Description

I am working on migrating repositories from ADO to Github via Github CLI with ado2gh extension. To begin with, I wanted to migrate one single repo to test and made use of migrate-repo command. I followed the process mentioned in the documentation and generated personal access tokens. However, the permissions assigned on the token for migration was not sufficient. It kept erroring out with "FORBIDDEN". I reviewed the documentation and permissions multiple times. Once I added admin:org permission to the token, the migration of the repo succeeded. Please update the documentation here to include the same. If having admin:org permission is not intended, please consider this a bug.

For now, I will continue to use the permissions that are working for me. Kindly let me know otherwise. Thanks!

Reproduction Steps:

Permissions mentioned in the documentation:

repo, read:org, workflow
Ref: Managing access for a migration from Azure DevOps

Permissions that worked:

repo, admin:org, workflow

Failure log:

`smunukutla-mycarrier@local ~ % gh ado2gh migrate-repo --ado-org MY_ADO_ORG--ado-team-project MY_ADO_PROJECT --ado-repo TEST_REPO --github-org MY_GH_ORG --github-repo TEST_REPO --target-repo-visibility private --verbose

[2024-03-12 15:14:44] [INFO] You are running an up-to-date version of the ado2gh CLI [v1.8.0]
[2024-03-12 15:14:44] [INFO] ADO ORG: MY_ADO_ORG
[2024-03-12 15:14:44] [INFO] ADO TEAM PROJECT: MY_ADO_PROJECT
[2024-03-12 15:14:44] [INFO] ADO REPO: TEST_REPO
[2024-03-12 15:14:44] [INFO] GITHUB ORG: MY_GH_ORG
[2024-03-12 15:14:44] [INFO] GITHUB REPO: TEST_REPO
[2024-03-12 15:14:44] [INFO] TARGET REPO VISIBILITY: private
[2024-03-12 15:14:44] [INFO] VERBOSE: true
[2024-03-12 15:14:44] [INFO] Migrating Repo...
[2024-03-12 15:14:44] [DEBUG] HTTP POST: https://api.github.com/graphql
[2024-03-12 15:14:45] [DEBUG] HTTP BODY: {"query":"query($login: String!) {organization(login: $login) { login, id, name } }","variables":{"login":"MY_GH_ORG"}}
[2024-03-12 15:14:45] [DEBUG] GITHUB REQUEST ID: EA65:0F8F:277D57B:4BD9C5E:65F0B7B5
[2024-03-12 15:14:45] [DEBUG] RESPONSE (OK): {"data":{"organization":{"login":"MY_GH_ORG","id":"xxxxxxxxx","name":"MY_GH_ORG"}}}
[2024-03-12 15:14:45] [DEBUG] HTTP POST: https://api.github.com/graphql
[2024-03-12 15:14:45] [DEBUG] HTTP BODY: {"query":"mutation createMigrationSource($name: String!, $url: String!, $ownerId: ID!, $type: MigrationSourceType!) { createMigrationSource(input: {name: $name, url: $url, ownerId: $ownerId, type: $type}) { migrationSource { id, name, url, type } } }","variables":{"name":"Azure DevOps Source","url":"https://dev.azure.com","ownerId":"xxxxxxxx,"type":"AZURE_DEVOPS"},"operationName":"createMigrationSource"}
[2024-03-12 15:14:45] [DEBUG] GITHUB REQUEST ID: EA65:0F8F:277D5E2:4BD9D02:65F0B7B5
[2024-03-12 15:14:45] [DEBUG] RESPONSE (OK): {"data":{"createMigrationSource":null},"errors":[{"type":"FORBIDDEN","path":["createMigrationSource"],"locations":[{"line":1,"column":109}],"message":"smunukutla-mycarrier does not have the correct permissions to execute CreateMigrationSource"}]}
[2024-03-12 15:14:45] [ERROR] OctoshiftCLI.OctoshiftCliException: smunukutla-mycarrier does not have the correct permissions to execute CreateMigrationSource. Please check that:
(a) you are a member of the MY_GH_ORG organization,
(b) you are an organization owner or you have been granted the migrator role and
(c) your personal access token has the correct scopes.
For more information, see https://docs.github.com/en/migrations/using-github-enterprise-importer/preparing-to-migrate-with-github-enterprise-importer/managing-access-for-github-enterprise-importer.
---> OctoshiftCLI.OctoshiftCliException: smunukutla-mycarrier does not have the correct permissions to execute CreateMigrationSource
at OctoshiftCLI.Services.GithubClient.EnsureSuccessGraphQLResponse(JObject response)
at OctoshiftCLI.Services.GithubClient.PostGraphQLAsync(String url, Object body, Dictionary2 customHeaders) at OctoshiftCLI.Services.GithubApi.CreateAdoMigrationSource(String orgId, String adoServerUrl) at OctoshiftCLI.AdoToGithub.Commands.MigrateRepo.MigrateRepoCommandHandler.Handle(MigrateRepoCommandArgs args) --- End of inner exception stack trace --- at OctoshiftCLI.AdoToGithub.Commands.MigrateRepo.MigrateRepoCommandHandler.Handle(MigrateRepoCommandArgs args) at OctoshiftCLI.Extensions.CommandExtensions.RunHandler[TArgs,THandler](TArgs args, ServiceProvider sp, CommandBase2 command)
at OctoshiftCLI.Extensions.CommandExtensions.<>c__DisplayClass1_03.<<ConfigureCommand>b__0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Invocation.AnonymousCommandHandler.InvokeAsync(InvocationContext ) at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass17_0.<<UseParseErrorReporting>b__0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass12_0.<<UseHelp>b__0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseVersionOption>b__0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass19_0.<<UseTypoCorrections>b__0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__18_0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseParseDirective>b__0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__5_0>d.MoveNext() --- End of stack trace from previous location --- at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass8_0.<<UseExceptionHandler>b__0>d.MoveNext()

@smunukutla-mycarrier there are 2 roles we have for migrations Organization owner and Migrator as fine grained permission role granted by another API. For an Organization owner you would need repo, admin:org, workflow vs repo, read:org, workflow if you are a Migrator. Here are docs about migrator role. Hope that helps to add some clarity.