Various Codespace Secrets endpoints failing when using a Personal Access Token or GitHub App

[robmonte]

To preface this, I'm not sure if I'm simply doing something incorrectly, if there's an issue in the library, or if there's an issue in GitHub's API. I figure this is the best spot to start with.

I am getting several different kinds of errors when trying to use the Codespace Secrets feature via GitHub App. For example, when trying to access User secrets via the app, I get the following error when trying to obtain the User Codespace secrets public key:
https://api.github.com/user/codespaces/secrets/public-key: 403 Resource not accessible by integration
The permissions explained here say that the App needs the codespaces_user_secrets user permission. You can see in this screenshot that the permission is indeed set:

I also noticed updating permissions in the Account section of a GitHub App does not trigger the typical "app is requesting an update to its permissions." prompt that appears when Repository or Organization permissions are changed, so I'm leaning towards this being a GitHub-side issue.

 

Next, I am unable to start or stop a Codespace in a repository, once again as a GitHub App. This time I am able to authenticate and fully access the repository Codespace secrets as the GitHub App however. I get the following error when calling start:
https://api.github.com/user/codespaces/<random_gh_codespace_name>/start: 404 Not Found
The permissions explained here say that the App needs the codespaces_lifecycle_admin repository permission. You can see again in this screenshot that the permission is indeed set:

 

Lastly, the final issue with Codespace secrets. This time, it fails Personal Access Tokens (+it seems GitHub doesn't support Apps for these Org secrets at all). Like the first issue, when trying to obtain the public key of the Organization Codespace secrets it fails:
https://api.github.com/orgs/<org_name>/codespaces/secrets/public-key: 404 Not Found
The permissions explained here say that the Access Token needs the admin:org organization permission. You can see in the screenshot one final time that the permission is set:

I found it a bit strange this one supposedly doesn't require "organization codespace secrets" permissions to be set like the others all require, however adding that permission and in fact all permissions to the PAT still gives the same public key error.

 

My hunch is this is all likely on GitHub's side but as mentioned I figured I'd start here first, and I can point to this post as a later reference if I need to open up an issue with GitHub directly.

[gmlewis]

Hmmm... thanks for the detailed writeup of the issues you are seeing.
I personally have not used Codespace secrets, and unfortunately don't know what the problem is.
From your description, it sounds like you are using things properly.

I'll leave this issue open in the hopes that someone else has tried the Codespace APIs.

Maybe @artificial-aidan who wrote the initial implementation in #2803 has some ideas.

[aidandj]

I didn't end up using the implementation in my companies product, so other than initial testing I don't have much info.

What I would do is replicate the same process with bare http calls and see if you get the same process. I think there is a logging setting in the Go library to print all http calls.

[gmlewis]

Thanks, @artificial-aidan !

Along the same lines, this package is frequently helpful to debug the curl versions of API calls:
https://github.com/gmlewis/go-httpdebug

[robmonte]

Thanks for the suggestions. I am seeing the same errors when using the curl commands directly, such as using a PAT for the organization codespace public key:
{"message":"Not Found","documentation_url":"https://docs.github.com/rest/codespaces/organization-secrets#get-an-organization-public-key"}

Providing an incorrect PAT changes the error message to "Bad credentials", so it seems to at least be recognizing that there is a valid token being provided and authorizing my request.

I'll see what options I have available regarding bringing this up with GitHub directly.

[stevehipwell]

@robmonte did you get anything back from GitHub? This endpoint works correctly for my enterprise org but doesn;t work for my OSS one.

[robmonte]

Hi @stevehipwell sorry I missed your reply.

Unfortunately soon after I had done this investigation, my org had priorities change and ended up dropping this pursuit. However I was recently thinking of this again and started to wonder the same exact thing you pointed out now, after I began encountering errors with GitHub's organization secrets API. It turned out that they were limiting the API feature set in free orgs on private repositories, and at the time that fact was very poorly documented in very few places.

I was just theorizing that perhaps Codespace secrets are in in a similar boat and in fact are mostly enterprise-only features in some mixed-up capacity. Maybe once again the documentation surrounding its limitations were lacking.

Do you know if the entire API feature set works in your enterprise org? Or which subset of features did work in OSS?

[stevehipwell]

@robmonte I discovered this while doing E2E tests for the GitHub TF provider so these aren't APIs I personally use. The PR in question integrations/terraform-provider-github#2476) hasn't been reviewed or triaged so can't even provide a framework around this behaviour.