codeql/upload-sarif@v2 or @main can't integrate on actions #1806

Open
archermask opened this issue Jul 26, 2023 · 7 comments

Comments

@archermask

The error is: Error: codeql/upload-sarif action failed: Resource not accessible by integration
My case is trying to integrate Snyk for SAST on my Go code, and then upload the SARIF file to GitHub to see a summary of any vulnerabilities.

My workflow Actions YAML file:

jobs:
  unit_test:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: '1.20'
        
    - name: Unit test
      continue-on-error: false 
      run: go test ./...
      
    - name: SAST Test
      uses: snyk/actions/golang@master
      continue-on-error: true 
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        command: code test
        args: --sarif-file-output=snyk.sarif
    
    - name: Upload SAST Test Result
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: snyk.sarif

alexet commented Jul 26, 2023

You need to add

    permissions:
      security-events: write

To allow your workflow to upload the sarif.
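A complete job-level version of this fix, written here as an added example rather than a workflow taken from the thread or from the codeql-action project. It keeps the step, action and secret names of the posted workflow and adds the two things a practitioner usually needs alongside security-events: write: a contents: read scope for checkout (once a job declares permissions, every scope it needs must be listed, because the job-level block replaces the defaults) and actions: read, which the codeql-action README lists as required for upload-sarif on private repositories. The trigger block and the category value are assumptions for illustration.

```yaml
name: sast

on:
  push:
    branches: [main]
  pull_request:

jobs:
  unit_test:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the default token scopes for this
    # job, so list every scope the job needs, not only security-events.
    permissions:
      contents: read          # actions/checkout
      security-events: write  # github/codeql-action/upload-sarif
      actions: read           # listed by codeql-action for private repositories
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: '1.20'

      - name: Unit test
        run: go test ./...

      - name: SAST Test
        uses: snyk/actions/golang@master
        # snyk exits non-zero when it finds issues; continue so the SARIF still uploads
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: code test
          args: --sarif-file-output=snyk.sarif

      - name: Upload SAST Test Result
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif
          # assumed value: keeps this upload separate from any CodeQL analysis
          category: snyk-code
```

Two caveats that produce the same "Resource not accessible by integration" message even with this block in place: a pull_request run from a fork receives a read-only GITHUB_TOKEN regardless of the permissions key, and on a private repository code scanning (and therefore SARIF upload) is only available once GitHub Advanced Security is enabled for that repository.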

@archermask

I have added these lines to the unit_test job:

    permissions:
      contents: read
      security-events: write

It still produces the same error.


alexet commented Jul 26, 2023

Would it be possible to rerun the job and check "Enable debug logging" and show the full logs for the upload-sarif step?

@archermask

The logs are:

##[debug]Evaluating condition for step: 'Upload SAST Test Result'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Upload SAST Test Result
##[debug]Loading inputs
##[debug]Evaluating: github.workspace
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'workspace'
##[debug]=> '/home/runner/work/golang-pipeline/golang-pipeline'
##[debug]Result: '/home/runner/work/golang-pipeline/golang-pipeline'
##[debug]Evaluating: github.token
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: toJson(matrix)
##[debug]Evaluating toJson:
##[debug]..Evaluating matrix:
##[debug]..=> null
##[debug]=> 'null'
##[debug]Result: 'null'
##[debug]Loading env
Run github/codeql-action/upload-sarif@v2
  with:
    sarif_file: snyk.sarif
    checkout_path: /home/runner/work/golang-pipeline/golang-pipeline
    token: ***
    matrix: null
    wait-for-processing: true
  env:
    REGISTRY: ghcr.io
    USERNAME: archermask
  
Error: codeql/upload-sarif action failed: Resource not accessible by integration
##[debug]Node Action run completed with exit code 1
##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
##[debug]CODEQL_ACTION_VERSION='2.21.1'
##[debug]Finishing: Upload SAST Test Result

BTW, the env is for packaging and releasing a Docker image later.
I put env at global scope, not job scope, so the unit_test job can read those env vars too.

@SPodjasek

I'm observing the same issue. Permissions for security-events are set on job level.

@aeisenberg

@SPodjasek, can you please open a new issue for this and include the relevant debug logs and your workflow file? (Feel free to redact anything non-public.)


jsoref commented Feb 8, 2024

You're almost certainly facing #2125.

The extra point of #2125 (comment) is beyond the scope of this repository, but if I were you and had the energy, I'd talk to support about the misleading output. (Note: I file lots of tickets including to support -- this is still beyond my energy -- and I already paid the cost to work around the problem.)
