[FEAT]: Requests returning HTTP 410 Gone should not be retried

[camchenry]

Describe the need

As part of the Projects (classic) sunset, these REST APIs are returning HTTP 410 to indicate that the APIs are no longer available.

According to the spec for the 410 status code, this is mechanically very similar to HTTP 404 and the recommendation is to even cache the request:

The 410 (Gone) status code indicates that access to the target resource is no longer available at the origin server and that this condition is likely to be permanent. If the origin server does not know, or has no facility to determine, whether or not the condition is permanent, the status code 404 (Not Found) ought to be used instead.
[...]
A 410 response is heuristically cacheable; i.e., unless otherwise indicated by the method definition or explicit cache controls (see Section 4.2.2 of [CACHING]).

https://www.rfc-editor.org/rfc/rfc9110.html#name-410-gone

Based on this information, I believe that requests which return a 410 status code should not be retried, as the server has indicated future requests will also return a 410 temporarily or permanently. This saves on unnecessary network requests, which helps ensure that clients are better able to stay under the API rate limits.

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

[wolfy1339]

Thanks for pointing this out, it's a simple one-line fix for this.

A PR for this is welcome!

However please do note that we are currently unable to release any new versions of Octokit packages because GitHub recently clamped down on security and enabled 2FA on our bot token that is used for publishing NPM releases from GitHub actions.

[camchenry]

@wolfy1339 Thanks! I've opened a PR to resolve this issue: #621

However please do note that we are currently unable to release any new versions of Octokit packages because GitHub recently clamped down on security and enabled 2FA on our bot token that is used for publishing NPM releases from GitHub actions.

Is this something you're actively working on right now? No rush for this feature, but I think it would be a good one to include eventually. Let me know if there's anything I can do to help.

[wolfy1339]

It's out of my hands, I am only a community maintainer and not a GitHub employee. I did raise this issue with a GitHub employee who is on the Octokit team, and they said they would look into it.
I don't have any contacts at GitHub myself to resolve this.

It especially sucks because we sign our releases using provenance, and that can only be done from CI

🤷‍♂ Here we are...

[camchenry]

@wolfy1339 Do you have all the details on what the exact problem is? Is there an issue that you could point me to? (And if not, would you mind creating one?) I work at GitHub and I would like to help you escalate this. Thank you for helping to maintain Octokit, and apologies for any inconvenience here 🙇

[wolfy1339]

I created octokit/octokit.js#2829 to track this

[github-actions]

🎉 This issue has been resolved in version 7.2.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀