review feedback

burmudar · burmudar · commit cd32acb50de2 · 2026-03-25T16:16:29.000+02:00
- rename `RequireAccessToken` to `checkIfCIAccessTokenRequired`
- provide more context in error on why it happened
diff --git a/cmd/src/main.go b/cmd/src/main.go
@@ -82,7 +82,7 @@ var (
 
 	errConfigMerge                 = errors.New("when using a configuration file, zero or all environment variables must be set")
 	errConfigAuthorizationConflict = errors.New("when passing an 'Authorization' additional headers, SRC_ACCESS_TOKEN must never be set")
-	errCIAccessTokenRequired       = errors.New("SRC_ACCESS_TOKEN must be set in CI")
+	errCIAccessTokenRequired       = errors.New("CI is true and SRC_ACCESS_TOKEN is not set or empty. When running in CI OAuth tokens cannot be used, only SRC_ACCESS_TOKEN. Either set CI=false or define a SRC_ACCESS_TOKEN")
 )
 
 // commands contains all registered subcommands.
@@ -168,6 +168,9 @@ func (c *config) InCI() bool {
 }
 
 func (c *config) requireCIAccessToken() error {
+	// In CI we typically do not have access to the keyring and the machine is also typically headless
+	// we therefore require SRC_ACCESS_TOKEN to be set when in CI.
+	// If someone really wants to run with OAuth in CI they can temporarily do CI=false
 	if c.InCI() && c.AuthMode() != AuthModeAccessToken {
 		return errCIAccessTokenRequired
 	}
@@ -178,14 +181,14 @@ func (c *config) requireCIAccessToken() error {
 // apiClient returns an api.Client built from the configuration.
 func (c *config) apiClient(flags *api.Flags, out io.Writer) api.Client {
 	opts := api.ClientOpts{
-		EndpointURL:        c.endpointURL,
-		AccessToken:        c.accessToken,
-		AdditionalHeaders:  c.additionalHeaders,
-		Flags:              flags,
-		Out:                out,
-		ProxyURL:           c.proxyURL,
-		ProxyPath:          c.proxyPath,
-		RequireAccessToken: c.InCI(),
+		EndpointURL:            c.endpointURL,
+		AccessToken:            c.accessToken,
+		AdditionalHeaders:      c.additionalHeaders,
+		Flags:                  flags,
+		Out:                    out,
+		ProxyURL:               c.proxyURL,
+		ProxyPath:              c.proxyPath,
+		RequireAccessTokenInCI: c.InCI(),
 	}
 
 	// Only use OAuth if we do not have SRC_ACCESS_TOKEN set
diff --git a/internal/api/api.go b/internal/api/api.go
@@ -6,6 +6,7 @@ import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -71,10 +72,10 @@ type request struct {
 
 // ClientOpts encapsulates the options given to NewClient.
 type ClientOpts struct {
-	EndpointURL        *url.URL
-	AccessToken        string
-	AdditionalHeaders  map[string]string
-	RequireAccessToken bool
+	EndpointURL            *url.URL
+	AccessToken            string
+	AdditionalHeaders      map[string]string
+	RequireAccessTokenInCI bool
 
 	// Flags are the standard API client flags provided by NewFlags. If nil,
 	// default values will be used.
@@ -139,20 +140,20 @@ func NewClient(opts ClientOpts) Client {
 
 	return &client{
 		opts: ClientOpts{
-			EndpointURL:        opts.EndpointURL,
-			AccessToken:        opts.AccessToken,
-			AdditionalHeaders:  opts.AdditionalHeaders,
-			RequireAccessToken: opts.RequireAccessToken,
-			Flags:              flags,
-			Out:                opts.Out,
+			EndpointURL:            opts.EndpointURL,
+			AccessToken:            opts.AccessToken,
+			AdditionalHeaders:      opts.AdditionalHeaders,
+			RequireAccessTokenInCI: opts.RequireAccessTokenInCI,
+			Flags:                  flags,
+			Out:                    opts.Out,
 		},
 		httpClient: httpClient,
 	}
 }
 
-func (c *client) requireAccessToken() error {
-	if c.opts.RequireAccessToken && c.opts.AccessToken == "" {
-		return fmt.Errorf("SRC_ACCESS_TOKEN must be set in CI")
+func (c *client) checkIfCIAccessTokenRequired() error {
+	if c.opts.RequireAccessTokenInCI && c.opts.AccessToken == "" {
+		return errors.New("SRC_ACCESS_TOKEN must be set when CI=true")
 	}
 
 	return nil
@@ -183,7 +184,7 @@ func (c *client) NewHTTPRequest(ctx context.Context, method, p string, body io.R
 }
 
 func (c *client) createHTTPRequest(ctx context.Context, method, p string, body io.Reader) (*http.Request, error) {
-	if err := c.requireAccessToken(); err != nil {
+	if err := c.checkIfCIAccessTokenRequired(); err != nil {
 		return nil, err
 	}
 
@@ -216,7 +217,7 @@ func (c *client) createHTTPRequest(ctx context.Context, method, p string, body i
 }
 
 func (r *request) do(ctx context.Context, result any) (bool, error) {
-	if err := r.client.requireAccessToken(); err != nil {
+	if err := r.client.checkIfCIAccessTokenRequired(); err != nil {
 		return false, err
 	}
 
