- Resource not accessible by integration

[daniel-bogart]

I've tried omitting the GITHUB_TOKEN, I've tried creating a custom personal access token with every possible permission yet I'm still getting this error: - Resource not accessible by integration

What could possibly be the issue?

name: Write deploy comment
on:
  pull_request_target:
    types: [ opened, reopened ]
    branches-ignore:
        - 'production'

jobs:
  trigger:
    name: Write comment with url
    runs-on: ubuntu-latest
    steps:
      - name: Set dev folder
        run: |
          echo "::set-output name=DEV_FOLDER::$(echo ${GITHUB_HEAD_REF} | sed 's|/|-|')"
        id: <organization>

      - name: Write comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          GITHUB_TOKEN: <my token with 100% permissions>
          message: |
            <a href="<my dev build url>">Link live dev site for this PR</a>

[jgtvares]

This is happening to me in a repository created by me (in an organization also created by me).

This is the workflow:

name: PR Checker
on: pull_request

jobs:
  tests:
    runs-on: ubuntu-latest
    name: Run Tests
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 18
      - name: Run tests and report coverage
        uses: ArtiomTr/jest-coverage-report-action@v2
        id: coverage
        with:
          output: report-markdown
          test-script: npm run test:coverage
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          message: ${{ steps.coverage.outputs.report }}

Help!

[marocchino]

You can try permission setting in job.

sticky-pull-request-comment/.github/workflows/test.yml

Lines 11 to 12 in b3a1b92

	permissions:
	pull-requests: write

I tested it this morning, and pull_request_target runs based on the main branch. If you're currently checking with a pull request and haven't merged it yet, try merging it and then check again.

[jgtvares]

Thanks @marocchino!
I also had to add contents: read because the checkout action was throwing repository not found error 🤔.
Anyway, your tip took me somewhere 🙏
Thanks again!

Is this a new requirement from Github?
I have other workflows in another organization with the previous configuration and they work fine.
Maybe there is something tweaked in Github settings (?)

[marocchino]

Indeed, it seems to be a relatively recent development, as far as I understand. 😄 Please find the relevant resources below:

• https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
• https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token

GitHub Docs

Assigning permissions to jobs - GitHub Docs

Modify the default permissions granted to GITHUB_TOKEN.

[TeknoPT]

Hey @marocchino I have the same issue can't get it to work from forked Pull request, do you have any idea how to make it work

The code is here:

https://github.com/phantasma-io/TOMB/blob/dev/.github/workflows/dotnet-core.yml

If it's an internal PR for example from dev to Master it will work but since it's a PR from a forked repo it won't work.

Any ideas ?

GitHub

TOMB/dotnet-core.yml at dev · phantasma-io/TOMB

TOMB smart contract compiler for Phantasma platform - TOMB/dotnet-core.yml at dev · phantasma-io/TOMB

[marocchino]

I created this to use for internal repos and have never used it in a fork, so my answer may not be accurate. but...

1. try replacing pull_request with pull_request_target.
2. this part should already be applied to master, not pr.

[TeknoPT]

This response was from Github support:

"When workflows are triggered from pull requests(with the pull_request trigger) from forks, the GITHUB_TOKEN is read-only and all other secrets are not available to the workflow run:

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories

This means that if you try to perform any write operations, such as creating comments on the pull request using the GITHUB_TOKEN or any other secrets, the operation will fail.

GitHub does provide the pull_request_target trigger that can be used to handle such scenarios. This, however, runs against the code on the pull request base, rather than the merge commit. While you can combine this trigger with an explicit checkout of the pull request branch code, GitHub discourages such setups as detailed below:

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

The article above provides details on how to use the pull_request in combination with the workflow_run trigger to implement the desired outcome."

Thank you Github PAUL!

This will fix the issue, you can run a workflow depending on the result on the PR if it's complete or not which will solve the issue using the upload artifacts and download artifacts
https://github.com/actions/upload-artifact
https://github.com/actions/download-artifact

GitHub Docs

Events that trigger workflows - GitHub Docs

You can configure your workflows to run when specific activity on GitHub happens, at a scheduled time, or when an event outside of GitHub occurs.

GitHub Security Lab

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

In this article, we’ll discuss some common security malpractices for GitHub Actions and workflows, and how to best avoid them. Our examples are based on real-world GitHub workflow implementation vulnerabilities the GitHub Security Lab has reported to maintainers.

GitHub

GitHub - actions/upload-artifact

Contribute to actions/upload-artifact development by creating an account on GitHub.

GitHub

GitHub - actions/download-artifact

Contribute to actions/download-artifact development by creating an account on GitHub.

[antoniovazquezblanco]

It seems I am also affected by this.

I originally added coverage reports and tested this action against my own repo antoniovazquezblanco/sigutils#3 and it was all fine but when I merged into the original repo it failed... See BatchDrake/sigutils#65

[JustJerem]

It happens to me too when I'm integrating the example in the Outputs part of semantic-pull-request.

Run marocchino/sticky-pull-request-comment@v2
  with:
    header: pr-title-lint-error
    message: Hey there and thank you for opening this pull request! 👋🏼
  
  We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
  
  Details:
  
  No release type found in pull request title "This is a test, delete branch". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/
  
  Available types:
   - feat: A new feature
   - fix: A bug fix
   - docs: Documentation only changes
   - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
   - refactor: A code change that neither fixes a bug nor adds a feature
   - perf: A code change that improves performance
   - test: Adding missing tests or correcting existing tests
   - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
   - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
   - chore: Other changes that don't modify src or test files
   - revert: Reverts a previous commit
  
    append: false
    recreate: false
    delete: false
    only_create: false
    only_update: false
    hide_details: false
    hide: false
    hide_and_recreate: false
    hide_classify: OUTDATED
    ignore_empty: false
    follow_symbolic_links: false
    GITHUB_TOKEN: ***
Error: Resource not accessible by integration

[ricardoboss]

@antoniovazquezblanco @JustJerem you need to use PAT (personal access token) and pass it via GITHUB_TOKEN in the inputs. I'd recommend fine grained tokens (beta): https://github.com/settings/tokens?type=beta

Make sure the token can only be used to create comments on PRs. Otherwise it could be abused by an evil pull request. You will need to approve any PRs from external contributors.

GitHub

Build software better, together

GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 330 million projects.