fix: improve error message when ref listing fails (#1293)

Author: woodruffw

crates/zizmor/src/github.rs

@@ -148,6 +148,9 @@ pub(crate) enum ClientError {
     /// between listing and fetching it.
     #[error("couldn't fetch file {file} from {slug}: is the branch/tag being modified?")]
     FileTOCTOU { file: String, slug: String },
+    /// An accessed repository is missing or private.
+    #[error("can't access {owner}/{repo}: missing or you have no access")]
+    RepoMissingOrPrivate { owner: String, repo: String },
     /// Any of the errors above, wrapped from concurrent contexts.
     #[error(transparent)]
     Inner(#[from] Arc<ClientError>),
@@ -372,8 +375,20 @@ impl Client {
                     .body(req)
                     .basic_auth("x-access-token", Some(&self.token.0))
                     .send()
-                    .await?
-                    .error_for_status()?;
+                    .await?;
+
+                let resp = match resp.status() {
+                    StatusCode::OK => Ok(resp),
+                    // NOTE: Versions of zizmor prior to 1.16.0 would silently
+                    // skip private or missing repositories, as branch/tag lookups
+                    // were done as a binary present/absent check. This caused
+                    // false negatives.
+                    StatusCode::NOT_FOUND => Err(ClientError::RepoMissingOrPrivate {
+                        owner: owner.to_string(),
+                        repo: repo.to_string(),
+                    }),
+                    _ => Err(resp.error_for_status().unwrap_err().into()),
+                }?;
 
                 let mut remote_refs = vec![];
                 let content = resp.bytes().await?;

crates/zizmor/tests/integration/e2e.rs

@@ -75,7 +75,7 @@ fn menagerie() -> Result<()> {
             .output(OutputMode::Both)
             .args(["--collect=all"])
             .input(input_under_test("e2e-menagerie"))
-            .run()?
+            .run()?,
     );
 
     Ok(())
@@ -367,3 +367,31 @@ fn issue_1207() -> Result<()> {
 
     Ok(())
 }
+
+/// Regression test for #1286.
+///
+/// Ensures that we produce a useful error when a user's input references
+/// a private (or missing) repository.
+#[cfg_attr(not(feature = "gh-token-tests"), ignore)]
+#[test]
+fn issue_1286() -> Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+            .expects_failure(true)
+            .output(OutputMode::Both)
+            .offline(false)
+            .input(input_under_test("issue-1286.yml"))
+            .run()?,
+        @r"
+    🌈 zizmor v@@VERSION@@
+    fatal: no audit was performed
+    ref-confusion failed on file://@@INPUT@@
+
+    Caused by:
+        0: couldn't list branches for woodruffw-experiments/this-does-not-exist
+        1: can't access woodruffw-experiments/this-does-not-exist: missing or you have no access
+    ",
+    );
+
+    Ok(())
+}

crates/zizmor/tests/integration/test-data/issue-1286.yml

@@ -0,0 +1,19 @@
+# repro for #1286
+
+name: issue-1286-repro
+
+on: [push, pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  issue-1286-repro:
+    name: issue-1286-repro
+    runs-on: ubuntu-latest
+    steps:
+      - name: private
+        uses: woodruffw-experiments/[email protected]

docs/release-notes.md

@@ -9,6 +9,12 @@ of `zizmor`.
 
 ## Next (UNRELEASED)
 
+### Enhancements 🌱
+
+* `zizmor` now produces a more useful error message when asked to indirectly
+  access a nonexistent or private repository via a `uses:` clause (without
+  a sufficiently privileged GitHub token) (#1293)
+
 ## 1.16.0
 
 ### New Features 🌈