fix: handle Group Access Token permissions correctly when project/group access are null

Co-authored-by: fgreinacher <[email protected]>

Author: Copilot

lib/verify.js

@@ -60,23 +60,70 @@ export default async (pluginConfig, context) => {
     logger.log("Verify GitLab authentication (%s)", gitlabApiUrl);
 
     try {
-      ({
-        permissions: { project_access: projectAccess, group_access: groupAccess },
-      } = await got
+      const projectData = await got
         .get(projectApiUrl, {
           headers: { "PRIVATE-TOKEN": gitlabToken },
           ...proxy,
         })
-        .json());
-      if (
-        context.options.dryRun &&
-        !((projectAccess && projectAccess.access_level >= 10) || (groupAccess && groupAccess.access_level >= 10))
-      ) {
-        errors.push(getError("EGLNOPULLPERMISSION", { projectPath }));
-      } else if (
-        !((projectAccess && projectAccess.access_level >= 30) || (groupAccess && groupAccess.access_level >= 30))
-      ) {
-        errors.push(getError("EGLNOPUSHPERMISSION", { projectPath }));
+        .json();
+
+      ({
+        permissions: { project_access: projectAccess, group_access: groupAccess },
+      } = projectData);
+
+      // Check if we have direct project or group access
+      const hasDirectPushAccess =
+        (projectAccess && projectAccess.access_level >= 30) || (groupAccess && groupAccess.access_level >= 30);
+      const hasDirectPullAccess =
+        (projectAccess && projectAccess.access_level >= 10) || (groupAccess && groupAccess.access_level >= 10);
+
+      // Original logic for direct access
+      if (context.options.dryRun && !hasDirectPullAccess) {
+        // If we have explicit low permissions, fail immediately
+        if ((projectAccess && projectAccess.access_level < 10) || (groupAccess && groupAccess.access_level < 10)) {
+          errors.push(getError("EGLNOPULLPERMISSION", { projectPath }));
+        } else if (!projectAccess && !groupAccess) {
+          // If both are null, try alternative permission verification for pull access
+          try {
+            await got
+              .get(`${projectApiUrl}/repository/branches`, {
+                headers: { "PRIVATE-TOKEN": gitlabToken },
+                ...proxy,
+              })
+              .json();
+            debug("Verified pull permissions through branches endpoint");
+          } catch (pullError) {
+            if (pullError.response && pullError.response.statusCode === 403) {
+              errors.push(getError("EGLNOPULLPERMISSION", { projectPath }));
+            } else {
+              // For other errors, assume permission granted to avoid false negatives
+              debug("Pull permission check failed with non-403 error, assuming access granted");
+            }
+          }
+        }
+      } else if (!hasDirectPushAccess) {
+        // If we have explicit low permissions, fail immediately
+        if ((projectAccess && projectAccess.access_level < 30) || (groupAccess && groupAccess.access_level < 30)) {
+          errors.push(getError("EGLNOPUSHPERMISSION", { projectPath }));
+        } else if (!projectAccess && !groupAccess) {
+          // If both are null, try alternative permission verification
+          try {
+            await got
+              .get(`${projectApiUrl}/variables`, {
+                headers: { "PRIVATE-TOKEN": gitlabToken },
+                ...proxy,
+              })
+              .json();
+            debug("Verified push permissions through variables endpoint");
+          } catch (permissionError) {
+            if (permissionError.response && permissionError.response.statusCode === 403) {
+              errors.push(getError("EGLNOPUSHPERMISSION", { projectPath }));
+            } else {
+              // For other errors, assume permission granted to avoid false negatives
+              debug("Push permission check failed with non-403 error, assuming access granted");
+            }
+          }
+        }
       }
     } catch (error) {
       if (error.response && error.response.statusCode === 401) {

test/verify.test.js

@@ -988,3 +988,121 @@ test.serial(
     t.true(gitlab.isDone());
   }
 );
+
+test.serial(
+  "Throw SemanticReleaseError for group access token with null permissions (shared_with_groups scenario)",
+  async (t) => {
+    const owner = "test_user";
+    const repo = "test_repo";
+    const env = { GL_TOKEN: "group_access_token" };
+    const gitlab = authenticate(env)
+      .get(`/projects/${owner}%2F${repo}`)
+      .reply(200, {
+        permissions: {
+          project_access: null,
+          group_access: null,
+        },
+        shared_with_groups: [
+          {
+            group_id: 123,
+            group_name: "test_group",
+            group_full_path: "test_group",
+            group_access_level: 40,
+            expires_at: null,
+          },
+        ],
+      })
+      .get(`/projects/${owner}%2F${repo}/variables`)
+      .reply(403);
+
+    const {
+      errors: [error, ...errors],
+    } = await t.throwsAsync(
+      verify(
+        {},
+        { env, options: { repositoryUrl: `https://gitlab.com:${owner}/${repo}.git` }, logger: t.context.logger }
+      )
+    );
+
+    t.is(errors.length, 0);
+    t.is(error.name, "SemanticReleaseError");
+    t.is(error.code, "EGLNOPUSHPERMISSION");
+    t.true(gitlab.isDone());
+  }
+);
+
+test.serial(
+  "Verify token and repository access with null permissions but successful permission test (group access token)",
+  async (t) => {
+    const owner = "test_user";
+    const repo = "test_repo";
+    const env = { GL_TOKEN: "group_access_token" };
+    const gitlab = authenticate(env)
+      .get(`/projects/${owner}%2F${repo}`)
+      .reply(200, {
+        permissions: {
+          project_access: null,
+          group_access: null,
+        },
+        shared_with_groups: [
+          {
+            group_id: 123,
+            group_name: "test_group",
+            group_full_path: "test_group",
+            group_access_level: 40,
+            expires_at: null,
+          },
+        ],
+      })
+      .get(`/projects/${owner}%2F${repo}/variables`)
+      .reply(200, []);
+
+    await t.notThrowsAsync(
+      verify(
+        {},
+        { env, options: { repositoryUrl: `https://gitlab.com/${owner}/${repo}.git` }, logger: t.context.logger }
+      )
+    );
+    t.true(gitlab.isDone());
+  }
+);
+
+test.serial(
+  "Throw SemanticReleaseError for insufficient group access level even with shared_with_groups",
+  async (t) => {
+    const owner = "test_user";
+    const repo = "test_repo";
+    const env = { GL_TOKEN: "group_access_token" };
+    const gitlab = authenticate(env)
+      .get(`/projects/${owner}%2F${repo}`)
+      .reply(200, {
+        permissions: {
+          project_access: null,
+          group_access: { access_level: 20 }, // Reporter level, insufficient for push
+        },
+        shared_with_groups: [
+          {
+            group_id: 123,
+            group_name: "test_group",
+            group_full_path: "test_group",
+            group_access_level: 40,
+            expires_at: null,
+          },
+        ],
+      });
+
+    const {
+      errors: [error, ...errors],
+    } = await t.throwsAsync(
+      verify(
+        {},
+        { env, options: { repositoryUrl: `https://gitlab.com/${owner}/${repo}.git` }, logger: t.context.logger }
+      )
+    );
+
+    t.is(errors.length, 0);
+    t.is(error.name, "SemanticReleaseError");
+    t.is(error.code, "EGLNOPUSHPERMISSION");
+    t.true(gitlab.isDone());
+  }
+);