Regression on token permissions #52

Open
ddelange opened this issue Jan 17, 2023 · 7 comments

@ddelange

ddelange commented Jan 17, 2023

Hi 👋

Just tried out your action (thanks 💥) and didn't get it to work (logs):

Error: Resource not accessible by integration

The yaml is pretty straightforward:

  • default token
  • same repo

name: Trigger release-runners.yaml daily

on:
  schedule:
    - cron: "4 2 * * *"
  workflow_dispatch:

jobs:
  trigger-build:
    runs-on: ubuntu-latest
    steps:
      - name: Invoke workflow
        uses: benc-uk/[email protected]
        with:
          workflow: release-runners.yaml
          inputs: '{"push_to_registries": true}'

Maybe something changed on gh side?

@jamiezieziula

FYI - I'm seeing the same behavior when trying to trigger a workflow within a single repository without passing a github token.

@jamiezieziula

Actually, I was able to get this working by providing the following permissions to my action:

---
name: workflow

on:
  push:
    branches:
      - main

permissions: {}

jobs:
  job:
    permissions:
      actions: write

.... abbreviated 

      - uses: benc-uk/[email protected]
        with:
          ref: main
          workflow: workflowyaml
          token:  ${{ secrets.github_token }}

@ddelange
Author

thanks @jamiezieziula, can confirm your fix:

name: Trigger release-runners.yaml daily

on:
  schedule:
    - cron: "4 2 * * *"
  workflow_dispatch:

jobs:
  trigger-build:
+   permissions:
+     actions: write
    runs-on: ubuntu-latest
    steps:
      - name: Invoke workflow
        uses: benc-uk/[email protected]
        with:
          workflow: release-runners.yaml
-         inputs: '{"push_to_registries": true}' # ERROR: For 'additionalProperties', true is not a string.
+         inputs: '{"push_to_registries": "true"}'
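
Review bot: the job-level `permissions:` block added to `trigger-build` lists only `actions: write`, so every other token scope for this job drops to none. That is right for a job whose single step is the dispatch, but a one-line comment above `actions: write` saying the dispatch call needs it would stop someone later deleting it or widening it to workflow level. On the changed `inputs` line, `push_to_registries` is now the string "true"; check that release-runners.yaml treats the input as a string (or declares it as a boolean input), since a plain truthiness test on a non-empty string would also pass for "false".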

error ref https://github.com/ddelange/actions-runner-controller-releases/actions/runs/4224549792/jobs/7335647715#step:2:12

@ddelange
Author

@benc-uk does this warrant an update of the README?

@ReenigneArcher

ReenigneArcher commented Mar 30, 2023

I'm seeing the same behavior, only on pull_request event from forks. Works fine on pull_request from a member, and push.

I will try adding the permissions section and report back.

Update: Now working for dependabot PRs!
Update 2: NOT working for fork PRs... not sure why it works for dependabot but not fork PRs.

@dersimn

dersimn commented Sep 8, 2023

In your Repo go to: Settings > Actions > General
and change these options:

image

@ReenigneArcher

@dersimn thanks for the suggestion, but I already have that enabled for every repository in our org.

image

And actually to update my last comment.

It only works for org admins, and dependabot. It does not work for other members (who have write permission) on a repo.
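
An added example, not part of the thread and not the action's own code: a small Python model of how the `GITHUB_TOKEN` access for the `actions` scope is resolved from the repository default, the workflow-level block and the job-level block, plus the string coercion the dispatch `inputs` need. All function and constant names are hypothetical, and the rules are a simplification of GitHub's documented behaviour (the fork cap assumes a `pull_request` run from a fork of a public repository).

```python
import json

# Repository/organization default applied when a workflow has no `permissions`
# key at all (Settings > Actions > General > Workflow permissions).
PERMISSIVE, RESTRICTED = "permissive", "restricted"
RESTRICTED_DEFAULT = {"contents": "read", "packages": "read"}
LEVELS = {"none": 0, "read": 1, "write": 2}


def effective_access(scope, workflow_perms=None, job_perms=None,
                     repo_default=RESTRICTED, from_fork=False):
    """Return 'none', 'read' or 'write' for `scope` on the job's GITHUB_TOKEN."""
    # A job-level `permissions` block replaces the workflow-level one entirely.
    block = job_perms if job_perms is not None else workflow_perms
    if block is None:
        # Simplification: the permissive default is treated as write everywhere.
        level = "write" if repo_default == PERMISSIVE else RESTRICTED_DEFAULT.get(scope, "none")
    elif block in ("read-all", "write-all"):
        level = block.split("-")[0]
    else:
        # Any scope missing from an explicit block (including `{}`) is 'none'.
        level = block.get(scope, "none")
    # Assumption: fork pull_request runs are capped at read access.
    if from_fork and LEVELS[level] > LEVELS["read"]:
        level = "read"
    return level


def can_dispatch(**kwargs):
    """Triggering workflow_dispatch with the token needs `actions: write`."""
    return effective_access("actions", **kwargs) == "write"


def normalize_inputs(raw_json):
    """Return the dispatch inputs with every value converted to a string."""
    out = {}
    for key, value in json.loads(raw_json).items():
        if isinstance(value, str):
            out[key] = value
        elif isinstance(value, (bool, int, float)):
            out[key] = json.dumps(value)  # True -> "true", 3 -> "3"
        else:
            raise ValueError(f"input {key!r} must be a scalar, got {type(value).__name__}")
    return out
```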
