Resource not accessible by integration #930
This is happening to me in a repository created by me (in an organization also created by me). This is the workflow:

```yaml
name: PR Checker
on: pull_request
jobs:
  tests:
    runs-on: ubuntu-latest
    name: Run Tests
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 18
      - name: Run tests and report coverage
        uses: ArtiomTr/jest-coverage-report-action@v2
        id: coverage
        with:
          output: report-markdown
          test-script: npm run test:coverage
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          message: ${{ steps.coverage.outputs.report }}
```

Help! |
You can try the permission setting in the job. sticky-pull-request-comment/.github/workflows/test.yml Lines 11 to 12 in b3a1b92
I tested it this morning, and pull_request_target runs based on the main branch. If you're currently checking with a pull request and haven't merged it yet, try merging it and then check again. |
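The job-level permission fix referred to above, applied to the workflow from the opening comment. This is an added example, not code from this thread or from the action's own repository: the `permissions` block is the addition, the step versions and the jest action's `report` output are taken from the poster's workflow, and `contents: read` is my assumption of what the checkout step needs.

```yaml
name: PR Checker
on: pull_request

jobs:
  tests:
    runs-on: ubuntu-latest
    name: Run Tests
    # The default GITHUB_TOKEN can be read-only: by repository setting, and
    # always for pull requests opened by dependabot. Grant the job only what
    # its steps need: checkout reads the repository contents, the sticky
    # comment step writes to the pull request. Nothing else is granted.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 18
      - name: Run tests and report coverage
        uses: ArtiomTr/jest-coverage-report-action@v2
        id: coverage
        with:
          output: report-markdown
          test-script: npm run test:coverage
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          message: ${{ steps.coverage.outputs.report }}
```

This resolves the error for pull requests from branches of the same repository, including dependabot's. It does not help a `pull_request` run triggered from a fork: there the token is read-only no matter what `permissions` requests, which is the case the rest of this thread is about.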
Thanks @marocchino! Is this a new requirement from GitHub? |
Indeed, it seems to be a relatively recent development, as far as I understand. 😄 Please find the relevant resources below:
|
Hey @marocchino, I have the same issue; I can't get it to work from a forked pull request. Do you have any idea how to make it work? The code is here: https://github.com/phantasma-io/TOMB/blob/dev/.github/workflows/dotnet-core.yml If it's an internal PR, for example from dev to master, it will work, but since it's a PR from a forked repo it won't work. Any ideas?
|
I created this to use for internal repos and have never used it in a fork, so my answer may not be accurate. but...
|
This response was from GitHub support: "When workflows are triggered from pull requests (with the pull_request trigger) from forks, the GITHUB_TOKEN is read-only and all other secrets are not available to the workflow run. This means that if you try to perform any write operations, such as creating comments on the pull request using the GITHUB_TOKEN or any other secrets, the operation will fail. GitHub does provide the pull_request_target trigger that can be used to handle such scenarios. This, however, runs against the code on the pull request base, rather than the merge commit. While you can combine this trigger with an explicit checkout of the pull request branch code, GitHub discourages such setups as detailed below: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ The article above provides details on how to use the pull_request in combination with the workflow_run trigger to implement the desired outcome." Thank you, GitHub (Paul)! This will fix the issue: you can run a workflow depending on the result of the PR workflow, whether it completed or not, which will solve the issue using upload-artifact and download-artifact.
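The split described in that support answer, written out as two workflow files. This is an added example, not code from this thread or from the action's repository; the file names, the artifact name `pr-report`, the workflow names and the use of `actions/upload-artifact@v4` / `actions/download-artifact@v4` are my choices, and the test steps are copied from the opening comment's workflow. The first file runs the untrusted PR code with a read-only token and only produces an artifact; the second runs from the default branch with a write token, never checks out PR code, and posts the comment.

```yaml
# .github/workflows/pr-tests.yml  (untrusted side: runs PR code, read-only token)
name: PR tests
on: pull_request

permissions:
  contents: read

jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 18
      - name: Run tests and report coverage
        uses: ArtiomTr/jest-coverage-report-action@v2
        id: coverage
        with:
          output: report-markdown
          test-script: npm run test:coverage
      # Hand the result to the trusted workflow through an artifact. The PR
      # number travels with it so the second workflow knows where to comment.
      - name: Save report for the comment workflow
        env:
          PR_NUMBER: ${{ github.event.number }}
          REPORT: ${{ steps.coverage.outputs.report }}
        run: |
          mkdir -p pr-report
          printf '%s' "$PR_NUMBER" > pr-report/number
          printf '%s' "$REPORT" > pr-report/report.md
      - uses: actions/upload-artifact@v4
        with:
          name: pr-report
          path: pr-report/
---
# .github/workflows/pr-comment.yml  (trusted side: write token, no checkout of
# PR code). Runs from the default branch once "PR tests" has finished.
name: Comment coverage on PR
on:
  workflow_run:
    workflows: ["PR tests"]
    types: [completed]

permissions:
  pull-requests: write
  actions: read          # required to download another run's artifact

jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-report
          path: pr-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Everything in the artifact was written by untrusted code: validate the
      # PR number before it reaches any API call, and never execute the files.
      - name: Read the PR number from the artifact
        id: meta
        run: |
          n=$(cat pr-report/number)
          case "$n" in
            ''|*[!0-9]*) echo "artifact carries an invalid PR number"; exit 1 ;;
          esac
          echo "number=$n" >> "$GITHUB_OUTPUT"
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          number: ${{ steps.meta.outputs.number }}
          path: pr-report/report.md
```

The digit-only check stops shell or API injection through the number file, but a PR can still write some other open PR's number into it; `report.md` is rendered as markdown only, never run, so the worst outcome is a misplaced comment. Also note `workflows: ["PR tests"]` must match the first file's `name:` exactly, and that the second workflow only triggers from its copy on the default branch, so it has to be merged before it can be exercised.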
|
It seems I am also affected by this. I originally added coverage reports and tested this action against my own repo antoniovazquezblanco/sigutils#3 and it was all fine but when I merged into the original repo it failed... See BatchDrake/sigutils#65 |
It happens to me too when I'm integrating the example in the
|
@antoniovazquezblanco @JustJerem you need to use a PAT (personal access token) and pass it via Make sure the token can only be used to create comments on PRs. Otherwise it could be abused by an evil pull request. You will need to approve any PRs from external contributors.
|
The PR checklist workflow seems to fail when dependabot creates a PR. According to dependabot's documentation (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#changing-github_token-permissions), dependabot defaults to read-only permissions, so I'm configuring the workflow config to also add write permissions. I'm not sure how to test this except wait until next week when dependabot is triggered again, but I think this is low risk and it seems to be what others have tried (marocchino/sticky-pull-request-comment#930) and succeeded.
…rce not accessible by integration' error (https://github.com/DataDog/datadog-agent/actions/runs/10492386442/job/29064358947?pr=27573), see discussion here https://github.com/marocchino/sticky-pull-request-comment/issues/930#issuecomment-1483687007
## Motivation

Fix PR checklist on comment

## Implementation information

To be able to leave a comment on a pull request we need `pull_request: write` permissions. Unfortunately GitHub won't allow this level of permissions on PRs coming from forks. The way to get the permissions is to use `pull_request_target` as a triggering event. However, there are a lot of possible attack vectors when checking out code when using this event. Therefore we inline commitlint.config.js inside the action to not have to checkout any code and be able to run this action safely.

## Supporting documentation

xrel: #11654 #11666
supersedes: #11674

- Why we remove the checkout: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
- Why we need `pull_request_target`: marocchino/sticky-pull-request-comment#930

part of: Kong/team-mesh#302

---------

Signed-off-by: Charly Molter <[email protected]>
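A `pull_request_target` workflow built on the same principle as the Kuma change above and marocchino's earlier advice about keeping the token narrow: it never checks out or executes PR code, reads only the PR title from the event payload, and posts the verdict as a sticky comment. This is an added example, not the Kuma project's action or code from this thread; the title regex, step names, `header` value and the `ok`/`result` outputs are my choices.

```yaml
name: PR title check
on:
  pull_request_target:
    types: [opened, edited, synchronize]

# pull_request_target runs the workflow file from the base branch with a
# write-capable token, also for fork PRs. Grant only what the comment needs.
permissions:
  pull-requests: write

jobs:
  title:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: nothing from the PR head is fetched
      # or run. The title is passed through env rather than interpolated into
      # the script with ${{ }}, so a crafted title cannot inject shell.
      - name: Check title follows "type(scope): subject"
        id: check
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          if printf '%s\n' "$PR_TITLE" | grep -Eq '^(feat|fix|docs|chore|refactor|test|ci)(\([a-z0-9-]+\))?!?: .+'; then
            echo "ok=true" >> "$GITHUB_OUTPUT"
            echo 'result=:white_check_mark: PR title follows the conventional commit format.' >> "$GITHUB_OUTPUT"
          else
            echo "ok=false" >> "$GITHUB_OUTPUT"
            echo 'result=:x: PR title must look like `type(scope): subject`, e.g. `fix(api): handle empty body`.' >> "$GITHUB_OUTPUT"
          fi
      # header keeps one comment per check that is updated in place on re-runs.
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: pr-title-check
          message: ${{ steps.check.outputs.result }}
      - name: Fail the job when the title is invalid
        if: steps.check.outputs.ok != 'true'
        run: exit 1
```

Because the base-branch copy of the workflow is what runs, a PR cannot weaken the check by editing this file, which is the behaviour marocchino observed with `pull_request_target` earlier in the thread. If a token other than the job's own must be used, the action's `GITHUB_TOKEN` input is where it goes; scope it to `pull-requests: write` on this repository and nothing more, for the reason given above.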
I've tried omitting the GITHUB_TOKEN, I've tried creating a custom personal access token with every possible permission, yet I'm still getting this error: `Resource not accessible by integration`
What could possibly be the issue?