fix: improve error message when PAT is expired or unauthorized (#168)

* fix: improve error message when PAT is expired or unauthorized

When the Azure DevOps PAT is expired, revoked, or lacks required scopes,
the action now fails with a clear authentication error message instead of
misleadingly reporting that work items do not exist.

Detects auth errors by checking HTTP status codes (401/403) and error
message patterns (e.g. 'Access Denied', 'Personal Access Token expired').

Fixes #167

* chore: bumping version

* fix: propagate auth error from PR validation to prevent false success

When the PR check path encounters a PAT auth error, return a structured
object with authError flag instead of an empty array. The run() function
now detects this and early-returns, preventing the success path from
incorrectly updating comments or reporting work items as valid.

Addresses review feedback from PR #168.

Author: joshjohanning

__tests__/index.test.js

@@ -128,7 +128,7 @@ describe('Azure DevOps Commit Validator', () => {
     mockContext.payload.pull_request = { number: 42 };
 
     // Default mock for validateWorkItemExists (returns true by default)
-    mockValidateWorkItemExists.mockResolvedValue(true);
+    mockValidateWorkItemExists.mockResolvedValue({ exists: true });
 
     // Default mock for getWorkItemTitle
     mockGetWorkItemTitle.mockResolvedValue({ title: 'Test Work Item', type: 'User Story' });
@@ -1007,7 +1007,7 @@ describe('Azure DevOps Commit Validator', () => {
         }
       });
 
-      mockValidateWorkItemExists.mockResolvedValue(true);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: true });
       mockGetWorkItemTitle.mockResolvedValue({ title: 'Fix login bug', type: 'Bug' });
 
       await run();
@@ -1795,7 +1795,7 @@ describe('Azure DevOps Commit Validator', () => {
       });
 
       // Mock work item validation to return false (work item doesn't exist)
-      mockValidateWorkItemExists.mockResolvedValue(false);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: false });
 
       await run();
 
@@ -1828,14 +1828,80 @@ describe('Azure DevOps Commit Validator', () => {
       });
 
       // Mock work item validation to return true (work item exists)
-      mockValidateWorkItemExists.mockResolvedValue(true);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: true });
 
       await run();
 
       expect(mockSetFailed).not.toHaveBeenCalled();
       expect(mockValidateWorkItemExists).toHaveBeenCalledWith('test-org', 'azdo-token', '12345');
     });
 
+    it('should fail with auth error message when PAT is expired', async () => {
+      mockGetInput.mockImplementation(name => {
+        if (name === 'check-commits') return 'true';
+        if (name === 'check-pull-request') return 'false';
+        if (name === 'validate-work-item-exists') return 'true';
+        if (name === 'azure-devops-token') return 'azdo-token';
+        if (name === 'azure-devops-organization') return 'test-org';
+        if (name === 'github-token') return 'github-token';
+        if (name === 'comment-on-failure') return 'false';
+        return 'false';
+      });
+
+      mockOctokit.rest.pulls.listCommits.mockResolvedValue({
+        data: [
+          {
+            sha: 'abc123',
+            commit: {
+              message: 'feat: add feature AB#12345'
+            }
+          }
+        ]
+      });
+
+      mockValidateWorkItemExists.mockResolvedValue({
+        exists: false,
+        authError: true,
+        errorMessage: 'Access Denied: The Personal Access Token used has expired.'
+      });
+
+      await run();
+
+      expect(mockSetFailed).toHaveBeenCalledWith(expect.stringContaining('Personal Access Token (PAT) may be expired'));
+    });
+
+    it('should fail with auth error message when PAT is expired during PR check', async () => {
+      mockGetInput.mockImplementation(name => {
+        if (name === 'check-commits') return 'false';
+        if (name === 'check-pull-request') return 'true';
+        if (name === 'validate-work-item-exists') return 'true';
+        if (name === 'azure-devops-token') return 'azdo-token';
+        if (name === 'azure-devops-organization') return 'test-org';
+        if (name === 'github-token') return 'github-token';
+        if (name === 'comment-on-failure') return 'false';
+        return 'false';
+      });
+
+      mockOctokit.rest.pulls.get.mockResolvedValue({
+        data: {
+          title: 'feat: new feature AB#12345',
+          body: ''
+        }
+      });
+
+      mockValidateWorkItemExists.mockResolvedValue({
+        exists: false,
+        authError: true,
+        errorMessage: 'Access Denied: The Personal Access Token used has expired.'
+      });
+
+      await run();
+
+      expect(mockSetFailed).toHaveBeenCalledWith(expect.stringContaining('Personal Access Token (PAT) may be expired'));
+      // Should NOT report invalid work items - auth error takes precedence
+      expect(mockSetFailed).not.toHaveBeenCalledWith(expect.stringContaining('do not exist'));
+    });
+
     it('should update existing invalid work item comment to success when work items are fixed', async () => {
       mockGetInput.mockImplementation(name => {
         if (name === 'check-commits') return 'true';
@@ -1870,7 +1936,7 @@ describe('Azure DevOps Commit Validator', () => {
       });
 
       // Mock work item validation to return true (work item now exists)
-      mockValidateWorkItemExists.mockResolvedValue(true);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: true });
 
       await run();
 
@@ -1944,7 +2010,7 @@ describe('Azure DevOps Commit Validator', () => {
       });
 
       // Mock both work items as invalid
-      mockValidateWorkItemExists.mockResolvedValue(false);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: false });
 
       await run();
 
@@ -1978,7 +2044,7 @@ describe('Azure DevOps Commit Validator', () => {
       });
 
       // Mock both work items as invalid
-      mockValidateWorkItemExists.mockResolvedValue(false);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: false });
 
       await run();
 
@@ -2024,7 +2090,7 @@ describe('Azure DevOps Commit Validator', () => {
       });
 
       // Mock both work items as invalid
-      mockValidateWorkItemExists.mockResolvedValue(false);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: false });
 
       await run();
 
@@ -2076,7 +2142,7 @@ describe('Azure DevOps Commit Validator', () => {
       });
 
       // Mock both work items as invalid
-      mockValidateWorkItemExists.mockResolvedValue(false);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: false });
 
       await run();
 
@@ -2133,7 +2199,7 @@ describe('Azure DevOps Commit Validator', () => {
       });
 
       // Mock both work items as invalid
-      mockValidateWorkItemExists.mockResolvedValue(false);
+      mockValidateWorkItemExists.mockResolvedValue({ exists: false });
 
       await run();
 

__tests__/link-work-item.test.js

@@ -244,7 +244,7 @@ describe('Azure DevOps Work Item Linker', () => {
   });
 
   describe('validateWorkItemExists', () => {
-    it('should return true when work item exists', async () => {
+    it('should return { exists: true } when work item exists', async () => {
       // Mock getWorkItem to return a valid work item
       mockGetWorkItem.mockResolvedValue({
         id: 12345,
@@ -256,11 +256,11 @@ describe('Azure DevOps Work Item Linker', () => {
       const { validateWorkItemExists } = await import('../src/link-work-item.js');
       const result = await validateWorkItemExists('test-org', 'azdo-token', '12345');
 
-      expect(result).toBe(true);
+      expect(result).toEqual({ exists: true });
       expect(mockGetWorkItem).toHaveBeenCalledWith(12345);
     });
 
-    it('should return false when work item does not exist (404)', async () => {
+    it('should return { exists: false } when work item does not exist (404)', async () => {
       // Mock getWorkItem to throw a 404 error
       const error = new Error('Work item not found');
       error.statusCode = 404;
@@ -269,20 +269,56 @@ describe('Azure DevOps Work Item Linker', () => {
       const { validateWorkItemExists } = await import('../src/link-work-item.js');
       const result = await validateWorkItemExists('test-org', 'azdo-token', '99999');
 
-      expect(result).toBe(false);
+      expect(result).toEqual({ exists: false });
       expect(mockGetWorkItem).toHaveBeenCalledWith(99999);
     });
 
-    it('should return false when work item API call fails', async () => {
+    it('should return { exists: false } when work item API call fails', async () => {
       // Mock getWorkItem to throw a network error
       mockGetWorkItem.mockRejectedValue(new Error('Network error'));
 
       const { validateWorkItemExists } = await import('../src/link-work-item.js');
       const result = await validateWorkItemExists('test-org', 'azdo-token', '12345');
 
-      expect(result).toBe(false);
+      expect(result).toEqual({ exists: false });
       expect(mockGetWorkItem).toHaveBeenCalledWith(12345);
     });
+
+    it('should return authError when PAT has expired (status 401)', async () => {
+      const error = new Error('Unauthorized');
+      error.statusCode = 401;
+      mockGetWorkItem.mockRejectedValue(error);
+
+      const { validateWorkItemExists } = await import('../src/link-work-item.js');
+      const result = await validateWorkItemExists('test-org', 'azdo-token', '12345');
+
+      expect(result).toEqual({ exists: false, authError: true, errorMessage: 'Unauthorized' });
+    });
+
+    it('should return authError when PAT has expired (status 403)', async () => {
+      const error = new Error('Forbidden');
+      error.statusCode = 403;
+      mockGetWorkItem.mockRejectedValue(error);
+
+      const { validateWorkItemExists } = await import('../src/link-work-item.js');
+      const result = await validateWorkItemExists('test-org', 'azdo-token', '12345');
+
+      expect(result).toEqual({ exists: false, authError: true, errorMessage: 'Forbidden' });
+    });
+
+    it('should return authError when error message indicates expired PAT', async () => {
+      const error = new Error('Access Denied: The Personal Access Token used has expired.');
+      mockGetWorkItem.mockRejectedValue(error);
+
+      const { validateWorkItemExists } = await import('../src/link-work-item.js');
+      const result = await validateWorkItemExists('test-org', 'azdo-token', '12345');
+
+      expect(result).toEqual({
+        exists: false,
+        authError: true,
+        errorMessage: 'Access Denied: The Personal Access Token used has expired.'
+      });
+    });
   });
 
   describe('getWorkItemTitle', () => {

badges/coverage.svg

@@ -1,6 +1,6 @@
 {
   "name": "azure-devops-work-item-link-enforcer-and-linker",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "private": true,
   "type": "module",
   "description": "GitHub Action to enforce that each commit in a pull request be linked to an Azure DevOps work item and automatically link the pull request to each work item ",

package-lock.json

@@ -109,12 +109,17 @@ export async function run() {
       );
       workItemToCommitMap = commitResults.workItemToCommitMap;
       invalidWorkItemsFromCommits = commitResults.invalidWorkItems;
+
+      // If auth error was detected, stop processing - setFailed was already called
+      if (commitResults.authError) {
+        return;
+      }
     }
 
     // Check pull request
     let invalidWorkItemsFromPR = [];
     if (checkPullRequest) {
-      invalidWorkItemsFromPR = await checkPullRequestForWorkItems(
+      const prResult = await checkPullRequestForWorkItems(
         octokit,
         context,
         pullNumber,
@@ -126,6 +131,13 @@ export async function run() {
         addWorkItemTable,
         pullRequestCheckScope
       );
+
+      // If auth error was detected, stop processing - setFailed was already called
+      if (prResult && prResult.authError) {
+        return;
+      }
+
+      invalidWorkItemsFromPR = Array.isArray(prResult) ? prResult : [];
     }
 
     // Combine all invalid work items and create ONE comment
@@ -356,9 +368,15 @@ async function checkCommitsForWorkItems(
 
     for (const match of uniqueWorkItems) {
       const workItemId = match.substring(3); // Remove "AB#" prefix
-      const exists = await validateWorkItemExists(azureDevopsOrganization, azureDevopsToken, workItemId);
+      const result = await validateWorkItemExists(azureDevopsOrganization, azureDevopsToken, workItemId);
+
+      if (result.authError) {
+        const authMessage = `Azure DevOps authentication failed while validating work items. Your Personal Access Token (PAT) may be expired, revoked, or lack the required scopes. Details: ${result.errorMessage}`;
+        core.setFailed(authMessage);
+        return { workItemToCommitMap, invalidWorkItems: [], hasCommitFailures: false, authError: true };
+      }
 
-      if (!exists) {
+      if (!result.exists) {
         invalidWorkItems.push(workItemId);
       }
     }
@@ -548,9 +566,15 @@ async function checkPullRequestForWorkItems(
             workItemToCommitMap.set(workItemNumber, null); // null indicates it's from PR title/body
           }
 
-          const exists = await validateWorkItemExists(azureDevopsOrganization, azureDevopsToken, workItemNumber);
+          const result = await validateWorkItemExists(azureDevopsOrganization, azureDevopsToken, workItemNumber);
+
+          if (result.authError) {
+            const authMessage = `Azure DevOps authentication failed while validating work items. Your Personal Access Token (PAT) may be expired, revoked, or lack the required scopes. Details: ${result.errorMessage}`;
+            core.setFailed(authMessage);
+            return { authError: true };
+          }
 
-          if (!exists) {
+          if (!result.exists) {
             invalidWorkItems.push(workItemNumber);
           }
         }