`--project` does not work when using organization token

[dkarter]

CLI Version

v3.0.0

Operating System and Architecture

• macOS (arm64)
• macOS (x86_64)
• Linux (i686)
• Linux (x86_64)
• Linux (armv7)
• Linux (aarch64)
• Windows (i686)
• Windows (x86_64)

Operating System Version

macOS/ubuntu

Link to reproduction repository

No response

CLI Command

npx -y -- @sentry/cli releases list --show-projects --project=

Exact Reproduction Steps

1. Run npx -y -- @sentry/cli login
2. Run npx -y -- @sentry/cli releases list --show-projects --project=<PROJECT SLUG>
3. Collect the result

---

1. Export an organization token which you can get from here https://<ORG_SLUG>.sentry.io/settings/auth-tokens/

export SENTRY_AUTH_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

2. Run the command: npx -y -- @sentry/cli releases list --show-projects --project=<PROJECT SLUG>

3. Collect the result

Expected Results

Results should be the same because the project is scoped in the arguments

Actual Results

The org token with org:ci only permissions, is showing ALL projects.

Since we use this in CI to tag commits in a sentry release it breaks our workflows due to this unexpected result (different projects use different versioning schemes).

Actually, i'm seeing the same issue when curling the API directly with a project_id - it just ignores that parameter.

curl -H 'Authorization: Bearer xxxxxx' 'https://sentry.io/api/0/organizations/<ORG_SLUG>/releases/?project_id=1234567&status=open'

Logs

I can't share these due to the amount of sensitive info. But a simple check against your API will show this as mentioned above.

[linear]

CLI-253

[szokeasaurusrex]

Hi @dkarter, thank you for reporting this issue. Will try to investigate this problem this week.

This issue appears related to getsentry/sentry#105038. Like that issue, I believe this issue is probably a bug in our backend, not the CLI, but the issue only arose in version 3.0.0 of the CLI since we switched the endpoints we call for releases with this new release.

As a workaround, you can downgrade Sentry CLI version 2.58.4. This CLI version calls a different endpoint which should have the expected behavior.

[szokeasaurusrex]

On further review, this appears to be a CLI bug. It is an unintended side-effect of #2991, which switched the APIs for release-related functionality over to newer organization-based endpoints.

The problem is that the organization-based endpoint does not support filtering by project when listing releases. As a temporary solution, we will partially revert #2991, specifically the code related to releases list. Probably a better long term solution would be to allow project filtering via the organization releases endpoint, then we could also allow filtering releases that are associated with one of several projects (currently, we can only filter to a single project via the project releases endpoint)