Action fails with "HttpError: Resource not accessible by integration" (v1.3)
suniastar opened this issue · 7 comments
When using the GitHub action with this workflow:

```yaml
name: Pull Requests Checks
on:
  pull_request:
    branches: [ "dev" ]
  workflow_dispatch:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.0.2
      - name: Set up Java JDK
        uses: actions/setup-java@v3.5.0
        with:
          java-version: '17'
          distribution: 'zulu'
      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots test
      - name: JaCoCo Report
        uses: Madrapps/jacoco-report@v1.3
        with:
          paths: ${{ github.workspace }}/target/site/jacoco/jacoco.xml
          token: ${{ secrets.GITHUB_TOKEN }}
          min-coverage-overall: 80
```
the workflow fails with:

```text
2022-09-26T05:36:16.4439290Z ##[group]Run Madrapps/jacoco-report@v1.3
2022-09-26T05:36:16.4439589Z with:
2022-09-26T05:36:16.4439928Z   paths: /home/runner/work/ms-address/ms-address/target/site/jacoco/jacoco.xml
2022-09-26T05:36:16.4440634Z   token: ***
2022-09-26T05:36:16.4440901Z   min-coverage-overall: 80
2022-09-26T05:36:16.4441209Z   min-coverage-changed-files: 80
2022-09-26T05:36:16.4441510Z   update-comment: false
2022-09-26T05:36:16.4441774Z   debug-mode: false
2022-09-26T05:36:16.4442007Z env:
2022-09-26T05:36:16.4442307Z   JAVA_HOME: /opt/hostedtoolcache/Java_Zulu_jdk/17.0.4-8/x64
2022-09-26T05:36:16.4442690Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Zulu_jdk/17.0.4-8/x64
2022-09-26T05:36:16.4442984Z ##[endgroup]
2022-09-26T05:36:16.5308197Z Event is pull_request
2022-09-26T05:36:16.5312473Z base sha: 585b6c90a6ee99cf93b39df7651fb8f8441a3699
2022-09-26T05:36:16.5312840Z head sha: 9e4e921341b6f13e4b021cbbb831fc55dab9ff8c
2022-09-26T05:36:17.1332963Z ##[error]HttpError: Resource not accessible by integration
```
However, when using the main branch (`Madrapps/jacoco-report@main`) the workflow completes successfully without a problem.
This does not make sense to me, as the commits since the latest version (v1.3) consist only of README updates.
Does anyone have an idea what could cause this problem?
This problem is related to Dependabot rather than to the action's version.
When this GitHub workflow is run by Dependabot (e.g. when it creates a pull request for a dependency update), the API call that comments on the pull request throws "Resource not accessible by integration" because of a lack of permissions.
Dependabot's GitHub token is limited to read-only by default.
It is possible to change the action's token permissions to the needed read/write permission, but I don't know which permission is required.
Details here:
Ran into this because my workflow had custom permissions defined (and per the docs, any unspecified permissions default to none). I believe `pull-requests: write` is the required permission, as the action wants to add results as a comment to the PR.
@suniastar
I faced the same problem and I figured out what the problem is.
I guess you made the PR from a forked repository.
For that, the origin repository has to allow an option about "Fork pull requests".
Here is the option:
Settings -> Actions -> General -> Fork pull request workflows -> Enable "Send write tokens to workflows from fork pull requests."
After that, the JaCoCo report is shown in the PR comment.
This is about the security of GitHub Actions triggered from a forked repository:
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
I know about that, but I don't have that option in my settings.
Maybe it is only for enterprise/paid customers?
The "complete" list of default permissions for the token is listed here: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
But this list does not include the default permissions for Dependabot.
I have tested all the important access rights on one of my repositories.
I have made PRs by myself, from another user via a forked repository, from another user who was also a collaborator, and by Dependabot on the primary repository.

| PR from            | GITHUB_TOKEN defaults to |
|--------------------|--------------------------|
| myself             | read/write               |
| user (collaborator)| read/write               |
| dependabot         | read                     |
| user (forked repo) | none                     |

When any GitHub workflow is initiated by Dependabot (e.g. when it creates a PR because of a new version), the token's permission will be set to `read` if not specified explicitly.
In my opinion, simply adding:

```yaml
permissions:
  pull-requests: write
```

to the workflow file should be enough (as @cengdall said), but I did not test whether `pull-requests` is the correct scope.
At least in my repository, I needed the `contents: read` permission as well:

```yaml
permissions:
  contents: read
  pull-requests: write
```

Otherwise I got a "Repository not found" error during the checkout action:

```text
remote: Repository not found.
Error: fatal: repository 'https://github.com/<ORG>/<REPO>/' not found
```
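Putting the two findings above together, here is the reporter's workflow with the `permissions` block added. This is an added example for this thread, not code from the issue or from the jacoco-report project; it keeps the same steps and action versions as the original report, and the one assumption is that the block is placed at workflow level rather than on the `test` job (either placement works). Per the table above, a pull request from a fork still receives no write token, so this change covers same-repository and Dependabot PRs.

```yaml
# Added example, not the workflow from the original report.
# Once a `permissions` block is present, every scope that is not listed
# becomes `none`, so checkout needs `contents: read` and the PR comment
# needs `pull-requests: write`. Without the block, a Dependabot-triggered
# run gets a read-only GITHUB_TOKEN and the comment call fails.
name: Pull Requests Checks

on:
  pull_request:
    branches: [ "dev" ]
  workflow_dispatch:

# Workflow-level (assumed placement): applies to every job below.
permissions:
  contents: read        # actions/checkout clones the repository
  pull-requests: write  # jacoco-report posts the coverage comment

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.0.2
      - name: Set up Java JDK
        uses: actions/setup-java@v3.5.0
        with:
          java-version: '17'
          distribution: 'zulu'
      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots test
      - name: JaCoCo Report
        uses: Madrapps/jacoco-report@v1.3
        with:
          paths: ${{ github.workspace }}/target/site/jacoco/jacoco.xml
          token: ${{ secrets.GITHUB_TOKEN }}
          min-coverage-overall: 80
```

Listing only the two scopes the job actually uses is the least-privilege form: the token can clone and comment, but cannot push to `contents`, touch `packages`, or write to `issues`, which it would be able to do with the unrestricted read/write default a collaborator's PR receives.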
Thanks @suniastar for investigating this. I already have a PR #26 to add this permission to the README.md doc. In addition, I will also call this out in a separate Troubleshooting section, linking to this issue for more details.