/store/asiphbpiy2gmidfm3xbwcikayhs66289-python3-3.11.7/lib/python3.11/urllib/request.py", line 643, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 403: Forbidden

i've tried passing account credentials in different ways; by env var, by gh or by --token.

version:

$ nix-review --version
nixpkgs-review 2.10.3

my github token has the rights to access all repos (read/write), with no other special settings.

would there be a good way to debug this?

[Mic92]

Check if your GITHUB_TOKEN is expired in $HOME/.config/hub or $HOME/.config/gh/config.yml

[KiaraGrouwstra]

i used a fresh github token.

my gh auth login did complain about gh/config.yml being read-only (being symlinked by nix), tho with such login succeeding to let gh use the credential led me to believe this might have worked.

that doesn't explain to me tho why passing the token by env var (on both nix-review pr <number> and nix-review post-result) or by --token would fail as well tho.

[Mic92]

If you create a new token manually here: https://github.com/settings/tokens with the permissions to create issue commends, does it work than?

[KiaraGrouwstra]

giving the token (passing by env var) read/write permissions on issues and PRs doesn't seem to change anything for me.
i gotta say i'm not sure on precedence rules tho, so i'm not sure if this is actually the token it's using.

[Mic92]

If you pass it via --token than it overwrites anything else. Environment variables have higher precedence over configuration files.

[KiaraGrouwstra]

thanks, retried using --token just in case, but same result

[siraben]

I've been having this issue too, with a token with these permissions. Tried `--token` but also didn't work. Got HTTP error 403: Forbidden.

[siraben]

When I use a classic personal access token with repo permissions, it works. So it looks like fine-grained tokens might not be supported yet, or I am not selecting the right permissions scopes.

[KiaraGrouwstra]

the classic token works for me as well. perhaps we could clarify that in the docs?

[siraben]

@Mic92