Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error: Failed to create checks using the provided token. (HttpError: Not Found) #23

Closed
knaktrevor opened this issue Jan 22, 2021 · 10 comments

Comments

@knaktrevor
Copy link

The link below returns a 404. Not sure if it use to contain relevant information to help with the related error, but information on what permissions are required for the token would be helpful too.

Warning: This usually indicates insufficient permissions. More details: #32

@knaktrevor
Copy link
Author

Works correctly if you use the default token provided by GitHub:
https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

Maybe include something about this in the documentation, but if it's possible to use a personal access token to limit the scope, that would be beneficial too.

@mikepenz
Copy link
Owner

mikepenz commented Jan 22, 2021

Oh thanks for the info that the link is now broken. I have updated the action with the typescript template and due to that I created a new repo.

The link to the details is: mikepenz/action-junit-report-legacy#32

This limitation is not really a limitation of the action but more how github actions functions.

It's ultimately a security risk if GitHub actions would allow this for forked repos: mikepenz/action-junit-report-legacy#32 (comment)

@mikepenz
Copy link
Owner

In this special situation as of yours it was not really the security issue to to pwn requests, but you tried to use a different PAT which limited access.

In the locations we use this action we usually use the provided token from the action as it is special, and specially created for actions to be used.

I fully agree that trusting github actions available on the marketplace is always risky, as such lowering risk by giving an action as little power as possible. For that I would love to learn more which options there are to create a token with as little power as possible for this.

Beside that. Please always feel free to read the source code and recompile the action to see that it will result in the same sources (I use exact the statements as documented in the README)

Sadly there is no current way for me to get verified on the GitHub actions marketplace as I am not a. company, nor is there a review process which all would be amazing to add additional security to the github actions ecosystem.

If you have additional ideas to improve this or suggestions. Happy to have a chat about these.

@iBotPeaches
Copy link

If anyone gets sent to this page, but a slightly different error like:

❌ Failed to create checks using the provided token. (HttpError: Resource not accessible by integration)

You probably have on top of workflow something like this:

permissions:
    contents: read
    checks: write
    id-token: write

This package needs checks: write and good to go. So add that if missing.

@mikepenz
Copy link
Owner

mikepenz commented Feb 1, 2023

@iBotPeaches is the id-token one also required?

It's probably helpful to increase the visibility in the README with checks: write only being noted in the collapsed example

@iBotPeaches
Copy link

@iBotPeaches is the id-token one also required?

It's probably helpful to increase the visibility in the README with checks: write only being noted in the collapsed example

It isn't. id-token is what I added to enable OIDC for AWS deploys. Since I added it all the others defaulted to less permission instead of their default and thus an error. I needed contents for actions/checkout action and then checks for this action.

@mikepenz
Copy link
Owner

mikepenz commented Feb 1, 2023

Thank you very much. I'll update the README to add some more transparency to it.

shogo82148 added a commit to shogo82148/CPAN-Meta-Requirements that referenced this issue Jun 6, 2023
I got some errors on GitHub Actions.

```
  ℹ️ - JUnit Report (5.10) - 143 tests run, 143 passed, 0 skipped, 0 failed.
  ℹ️ - JUnit Report (5.10) - Creating check for
  Error: ❌ Failed to create checks using the provided token. (HttpError: Resource not accessible by integration)
  Warning: ⚠️ This usually indicates insufficient permissions. More details: mikepenz/action-junit-report#23
```

Because the default permissions have changed,
permissions must be set explicitly..
chizmw added a commit to chizmw/botc-custom-script-json2pdf that referenced this issue Jul 12, 2023
chizmw added a commit to chizmw/botc-custom-script-json2pdf that referenced this issue Jul 22, 2023
@josefbacik
Copy link

I'm seeing the same issue, and I think I've followed all the suggestions offered in the documentation, and I'm still getting this error.

Weirdly I'm also getting the properly parsed results, so it appears to just be noisy? You can see an example here

https://github.com/btrfs/linux/actions/runs/6148653491

the "test-zoned" for example had 1 failure, and the results are properly posted for that, but there's also errors from the tool about a token. Any idea what's going on here?

@mikepenz
Copy link
Owner

Good day @josefbacik

What you are seeing is the summary which gets posted to your build:
Screenshot 2023-09-13 at 15 52 51

However, it fails to create the checks which is done here:

If you do not want a check to be created, you can for example only have annotations by setting annotateOnly.

Related the issue. For checks to be created, the token requires the specific permission.
https://github.com/mikepenz/action-junit-report?tab=readme-ov-file#pr-run-permissions
(if you use a different token than the GitHub Actions provided token, make sure it allows for checks to be created)

@josefbacik
Copy link

@mikepenz thanks! The permissions thing doesn't work for "external pull requests" because of the restricted permissions GH does. I'll use the atnnotateOnly thing, that's perfect, thanks so much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants
@josefbacik @iBotPeaches @mikepenz @knaktrevor and others