dessant/repo-lockdown

Error: HttpError: Resource not accessible by integration

Closed this issue · 5 comments

I have included repo-lockdown in my project. My goal is to automatically close all the PRs with a message. I tested this exact same file in a private repo to check that it was working as expected and it worked. Now, in a real repository, when I go to Actions in GitHub, it shows:

Run dessant/repo-lockdown@v2
  with:
    github-token: ***
    skip-closed-issue-comment: false
    close-issue: false
    lock-issue: true
    pr-comment: cpufetch does not accept pull requests, see [the contributing guidelines](https://github.com/Dr-Noob/cpufetch/blob/master/CONTRIBUTING.md) for details
    skip-closed-pr-comment: false
    close-pr: true
    lock-pr: false
    process-only: prs
Error: HttpError: Resource not accessible by integration

What is happening?

Thanks for the bug report! I've also tested with my own pull requests only during development, but that breaks down during normal use, because the pull requests you want to avoid are created by untrusted users, so workflows triggered by the pull_request event will get read-only tokens from GitHub.

The fix is to replace the pull_request event with pull_request_target in your workflow file, so that the workflow run can get write access to pull requests. Using this event is safe with the standalone example workflows from the README, but should not be combined with other actions that check out the pull request code or otherwise touch the changes.

https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target

Recent changes on GitHub regarding workflow run approvals may also complicate things, but I'm not sure if that also applies to workflows triggered by the pull_request_target event.

https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks
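
The combination warned against above (pull_request_target together with a step that checks out the pull request code) can be checked for mechanically. This is an added example, not part of the thread or of repo-lockdown: the function name and both sample workflows are constructed for illustration, and the scan is text-based rather than a full YAML parse.

```python
import re

# Expressions that resolve to the pull request's code, not the base branch.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref|refs/pull/")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
COMMENT = re.compile(r"(?m)(?:^|[ \t])#.*$")

def audit_workflow(text):
    """Return findings for one workflow file's text; an empty list means none."""
    text = COMMENT.sub("", text)
    if not re.search(r"\bpull_request_target\b", text):
        return []  # not the write-token event this thread is about
    findings = []
    # Split on list items so a step's `with:` block stays with its `uses:`.
    for step in re.split(r"(?m)^[ \t]*-[ \t]+", text):
        if CHECKOUT.search(step) and UNTRUSTED_REF.search(step):
            findings.append("pull_request_target workflow checks out pull request code")
    return findings

# Constructed sample: standalone lockdown workflow, inputs as shown in the log above.
STANDALONE = """\
on:
  pull_request_target:
    types: opened
jobs:
  lockdown:
    runs-on: ubuntu-latest
    steps:
      - uses: dessant/repo-lockdown@v2
        with:
          github-token: ${{ github.token }}
          close-pr: true
          process-only: prs
"""

# Constructed sample: same event, plus a checkout of the pull request head.
COMBINED = STANDALONE + """\
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

if __name__ == "__main__":
    for name, wf in (("standalone", STANDALONE), ("combined", COMBINED)):
        print(name, audit_workflow(wf) or "ok")
```

A checkout step without a `ref` is not flagged, because under pull_request_target it checks out the base branch rather than the pull request's changes.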

Thanks for the quick response! I have updated the target in my repository. I already saw the new GitHub thing about approving workflow runs from public forks, and I have to admit that I was pretty confused. There's an easy way to check if pull_request_target works with this feature, though: open a dummy pull request in my repository and let's see what happens.

PS: Maybe this pull_request vs pull_request_target issue should be detailed in the README (maybe it is, but I just didn't see it?)

Yes, I've left the issue open because I plan to make some changes to the documentation. It seems to work now 😋: Dr-Noob/cpufetch#105

Great! Yeah, it worked. For the record, I didn't need to explicitly allow the workflow to run; it did it automatically. Thanks for the help!

Fixed in 20caf22. I couldn't trigger workflow approvals either with this event.