Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"Resource not accessible by integration" (OSOE-407) #72

Closed
domonkosgabor opened this issue Oct 20, 2022 · 7 comments · Fixed by #81
Closed

"Resource not accessible by integration" (OSOE-407) #72

domonkosgabor opened this issue Oct 20, 2022 · 7 comments · Fixed by #81
Assignees
Labels
bug Something isn't working

Comments

@domonkosgabor
Copy link
Member

domonkosgabor commented Oct 20, 2022

We have this PR where the "Resource not accessible by integration" error comes up.

image

Maybe this could be related to the issue listed here: actions/first-interaction#10

Jira issue

@github-actions github-actions bot changed the title "Resource not accessible by integration" "Resource not accessible by integration" (OSOE-407) Oct 20, 2022
@Piedone Piedone added the bug Something isn't working label Oct 20, 2022
@Piedone
Copy link
Member

Piedone commented Oct 23, 2022

Did anybody see this happening more than once?

@Piedone
Copy link
Member

Piedone commented Oct 25, 2022

We'll get back to this once it happens more than once.

@Piedone
Copy link
Member

Piedone commented Oct 26, 2022

So, this happens if you open a PR from a fork. Then, if the workflow was triggered by pull_request (and not pull_request_target) the run won't have write access to the PR, thus it won't be able to comment or label it either. This fails the Test Report step. I'll look into adding a permission check, so the step is not executed if the current run only has read permissions.

pull_request_target could be used but that gives blanket write access to the run, which has its own issues. So, we shouldn't use it.

actions/labeler#12 also has a lot of useful info.

@Piedone
Copy link
Member

Piedone commented Oct 26, 2022

Am stuck on this: https://github.com/orgs/community/discussions/37395 I'll also check out if there's a way to detect if the run is for a fork PR, since that's the same thing for us.

@Piedone
Copy link
Member

Piedone commented Oct 26, 2022

FYI @DAud-IcI OCC will get this once merged.

@dministro
Copy link
Member

In a nutshell:

  • pull_request_target is a bad boy because of its execution context related security risk
  • some actions, where the given action requires an elevated access level (this is the problem with the forked repo and the root cause of "Resource not accessible by integration") are started conditionally if the PR event is not triggered from a forked repo. Finally, eg. the Merge conflict label does not come up in a PR of a forked repo.

Right? Or I’m in the wrong direction.

@Piedone
Copy link
Member

Piedone commented Oct 27, 2022

Yes, except for “Finally, eg. the Merge conflict label not comes up in a PR of a forked repo.” Even if you submit a PR for a branch in a fork, if it becomes conflicted, the notifying comment and label will be added (since that runs in the context of a push to the target branch, not the fork, so it has write permissions, just as PRs opened for branches within the repo). What won’t happen is the removal of the label when the merge conflict is resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
3 participants