Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

- Resource not accessible by integration #930

Open
daniel-bogart opened this issue Mar 22, 2023 · 11 comments
Open

- Resource not accessible by integration #930

daniel-bogart opened this issue Mar 22, 2023 · 11 comments

Comments

@daniel-bogart
Copy link

I've tried omitting the GITHUB_TOKEN, I've tried creating a custom personal access token with every possible permission yet I'm still getting this error: - Resource not accessible by integration

What could possibly be the issue?

name: Write deploy comment
on:
  pull_request_target:
    types: [ opened, reopened ]
    branches-ignore:
        - 'production'

jobs:
  trigger:
    name: Write comment with url
    runs-on: ubuntu-latest
    steps:
      - name: Set dev folder
        run: |
          echo "::set-output name=DEV_FOLDER::$(echo ${GITHUB_HEAD_REF} | sed 's|/|-|')"
        id: <organization>

      - name: Write comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          GITHUB_TOKEN: <my token with 100% permissions>
          message: |
            <a href="<my dev build url>">Link live dev site for this PR</a>
@marocchino

This comment was marked as outdated.

@jgtvares
Copy link

This is happening to me in a repository created by me (in an organization also created by me).

This is the workflow:

name: PR Checker
on: pull_request

jobs:
  tests:
    runs-on: ubuntu-latest
    name: Run Tests
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 18
      - name: Run tests and report coverage
        uses: ArtiomTr/jest-coverage-report-action@v2
        id: coverage
        with:
          output: report-markdown
          test-script: npm run test:coverage
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          message: ${{ steps.coverage.outputs.report }}

Help!

@marocchino
Copy link
Owner

marocchino commented Mar 25, 2023

You can try permission setting in job.

permissions:
pull-requests: write

I tested it this morning, and pull_request_target runs based on the main branch. If you're currently checking with a pull request and haven't merged it yet, try merging it and then check again.

@jgtvares
Copy link

Thanks @marocchino!
I also had to add contents: read because the checkout action was throwing repository not found error 🤔.
Anyway, your tip took me somewhere 🙏
Thanks again!

Is this a new requirement from Github?
I have other workflows in another organization with the previous configuration and they work fine.
Maybe there is something tweaked in Github settings (?)

@marocchino
Copy link
Owner

marocchino commented Mar 28, 2023

Indeed, it seems to be a relatively recent development, as far as I understand. 😄 Please find the relevant resources below:

GitHub Docs
Modify the default permissions granted to GITHUB_TOKEN.

@TeknoPT
Copy link

TeknoPT commented Apr 19, 2023

Hey @marocchino I have the same issue can't get it to work from forked Pull request, do you have any idea how to make it work

The code is here:

https://github.com/phantasma-io/TOMB/blob/dev/.github/workflows/dotnet-core.yml

If it's an internal PR for example from dev to Master it will work but since it's a PR from a forked repo it won't work.

Any ideas ?

GitHub
TOMB smart contract compiler for Phantasma platform - TOMB/dotnet-core.yml at dev · phantasma-io/TOMB

@marocchino
Copy link
Owner

I created this to use for internal repos and have never used it in a fork, so my answer may not be accurate. but...

  1. try replacing pull_request with pull_request_target.
  2. this part should already be applied to master, not pr.

@TeknoPT
Copy link

TeknoPT commented Apr 20, 2023

This response was from Github support:

"When workflows are triggered from pull requests(with the pull_request trigger) from forks, the GITHUB_TOKEN is read-only and all other secrets are not available to the workflow run:

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories

This means that if you try to perform any write operations, such as creating comments on the pull request using the GITHUB_TOKEN or any other secrets, the operation will fail.

GitHub does provide the pull_request_target trigger that can be used to handle such scenarios. This, however, runs against the code on the pull request base, rather than the merge commit. While you can combine this trigger with an explicit checkout of the pull request branch code, GitHub discourages such setups as detailed below:

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

The article above provides details on how to use the pull_request in combination with the workflow_run trigger to implement the desired outcome."

Thank you Github PAUL!

This will fix the issue, you can run a workflow depending on the result on the PR if it's complete or not which will solve the issue using the upload artifacts and download artifacts
https://github.com/actions/upload-artifact
https://github.com/actions/download-artifact

GitHub Docs
You can configure your workflows to run when specific activity on GitHub happens, at a scheduled time, or when an event outside of GitHub occurs.
GitHub Security Lab
In this article, we’ll discuss some common security malpractices for GitHub Actions and workflows, and how to best avoid them. Our examples are based on real-world GitHub workflow implementation vulnerabilities the GitHub Security Lab has reported to maintainers.
GitHub
Contribute to actions/upload-artifact development by creating an account on GitHub.
GitHub
Contribute to actions/download-artifact development by creating an account on GitHub.

@antoniovazquezblanco
Copy link

It seems I am also affected by this.

I originally added coverage reports and tested this action against my own repo antoniovazquezblanco/sigutils#3 and it was all fine but when I merged into the original repo it failed... See BatchDrake/sigutils#65

@JustJerem
Copy link

It happens to me too when I'm integrating the example in the Outputs part of semantic-pull-request.

Run marocchino/sticky-pull-request-comment@v2
  with:
    header: pr-title-lint-error
    message: Hey there and thank you for opening this pull request! 👋🏼
  
  We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
  
  Details:
  
  No release type found in pull request title "This is a test, delete branch". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/
  
  Available types:
   - feat: A new feature
   - fix: A bug fix
   - docs: Documentation only changes
   - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
   - refactor: A code change that neither fixes a bug nor adds a feature
   - perf: A code change that improves performance
   - test: Adding missing tests or correcting existing tests
   - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
   - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
   - chore: Other changes that don't modify src or test files
   - revert: Reverts a previous commit
  
    append: false
    recreate: false
    delete: false
    only_create: false
    only_update: false
    hide_details: false
    hide: false
    hide_and_recreate: false
    hide_classify: OUTDATED
    ignore_empty: false
    follow_symbolic_links: false
    GITHUB_TOKEN: ***
Error: Resource not accessible by integration

@ricardoboss
Copy link

ricardoboss commented Aug 15, 2023

@antoniovazquezblanco @JustJerem you need to use PAT (personal access token) and pass it via GITHUB_TOKEN in the inputs. I'd recommend fine grained tokens (beta): https://github.com/settings/tokens?type=beta

Make sure the token can only be used to create comments on PRs. Otherwise it could be abused by an evil pull request. You will need to approve any PRs from external contributors.

GitHub
GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 330 million projects.

amchiclet added a commit to semgrep/semgrep that referenced this issue Sep 21, 2023
The PR checklist workflow seems to fail when dependabot creates a PR.

According to dependabot's documentation
(https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#changing-github_token-permissions),
dependabot defaults to read-only permissions, so I'm configuring the
workflow config to also add write permissions.

I'm not sure how to test this except wait until next week when dependabot
is triggered again, but I think this is low risk and it seems to be what others
have tried (marocchino/sticky-pull-request-comment#930)
and succeeded.
cretoxyrhina pushed a commit to cretoxyrhina/semgrep that referenced this issue Oct 17, 2023
The PR checklist workflow seems to fail when dependabot creates a PR.

According to dependabot's documentation
(https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#changing-github_token-permissions),
dependabot defaults to read-only permissions, so I'm configuring the
workflow config to also add write permissions.

I'm not sure how to test this except wait until next week when dependabot
is triggered again, but I think this is low risk and it seems to be what others
have tried (marocchino/sticky-pull-request-comment#930)
and succeeded.
lahabana added a commit to kumahq/kuma that referenced this issue Dec 6, 2024
## Motivation

Fix PR checklist on comment

## Implementation information

To be able to leave a comment on a pull request we need `pull_request:
write` permissions. Unfortunately github won't allow this level of
permissions on PRs coming from forks.
The way to get the permissions is to use `pull_request_target` as a
triggering event.
However, there are a lot of possible attack vectors when checking out
code when using this event.
Therefore we inline commitlint.config.js inside the action to not have
to checkout any code and be able to run this action safely.

## Supporting documentation

xrel: #11654
#11666
superseeds: #11674

- Why we remove the checkout:
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
- Why we need `pull_request_target`:
marocchino/sticky-pull-request-comment#930

part of: Kong/team-mesh#302

---------

Signed-off-by: Charly Molter <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants