From 4204248bc337e87fe94cf93b06f22495f6c7f2b8 Mon Sep 17 00:00:00 2001
From: Derek Nola <derek.nola@suse.com>
Date: Tue, 9 Jul 2024 08:36:56 -0700
Subject: [PATCH] Check for bad token permissions when install via PR (#10387)

* Check for bad token permissions when install via PR

Signed-off-by: Derek Nola <derek.nola@suse.com>
---
 install.sh           | 10 +++++++---
 install.sh.sha256sum |  2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/install.sh b/install.sh
index e618672be1..cf72346f6d 100755
--- a/install.sh
+++ b/install.sh
@@ -482,11 +482,15 @@ get_pr_artifact_url() {
     fi
 
     if [ -z "${GITHUB_TOKEN}" ]; then
-        fatal "Installing PR builds requires GITHUB_TOKEN with k3s-io/k3s repo authorization"
+        fatal "Installing PR builds requires GITHUB_TOKEN with k3s-io/k3s repo permissions"
     fi
-
     # GET request to the GitHub API to retrieve the latest commit SHA from the pull request
-    commit_id=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "$github_api_url/pulls/$INSTALL_K3S_PR" | jq -r '.head.sha')
+    pr_raw=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "$github_api_url/pulls/$INSTALL_K3S_PR")
+    
+    if ! echo "$pr_raw" | grep -q "Bad credentials.*401" ; then
+        fatal "Installing PR builds requires GITHUB_TOKEN with k3s-io/k3s repo permissions"
+    fi
+    commit_id=$( echo "$pr_raw" | jq -r '.head.sha')
     
     # GET request to the GitHub API to retrieve the Build workflow associated with the commit
     wf_raw=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "$github_api_url/commits/$commit_id/check-runs")
diff --git a/install.sh.sha256sum b/install.sh.sha256sum
index 2cc7336957..2a09542d1f 100644
--- a/install.sh.sha256sum
+++ b/install.sh.sha256sum
@@ -1 +1 @@
-696c6a93262b3e1f06a78841b8a82c238a8f17755824c024baad652b18bc92bc  install.sh
+2e2469498e1d6a5dcd97d0eeae342298500b27fe0768527ea8039a3295cdbce9  install.sh