Command 'ok-to-test' is not configured for the user's permission level 'none' for GitHub Teams

[sfc-gh-jcieslak]

Recently, we had to migrate our repository from one organization to another. Because of that, we had to configure some things again (like GitHub apps to use slash-command-dispatch). Today, I tested our slash command, and it didn't work. It failed with the Command 'ok-to-test' is not configured for the user's permission level 'none' error. Our setup from other organizations is pretty much the same (except for one thing explained later).

After a few tests, it seems like this function:

slash-command-dispatch/src/github-helper.ts

Lines 58 to 84 in 13bc097

	async getActorPermission(repo: Repository, actor: string): Promise<string> {
	// https://docs.github.com/en/graphql/reference/enums#repositorypermission
	// https://docs.github.com/en/graphql/reference/objects#repositorycollaboratoredge
	// Returns 'READ', 'TRIAGE', 'WRITE', 'MAINTAIN', 'ADMIN'
	const query = `query CollaboratorPermission($owner: String!, $repo: String!, $collaborator: String) {
	repository(owner:$owner, name:$repo) {
	collaborators(login: $collaborator) {
	edges {
	permission
	}
	}
	}
	}`
	const collaboratorPermission =
	await this.octokit.graphql<CollaboratorPermission>(query, {
	...repo,
	collaborator: actor
	})
	core.debug(
	`CollaboratorPermission: ${inspect(
	collaboratorPermission.repository.collaborators.edges
	)}`
	)
	return collaboratorPermission.repository.collaborators.edges.length > 0
	? collaboratorPermission.repository.collaborators.edges[0].permission.toLowerCase()
	: 'none'
	}

causes this problem. It cannot find privileges for the user that triggers the event because the privileges our privileges are assigned to a team that is a collaborator of the project. After adding myself as an individual collaborator, I was able to trigger the necessary workflow and the Command 'ok-to-test' is not configured for the user's permission level 'none' error wasn't showing up. I saw that there's an issue with nested teams, but our team is not nested; it's just a regular GH team.

I generated a token from the same application I use in GitHub and used it to call the same GraphQL query and REST alternative. I'm not familiar with GH API, but I tested a similar REST endpoint, GET /repos/{owner}/{repo}/collaborators/{collaborator}/permission, which shows more than the GraphQL one. GraphQL returned an empty list, and the REST endpoint returned proper permission to the repository.
REST returned:

{
  data: {
   ...
   permission: 'admin',
   user: {
      ...
      role_name: 'admin',
   },
   role_name: 'admin',
  }
}

GraphQL returned:

{ repository: { collaborators: { edges: [] } } }

Please let us know if anything else needs to be checked on our side or if the function mentioned could be transformed to use the REST endpoint instead of the GraphQL one (or if there's something else that can be done to get the same/similar results). Thanks.

[sfc-gh-jcieslak]

Hey @peter-evans, could you take a look at the message above?

Also, we found the following error in another project:

Check run status and conclusions can only be updated internally by GitHub Actions. Please see https://github.blog/changelog/2025-02-12-notice-of-upcoming-deprecations-and-breaking-changes-for-github-actions/#changes-to-check-run-status-modification

It seems there are some changes in GitHub that may prevent certain actions.