(Writing this up as both a question and an answer, because I couldn’t find anything useful on Google when debugging this problem and want to fix the “zero google hits” problem for the next person.)
I am working for a client who uses Terraform and Concourse to manage Github team membership (and thus repo access, amongst other things).
We started seeing curious errors (at the same time as some other changes, which made debugging more awkward), which appeared in the output as:
Error: PUT https://api.github.com/organizations/000000/team/000000/memberships/XXXXXX: 422 Validation Failed [{Resource:TeamMember Field:user Code:invalid Message:Inviter has insufficient permissions}]
Where 000000 indicates the org and team IDs and XXXXXX indicates a user’s username; see Add or update team membership for a user in the Octokit docs. (The docs note that a numeric team_id, as we have used, is acceptable instead of an alphanumeric team_slug.)
I assume this is actually a JSON response of:
{
"Resource": "TeamMember",
"Field": "user",
"Code": "invalid",
"Message": "Inviter has insufficient permissions"
}
In all cases, the robot user and its personal access token, used by Concourse to make these API calls, definitely does have permissions to add users to the team in question (and has successfully added other users in the same run). But nowhere can I find anything useful about what “Inviter has insufficient permissions” actually means.
After looking at who the users were and checking with the team they work for, these users had left the project and been removed from the organisation, but we had been overlooked in their offboarding.
Presumably the “insufficient permissions” in question were to re-add them to the Github org (which we don’t want to do).
So the 2 ways to resolve this issue are:
The latter is what we needed, and has turned our pipeline green again.