marocchino/sticky-pull-request-comment

Resource not accessible by integration

daniel-bogart opened this issue · 11 comments

I've tried omitting the GITHUB_TOKEN, I've tried creating a custom personal access token with every possible permission, yet I'm still getting this error: Resource not accessible by integration

What could possibly be the issue?

name: Write deploy comment
on:
  pull_request_target:
    types: [ opened, reopened ]
    branches-ignore:
        - 'production'

jobs:
  trigger:
    name: Write comment with url
    runs-on: ubuntu-latest
    steps:
      - name: Set dev folder
        run: |
          echo "::set-output name=DEV_FOLDER::$(echo ${GITHUB_HEAD_REF} | sed 's|/|-|')"
        id: <organization>

      - name: Write comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          GITHUB_TOKEN: <my token with 100% permissions>
          message: |
            <a href="<my dev build url>">Link live dev site for this PR</a>

I've never tried it myself, but I think it probably won't work with pull_request_target. The reason is that it's difficult to meet the condition where the person executing it has access to the PAT (Personal Access Token).
If you want someone without permissions to execute it, I recommend having the output generated in the pull_request and writing the message part in the main branch.

This is my current setup:

https://github.com/marocchino/sticky-pull-request-comment/blob/main/.github/workflows/

I think you might need to change ./ to marocchino/sticky-pull-request-comment@v2.


This is happening to me in a repository created by me (in an organization also created by me).

This is the workflow:

name: PR Checker
on: pull_request

jobs:
  tests:
    runs-on: ubuntu-latest
    name: Run Tests
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 18
      - name: Run tests and report coverage
        uses: ArtiomTr/jest-coverage-report-action@v2
        id: coverage
        with:
          output: report-markdown
          test-script: npm run test:coverage
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          message: ${{ steps.coverage.outputs.report }}

Help!

You can try setting permissions in the job:

permissions:
  pull-requests: write

I tested it this morning, and pull_request_target runs based on the main branch. If you're currently checking with a pull request and haven't merged it yet, try merging it and then check again.

Thanks @marocchino!
I also had to add contents: read because the checkout action was throwing repository not found error 🤔.
Anyway, your tip took me somewhere 🙏
Thanks again!

Is this a new requirement from Github?
I have other workflows in another organization with the previous configuration and they work fine.
Maybe there is something tweaked in Github settings (?)

Indeed, it seems to be a relatively recent development, as far as I understand. 😄 Please find the relevant resources below:


Hey @marocchino, I have the same issue: I can't get it to work from a forked pull request. Do you have any idea how to make it work?

The code is here:

https://github.com/phantasma-io/TOMB/blob/dev/.github/workflows/dotnet-core.yml

If it's an internal PR for example from dev to Master it will work but since it's a PR from a forked repo it won't work.

Any ideas ?


I created this to use for internal repos and have never used it in a fork, so my answer may not be accurate. but...

  1. try replacing pull_request with pull_request_target.
  2. this part should already be applied to master, not pr.

This response was from Github support:

"When workflows are triggered from pull requests(with the pull_request trigger) from forks, the GITHUB_TOKEN is read-only and all other secrets are not available to the workflow run:

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories

This means that if you try to perform any write operations, such as creating comments on the pull request using the GITHUB_TOKEN or any other secrets, the operation will fail.

GitHub does provide the pull_request_target trigger that can be used to handle such scenarios. This, however, runs against the code on the pull request base, rather than the merge commit. While you can combine this trigger with an explicit checkout of the pull request branch code, GitHub discourages such setups as detailed below:

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

The article above provides details on how to use the pull_request in combination with the workflow_run trigger to implement the desired outcome."

Thank you Github PAUL!

This will fix the issue: you can run a second workflow that depends on whether the PR run completed, passing the result between them with upload-artifact and download-artifact.
https://github.com/actions/upload-artifact
https://github.com/actions/download-artifact
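Putting the two threads of this issue together (the job-level `permissions:` block suggested above and the pull_request + workflow_run split that GitHub support and the Security Lab article describe), here is an added example of that pattern; it is not this project's own workflow. The two YAML documents are two workflow files; the coverage script path, the artifact name and the `coverage` header are assumptions.

```yaml
# .github/workflows/pr-tests.yml: unprivileged side, runs the fork's code with a read-only GITHUB_TOKEN and no secrets
name: PR tests
on: pull_request
permissions:
  contents: read
jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/coverage-report.sh > report.md   # hypothetical script, stands in for the coverage step
      # Save the PR number; the privileged workflow only receives an artifact, not the PR payload
      - run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-report
          path: |
            report.md
            pr-number.txt
---
# .github/workflows/pr-comment.yml: privileged side, runs from the default branch; it never checks out or executes PR code
name: PR comment
on:
  workflow_run:
    workflows: ["PR tests"]
    types: [completed]
permissions:
  pull-requests: write   # the only write scope this job needs
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Everything in the artifact was written by untrusted PR code: treat it as data, never execute it
      - id: report
        run: |
          n="$(tr -d '[:space:]' < pr-number.txt)"
          [[ "$n" =~ ^[0-9]+$ ]] || { echo "bad PR number in artifact"; exit 1; }
          echo "number=$n" >> "$GITHUB_OUTPUT"
          { echo "body<<EOF"; cat report.md; echo "EOF"; } >> "$GITHUB_OUTPUT"
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: coverage
          number: ${{ steps.report.outputs.number }}
          message: ${{ steps.report.outputs.body }}
```

The comment step needs no PAT: because the second workflow runs from the default branch, its GITHUB_TOKEN can be granted `pull-requests: write` even when the triggering PR came from a fork.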


It seems I am also affected by this.

I originally added coverage reports and tested this action against my own repo antoniovazquezblanco/sigutils#3 and it was all fine but when I merged into the original repo it failed... See BatchDrake/sigutils#65

It happens to me too when I'm integrating the example in the Outputs part of semantic-pull-request.

Run marocchino/sticky-pull-request-comment@v2
  with:
    header: pr-title-lint-error
    message: Hey there and thank you for opening this pull request! 👋🏼
  
  We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
  
  Details:
  
  No release type found in pull request title "This is a test, delete branch". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/
  
  Available types:
   - feat: A new feature
   - fix: A bug fix
   - docs: Documentation only changes
   - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
   - refactor: A code change that neither fixes a bug nor adds a feature
   - perf: A code change that improves performance
   - test: Adding missing tests or correcting existing tests
   - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
   - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
   - chore: Other changes that don't modify src or test files
   - revert: Reverts a previous commit
  
    append: false
    recreate: false
    delete: false
    only_create: false
    only_update: false
    hide_details: false
    hide: false
    hide_and_recreate: false
    hide_classify: OUTDATED
    ignore_empty: false
    follow_symbolic_links: false
    GITHUB_TOKEN: ***
Error: Resource not accessible by integration

@antoniovazquezblanco @JustJerem you need to use PAT (personal access token) and pass it via GITHUB_TOKEN in the inputs. I'd recommend fine grained tokens (beta): https://github.com/settings/tokens?type=beta

Make sure the token can only be used to create comments on PRs. Otherwise it could be abused by an evil pull request. You will need to approve any PRs from external contributors.
