Handle Octokit::Forbidden in GitHub solution syncer (#8470, #8472) (#8479)

When a GitHub App installation loses write permissions to a user's
repository, the API returns 403 Forbidden. This was unhandled, causing
exceptions to bubble up to Sentry. Now treated as a noop since the
permission issue is permanent and retrying won't help.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: iHiD

app/commands/user/github_solution_syncer/create_pull_request.rb

@@ -23,8 +23,9 @@ def call
         pr_title,
         pr_message
       )
-    rescue Octokit::NotFound
-      # Repo may have been deleted or renamed — nothing to sync to
+    rescue Octokit::NotFound, Octokit::Forbidden
+      # Repo may have been deleted/renamed, or the integration
+      # no longer has permission — nothing to sync to
       nil
     end
 

app/commands/user/github_solution_syncer/sync_everything.rb

@@ -17,6 +17,8 @@ def call
       end
     rescue GithubApp::InstallationNotFoundError
       # noop - installation may have been removed or GitHub may be having issues
+    rescue Octokit::Forbidden
+      # noop - the integration no longer has permission to access the repo
     rescue Octokit::ServerError
       requeue_job!(30.seconds)
     end

app/commands/user/github_solution_syncer/sync_iteration.rb

@@ -20,6 +20,8 @@ def call
       end
     rescue GithubApp::InstallationNotFoundError
       # noop - installation may have been removed or GitHub may be having issues
+    rescue Octokit::Forbidden
+      # noop - the integration no longer has permission to access the repo
     rescue Octokit::ServerError
       requeue_job!(30.seconds)
     end

app/commands/user/github_solution_syncer/sync_solution.rb

@@ -17,6 +17,8 @@ def call
       end
     rescue GithubApp::InstallationNotFoundError
       # noop - installation may have been removed or GitHub may be having issues
+    rescue Octokit::Forbidden
+      # noop - the integration no longer has permission to access the repo
     rescue Octokit::ServerError
       requeue_job!(30.seconds)
     end

app/commands/user/github_solution_syncer/sync_track.rb

@@ -17,6 +17,8 @@ def call
       end
     rescue GithubApp::InstallationNotFoundError
       # noop - installation may have been removed or GitHub may be having issues
+    rescue Octokit::Forbidden
+      # noop - the integration no longer has permission to access the repo
     rescue Octokit::ServerError
       requeue_job!(30.seconds)
     end

test/commands/user/github_solution_syncer/create_pull_request_test.rb

@@ -53,5 +53,22 @@ class CreatePullRequestTest < ActiveSupport::TestCase
       result = User::GithubSolutionSyncer::CreatePullRequest.(syncer, "title", "body", &block)
       assert_nil result
     end
+
+    test "returns nil when integration lacks permission" do
+      syncer = create :user_github_solution_syncer
+
+      token = "fake-token-#{SecureRandom.uuid}"
+      GithubApp.expects(:generate_installation_token!).with(syncer.installation_id).returns(token)
+
+      client = mock
+      Octokit::Client.expects(:new).with(access_token: token).returns(client).at_least_once
+      client.expects(:repository).with(syncer.repo_full_name).raises(Octokit::Forbidden)
+
+      block = ->(_, _) {}
+      block.expects(:call).never
+
+      result = User::GithubSolutionSyncer::CreatePullRequest.(syncer, "title", "body", &block)
+      assert_nil result
+    end
   end
 end

test/commands/user/github_solution_syncer/sync_everything_test.rb

@@ -12,6 +12,16 @@ class SyncEverythingTest < ActiveSupport::TestCase
       User::GithubSolutionSyncer::SyncEverything.(user)
     end
 
+    test "noops when integration lacks permission" do
+      user = create(:user)
+      create(:user_github_solution_syncer, user:)
+
+      CreatePullRequest.stubs(:call).raises(Octokit::Forbidden)
+
+      # Should not raise
+      User::GithubSolutionSyncer::SyncEverything.(user)
+    end
+
     test "requeues on server error" do
       user = create(:user)
       create(:user_github_solution_syncer, user:)

test/commands/user/github_solution_syncer/sync_iteration_test.rb

@@ -17,6 +17,21 @@ class SyncIterationTest < ActiveSupport::TestCase
       User::GithubSolutionSyncer::SyncIteration.(iteration)
     end
 
+    test "noops when integration lacks permission" do
+      user = create(:user)
+      track = create(:track, slug: "ruby")
+      exercise = create(:practice_exercise, track:, slug: "two-fer")
+      solution = create(:practice_solution, user:, exercise:)
+      submission = create(:submission, solution:)
+      iteration = create(:iteration, user:, solution:, submission:)
+      create(:user_github_solution_syncer, user:)
+
+      CreatePullRequest.stubs(:call).raises(Octokit::Forbidden)
+
+      # Should not raise
+      User::GithubSolutionSyncer::SyncIteration.(iteration)
+    end
+
     test "requeues on server error" do
       user = create(:user)
       track = create(:track, slug: "ruby")

test/commands/user/github_solution_syncer/sync_solution_test.rb

@@ -15,6 +15,19 @@ class SyncSolutionTest < ActiveSupport::TestCase
       User::GithubSolutionSyncer::SyncSolution.(solution)
     end
 
+    test "noops when integration lacks permission" do
+      user = create(:user)
+      track = create(:track, slug: "ruby")
+      exercise = create(:practice_exercise, track:, slug: "two-fer")
+      solution = create(:practice_solution, user:, exercise:)
+      create(:user_github_solution_syncer, user:)
+
+      CreatePullRequest.stubs(:call).raises(Octokit::Forbidden)
+
+      # Should not raise
+      User::GithubSolutionSyncer::SyncSolution.(solution)
+    end
+
     test "requeues on server error" do
       user = create(:user)
       track = create(:track, slug: "ruby")

test/commands/user/github_solution_syncer/sync_track_test.rb

@@ -14,6 +14,18 @@ class SyncTrackTest < ActiveSupport::TestCase
       User::GithubSolutionSyncer::SyncTrack.(user_track)
     end
 
+    test "noops when integration lacks permission" do
+      user = create(:user)
+      track = create(:track, slug: "ruby")
+      user_track = create(:user_track, user:, track:)
+      create(:user_github_solution_syncer, user:)
+
+      CreatePullRequest.stubs(:call).raises(Octokit::Forbidden)
+
+      # Should not raise
+      User::GithubSolutionSyncer::SyncTrack.(user_track)
+    end
+
     test "requeues on server error" do
       user = create(:user)
       track = create(:track, slug: "ruby")