fix: propagate auth errors from getWorkItemTitle and short-circuit run() on addWorkItemsToPRBody auth failure (#186)

* fix: propagate auth errors from getWorkItemTitle and short-circuit run() on addWorkItemsToPRBody auth failure

Resolves #169: getWorkItemTitle() now uses detectAuthError() to identify
auth errors (401, 403, expired PAT) and returns { authError, errorMessage }
instead of silently returning null.

Resolves #172: addWorkItemsToPRBody() now returns { authError: true } on
auth failure so run() can short-circuit instead of continuing to execute
subsequent commit/PR checks.

Agent-Logs-Url: https://github.com/joshjohanning/azdo_commit_message_validator/sessions/6edbda9a-8711-4a1c-911d-58f076d74159

Co-authored-by: joshjohanning <19912012+joshjohanning@users.noreply.github.com>

* fix: change version bump from minor (4.2.0) to patch (4.1.2) since this is a bug fix

Agent-Logs-Url: https://github.com/joshjohanning/azdo_commit_message_validator/sessions/572dd5a6-60c2-48b1-bb60-11bd36236059

Co-authored-by: joshjohanning <19912012+joshjohanning@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: joshjohanning <19912012+joshjohanning@users.noreply.github.com>

Author: Copilot

__tests__/index.test.js

@@ -2820,7 +2820,42 @@ describe('Azure DevOps Commit Validator', () => {
         errorMessage: 'Access Denied: The Personal Access Token used has expired.'
       });
 
-      mockOctokit.paginate.mockResolvedValueOnce([]); // commits
+      await run();
+
+      expect(mockSetFailed).toHaveBeenCalledWith(expect.stringContaining('Personal Access Token (PAT) may be expired'));
+      expect(mockOctokit.rest.pulls.update).not.toHaveBeenCalled();
+      // Should short-circuit and not proceed to commit checks
+      expect(mockOctokit.paginate).not.toHaveBeenCalled();
+    });
+
+    it('should handle auth error from getWorkItemTitle in appendWorkItemTitlesToPRBody', async () => {
+      mockGetInput.mockImplementation(name => {
+        const inputs = {
+          'check-commits': 'false',
+          'check-pull-request': 'true',
+          'github-token': 'github-token',
+          'comment-on-failure': 'false',
+          'validate-work-item-exists': 'false',
+          'add-work-item-table': 'true',
+          'azure-devops-token': 'azdo-token',
+          'azure-devops-organization': 'my-org',
+          'add-work-item-from-branch': 'false'
+        };
+        return inputs[name] || '';
+      });
+
+      mockOctokit.rest.pulls.get.mockResolvedValue({
+        data: {
+          title: 'feat: new feature',
+          body: 'This PR implements AB#12345'
+        }
+      });
+
+      // Simulate auth error from getWorkItemTitle
+      mockGetWorkItemTitle.mockResolvedValue({
+        authError: true,
+        errorMessage: 'Access Denied: The Personal Access Token used has expired.'
+      });
 
       await run();
 

__tests__/link-work-item.test.js

@@ -367,6 +367,44 @@ describe('Azure DevOps Work Item Linker', () => {
       expect(mockWarning).toHaveBeenCalledWith(expect.stringContaining('failed to fetch work item 12345 title'));
     });
 
+    it('should return authError when PAT has expired (status 401)', async () => {
+      const error = new Error('Unauthorized');
+      error.statusCode = 401;
+      mockGetWorkItem.mockRejectedValue(error);
+
+      const { getWorkItemTitle } = await import('../src/link-work-item.js');
+      const result = await getWorkItemTitle('test-org', 'azdo-token', '12345');
+
+      expect(result).toEqual({ authError: true, errorMessage: 'Unauthorized' });
+      expect(mockError).toHaveBeenCalledWith(
+        expect.stringContaining('authentication error while fetching work item 12345 title')
+      );
+    });
+
+    it('should return authError when PAT has expired (status 403)', async () => {
+      const error = new Error('Forbidden');
+      error.statusCode = 403;
+      mockGetWorkItem.mockRejectedValue(error);
+
+      const { getWorkItemTitle } = await import('../src/link-work-item.js');
+      const result = await getWorkItemTitle('test-org', 'azdo-token', '12345');
+
+      expect(result).toEqual({ authError: true, errorMessage: 'Forbidden' });
+    });
+
+    it('should return authError when error message indicates access denied', async () => {
+      const error = new Error('Access Denied: The Personal Access Token used has expired.');
+      mockGetWorkItem.mockRejectedValue(error);
+
+      const { getWorkItemTitle } = await import('../src/link-work-item.js');
+      const result = await getWorkItemTitle('test-org', 'azdo-token', '12345');
+
+      expect(result).toEqual({
+        authError: true,
+        errorMessage: 'Access Denied: The Personal Access Token used has expired.'
+      });
+    });
+
     it('should handle missing title and type fields gracefully', async () => {
       mockGetWorkItem.mockResolvedValue({
         id: 12345,

badges/coverage.svg

@@ -1,6 +1,6 @@
 {
   "name": "azure-devops-work-item-link-enforcer-and-linker",
-  "version": "4.1.1",
+  "version": "4.1.2",
   "private": true,
   "type": "module",
   "description": "GitHub Action to enforce that each commit in a pull request be linked to an Azure DevOps work item and automatically link the pull request to each work item ",

package-lock.json

@@ -140,7 +140,7 @@ export async function run() {
 
     // Automatically add AB# tags from branch name if enabled
     if (addWorkItemFromBranch) {
-      await addWorkItemsToPRBody(
+      const branchResult = await addWorkItemsToPRBody(
         octokit,
         context,
         pullNumber,
@@ -149,6 +149,11 @@ export async function run() {
         branchWorkItemPrefixes,
         branchWorkItemMinDigits
       );
+
+      // If auth error was detected, stop processing - setFailed was already called
+      if (branchResult && branchResult.authError) {
+        return;
+      }
     }
 
     // Store work item to commit mapping and validation results
@@ -675,7 +680,7 @@ async function checkPullRequestForWorkItems(
 
       // Append work item titles to PR body if enabled
       if (addWorkItemTable && azureDevopsOrganization && azureDevopsToken) {
-        await appendWorkItemTitlesToPRBody(
+        const appendResult = await appendWorkItemTitlesToPRBody(
           octokit,
           context,
           pullNumber,
@@ -684,6 +689,12 @@ async function checkPullRequestForWorkItems(
           azureDevopsOrganization,
           azureDevopsToken
         );
+
+        if (appendResult && appendResult.authError) {
+          const authMessage = `Azure DevOps authentication failed while fetching work item titles. Your Personal Access Token (PAT) may be expired, revoked, or lack the required scopes. Details: ${appendResult.errorMessage}`;
+          core.setFailed(authMessage);
+          return { authError: true };
+        }
       }
 
       return [];
@@ -728,6 +739,11 @@ async function appendWorkItemTitlesToPRBody(
   for (const workItem of workItems) {
     const workItemNumber = workItem.substring(3); // Remove "AB#" prefix
     const workItemInfo = await getWorkItemTitle(azureDevopsOrganization, azureDevopsToken, workItemNumber);
+
+    if (workItemInfo && workItemInfo.authError) {
+      return { authError: true, errorMessage: workItemInfo.errorMessage };
+    }
+
     if (workItemInfo && workItemInfo.title) {
       workItemInfos.push({ id: workItemNumber, title: workItemInfo.title, type: workItemInfo.type });
       core.summary.addRaw(
@@ -828,6 +844,7 @@ export function extractWorkItemIdsFromBranch(branchName, prefixes, minDigits = 1
  * @param {string} azureDevopsToken - Azure DevOps PAT token
  * @param {string[]} branchPrefixes - Keyword prefixes for identifying work item IDs in branch names
  * @param {number} [minDigits=1] - Minimum number of digits for a work item ID
+ * @returns {Promise<{authError: true}|undefined>} - Auth error status if auth failed, undefined otherwise
  */
 async function addWorkItemsToPRBody(
   octokit,
@@ -891,7 +908,7 @@ async function addWorkItemsToPRBody(
     if (result.authError) {
       const authMessage = `Azure DevOps authentication failed while validating work items from branch. Your Personal Access Token (PAT) may be expired, revoked, or lack the required scopes. Details: ${result.errorMessage}`;
       core.setFailed(authMessage);
-      return;
+      return { authError: true };
     }
 
     if (result.exists) {

package.json

@@ -208,7 +208,7 @@ export async function validateWorkItemExists(devOpsOrg, azToken, workItemId) {
  * @param {string} devOpsOrg - Azure DevOps organization name
  * @param {string} azToken - Azure DevOps PAT token
  * @param {string} workItemId - Work item ID to fetch
- * @returns {Promise<{title: string, type: string}|null>} - Work item title and type, or null if not found
+ * @returns {Promise<{title: string, type: string}|{authError: true, errorMessage: string}|null>} - Work item title and type, auth error info, or null if not found
  */
 export async function getWorkItemTitle(devOpsOrg, azToken, workItemId) {
   try {
@@ -230,9 +230,14 @@ export async function getWorkItemTitle(devOpsOrg, azToken, workItemId) {
     core.warning(`... work item ${workItemId} not found`);
     return null;
   } catch (error) {
-    core.warning(
-      `... failed to fetch work item ${workItemId} title: ${error instanceof Error ? error.message : String(error)}`
-    );
+    const { isAuthError, message } = detectAuthError(error);
+
+    if (isAuthError) {
+      core.error(`... authentication error while fetching work item ${workItemId} title: ${message}`);
+      return { authError: true, errorMessage: message };
+    }
+
+    core.warning(`... failed to fetch work item ${workItemId} title: ${message}`);
     return null;
   }
 }