Merge endpoint for pull request returns 403 with PAT

[io7m]

Select Topic Area

Question

Body

Hello!

I am the owner of the io7m-com organization. I have a pull request on a test repository here:

io7m-com/testartifact#35

There are no branch protection rules on the testartifact repository, and no restrictions (that I'm aware of) at the organization level on merging PRs.

I have issued myself a PAT, and have given the PAT read/write access to Contents in line with what the documentation says the endpoint requires:

https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28
https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28#repository-permissions-for-contents

PUT /repos/{owner}/{repo}/pulls/{pull_number}/merge write

However, if I PUT a simple JSON object {} (the documentation doesn't say any parameters are required) to https://api.github.com/repos/io7m-com/testartifact/pulls/35/merge, I get:

{
  "message" : "Resource not accessible by personal access token",
  "documentation_url" : "https://docs.github.com/rest/pulls/pulls#merge-a-pull-request",
  "status" : "403"
}

I am able to use the token to perform various read operations, so it's not a matter of not including the token in requests or anything like that. What am I doing wrong?

[phgoncalves2603]

That error message:

"Resource not accessible by personal access token"

usually means your fine-grained personal access token (PAT) doesn’t have the exact permissions GitHub needs for that specific API call.

Even though you gave it Contents: Read/Write, that permission only covers things like pushing commits or updating files.
To merge a pull request, the token also needs Pull requests: Read/Write access.

Here’s what to check

Go to your Personal Access Tokens (fine-grained)
settings.

Edit your token (or make a new one).
Under Repository permissions, make sure these are set:
Contents: Read and write
Pull requests: Read and write

Make sure the token is allowed to access the io7m-com/testartifact repository (fine-grained tokens can be repo-specific).

Save and try the request again.

Your call should look like this:

curl \
  -X PUT \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/vnd.github+json" \
  https://api.github.com/repos/io7m-com/testartifact/pulls/35/merge \
  -d '{}'

[io7m]

Still no change, unfortunately. The same 403 error. The current token configuration:

[io7m]

The problem was that the access token was owned by my account instead of the organization. 🤦

Edit: Set the "resource owner" to that of the organization in the token settings.