Conversation
There was a problem hiding this comment.
Pull request overview
This PR improves the user-facing error message for Dependabot alert API failures by adding a permission/scope hint when requests are denied, and updates unit tests to validate the new messaging.
Changes:
- Enhance Dependabot tool error messages by appending a token-permission hint for certain HTTP failures.
- Update/extend Dependabot tool tests to assert the improved error output for forbidden/not-found scenarios.
Show a summary per file
| File | Description |
|---|---|
| pkg/github/dependabot.go | Adds dependabotErrMsg helper to enrich Dependabot API error messages with token permission guidance. |
| pkg/github/dependabot_test.go | Updates and extends tests to assert the new token-permission hint is present in error results. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 2
| name: "alert fetch fails", | ||
| mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{ | ||
| GetReposDependabotAlertsByOwnerByRepoByAlertNumber: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { | ||
| w.WriteHeader(http.StatusNotFound) | ||
| _, _ = w.Write([]byte(`{"message": "Not Found"}`)) | ||
| }), | ||
| }), | ||
| requestArgs: map[string]any{ | ||
| "owner": "owner", | ||
| "repo": "repo", | ||
| "alertNumber": float64(9999), | ||
| }, | ||
| expectError: true, | ||
| expectedErrMsg: "failed to get alert", | ||
| expectedErrMsg: "Your token may not have access to Dependabot alerts on owner/repo", | ||
| }, |
There was a problem hiding this comment.
This test uses a 404 Not Found response but now asserts the token-permission hint. If the intent is to verify the hint for insufficient permissions, it would be clearer to use a 403/“Resource not accessible by integration” style response (and/or rename the case). Otherwise, consider adding a separate 404 “alert truly not found” case to ensure the hint isn’t shown for real missing alerts once the production logic is tightened.
| func dependabotErrMsg(base, owner, repo string, resp *github.Response) string { | ||
| if resp != nil && (resp.StatusCode == http.StatusForbidden || resp.StatusCode == http.StatusNotFound) { | ||
| return fmt.Sprintf("%s. Your token may not have access to Dependabot alerts on %s/%s. "+ | ||
| "To access Dependabot alerts, the token needs the 'security_events' scope or, for fine-grained tokens, "+ | ||
| "Dependabot alerts read permission for this specific repository.", | ||
| base, owner, repo) |
There was a problem hiding this comment.
dependabotErrMsg appends the token-permission hint for all 404 responses. A 404 can also mean the alert/repo genuinely doesn’t exist, so this risks presenting misleading guidance. Consider limiting the hint to 403 (or otherwise gating it on a stronger signal than status code alone) so “not found” failures don’t look like permission problems.
This pull request improves error handling for Dependabot alert API failures by providing more informative error messages when access is denied due to insufficient token permissions. It also updates and extends tests to verify these enhanced messages.
Why
When in environments where the github token is provided, like a codespace, the error message is a bit vague in helping the user understand why their tool call failed.
MCP impact
Prompts tested (tool changes only)
n/a
Security / limits
Tool renaming
deprecated_tool_aliases.goNote: if you're renaming tools, you must add the tool aliases. For more information on how to do so, please refer to the official docs.
Lint & tests
./script/lint./script/testDocs