fix(github): org repo listing fails with fine-grained PATs lacking Issues:Read (#415)

fproulx-boostsecurity · claude · web-flow · commit 984640c18253 · 2026-04-06T08:56:24.000-04:00
Root cause: `issues { totalCount }` is typed `Int!` in GitHub's GraphQL schema.
When a FGPAT lacks Issues:Read on private repos, GitHub cannot resolve that
non-null field and nulls out the entire repo node — silently dropping those
repos from the batch and surfacing the error as a full batch failure.

Fix: move issues fetching into a dedicated `issueNodes: repositories(...)`
alias within the same GraphQL query. The main `repositories` selection no
longer includes `issues`, so all repos are always returned regardless of
Issues:Read permission. The shurcooL/graphql library unmarshals response data
before returning errors, so when issueNodes gets FORBIDDEN the main repo list
is already intact.

- isIssuesPermissionError() detects this partial-success case so the retry
  function returns nil and pagination continues normally
- repoWithIssueCount carries the count matched by databaseId; repos where
  Issues:Read is missing get count 0 without any error or dropped data
- isFatalError() + early break added so true auth failures (bad credentials,
  401/403) stop pagination immediately instead of exhausting retries

Minimum required FGPAT permissions for analyze_org: resource owner set to the
target org + Repository &gt; Contents: Read. Members:Read and Issues:Read are not
required.

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/providers/github/client.go b/providers/github/client.go
@@ -107,9 +107,6 @@ type GithubRepository struct {
 	License struct {
 		Name string `graphql:"name"`
 	} `graphql:"licenseInfo"`
-	Issues struct {
-		TotalCount int `graphql:"totalCount"`
-	} `graphql:"issues"`
 }
 
 func (gh GithubRepository) GetProviderName() string {
@@ -206,7 +203,10 @@ func (gh GithubRepository) GetStarsCount() int {
 }
 
 func (gh GithubRepository) GetOpenIssuesCount() int {
-	return gh.Issues.TotalCount
+	// Issue counts are fetched via the issueNodes alias in GetOrgRepos and
+	// carried by repoWithIssueCount, which overrides this method. This
+	// implementation exists only to satisfy the analyze.Repository interface.
+	return 0
 }
 
 func (gh GithubRepository) GetIsEmpty() bool {
@@ -374,6 +374,17 @@ func (c *Client) GetOrgRepos(ctx context.Context, org string) <-chan analyze.Rep
 							HasNextPage bool
 						}
 					} `graphql:"repositories(first: 100, after: $after, isArchived: false, isLocked: false, orderBy: {field: UPDATED_AT, direction: DESC})"`
+					// issueNodes is a separate alias for the same query to fetch issue counts.
+					// It may return FORBIDDEN errors for repos where Issues:Read is not granted;
+					// those repos will have a zero issue count rather than failing the whole batch.
+					IssueNodes struct {
+						Nodes []struct {
+							DatabaseId int `graphql:"databaseId"`
+							Issues     struct {
+								TotalCount int `graphql:"totalCount"`
+							} `graphql:"issues"`
+						}
+					} `graphql:"issueNodes: repositories(first: 100, after: $after, isArchived: false, isLocked: false, orderBy: {field: UPDATED_AT, direction: DESC})"`
 				} `graphql:"repositoryOwner(login: $org)"`
 			}
 
@@ -385,6 +396,12 @@ func (c *Client) GetOrgRepos(ctx context.Context, org string) <-chan analyze.Rep
 				if queryErr == nil {
 					return nil
 				}
+				// Partial success: issues FORBIDDEN on some repos but main repo data is intact.
+				// The library unmarshals data before returning errors, so Repositories.Nodes
+				// is already populated. Accept the partial result.
+				if isIssuesPermissionError(queryErr) && query.RepositoryOwner.Login != "" {
+					return nil
+				}
 				if !isRetryableError(queryErr) {
 					return backoff.Permanent(queryErr)
 				}
@@ -417,6 +434,13 @@ func (c *Client) GetOrgRepos(ctx context.Context, org string) <-chan analyze.Rep
 				return
 			}
 
+			issueCounts := make(map[int]int, len(query.RepositoryOwner.IssueNodes.Nodes))
+			for _, node := range query.RepositoryOwner.IssueNodes.Nodes {
+				if node.DatabaseId != 0 {
+					issueCounts[node.DatabaseId] = node.Issues.TotalCount
+				}
+			}
+
 			totalCount := 0
 			if !totalCountSent {
 				totalCount = query.RepositoryOwner.Repositories.TotalCount
@@ -425,7 +449,7 @@ func (c *Client) GetOrgRepos(ctx context.Context, org string) <-chan analyze.Rep
 
 			batchChan <- analyze.RepoBatch{
 				TotalCount:   totalCount,
-				Repositories: convertToRepositorySlice(query.RepositoryOwner.Repositories.Nodes),
+				Repositories: convertToRepositorySlice(query.RepositoryOwner.Repositories.Nodes, issueCounts),
 			}
 
 			if !query.RepositoryOwner.Repositories.PageInfo.HasNextPage {
@@ -439,21 +463,68 @@ func (c *Client) GetOrgRepos(ctx context.Context, org string) <-chan analyze.Rep
 	return batchChan
 }
 
-func convertToRepositorySlice(githubRepos []GithubRepository) []analyze.Repository {
+// repoWithIssueCount wraps GithubRepository to carry an issue count that is
+// fetched via a separate aliased query rather than from GithubRepository itself.
+type repoWithIssueCount struct {
+	GithubRepository
+	issueCount int
+}
+
+func (r repoWithIssueCount) GetOpenIssuesCount() int {
+	return r.issueCount
+}
+
+func convertToRepositorySlice(githubRepos []GithubRepository, issueCounts map[int]int) []analyze.Repository {
 	repos := make([]analyze.Repository, len(githubRepos))
 	for i, repo := range githubRepos {
-		repos[i] = repo
+		repos[i] = repoWithIssueCount{
+			GithubRepository: repo,
+			issueCount:       issueCounts[repo.DatabaseId],
+		}
 	}
 	return repos
 }
 
+// isIssuesPermissionError returns true when the only GraphQL error is a
+// "Resource not accessible by personal access token" on the issueNodes alias —
+// meaning the FGPAT lacks Issues:Read, but the main repo list is intact.
+func isIssuesPermissionError(err error) bool {
+	return err != nil && strings.EqualFold(err.Error(), "resource not accessible by personal access token")
+}
+
+// isFatalError returns true for errors that should stop pagination immediately
+// (auth failures, permission errors) rather than being retried.
+func isFatalError(err error) bool {
+	if err == nil {
+		return false
+	}
+	errStr := strings.ToLower(err.Error())
+	fatalPatterns := []string{
+		"401",
+		"403",
+		"bad credentials",
+		"requires authentication",
+		"must have push access",
+	}
+	for _, pattern := range fatalPatterns {
+		if strings.Contains(errStr, pattern) {
+			return true
+		}
+	}
+	return false
+}
+
 // isRetryableError returns true for transient server errors (5xx, network issues)
 // that are worth retrying.
 func isRetryableError(err error) bool {
 	if err == nil {
 		return false
 	}
 
+	if isFatalError(err) {
+		return false
+	}
+
 	// Type-based checks for network errors
 	var netErr net.Error
 	if errors.As(err, &netErr) {
