Workflows are missing permissions requests #15462

Closed
jsoref opened this issue Jan 29, 2024 · 13 comments · Fixed by #15493, github/codeql-action#2110 or github/codeql-action#2121
Labels
question Further information is requested

Comments

@jsoref
Contributor

jsoref commented Jan 29, 2024

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/workflow

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/20979906681#step:19:55

Post job cleanup.
Warning: Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v2/node_modules/@octokit/request/dist-node/index.js:86:21
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v2/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v2/node_modules/bottleneck/light.js:405:18) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      connection: 'close',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Mon, 29 Jan 2024 16:16:02 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '94E3:79CB:3878D:7311B:65B7CF42',
      'x-ratelimit-limit': '1000',
      'x-ratelimit-remaining': '961',
      'x-ratelimit-reset': '1706548556',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '39',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest'
    }
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL-Action/2.23.2 octokit-core.js/3.6.0 Node.js/16.20.2 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"action_name":"init-post","action_oid":"unknown","action_ref":"v2","action_started_at":"2024-01-29T16:16:02.392Z","action_version":"2.23.2","analysis_key":".github/workflows/ql-for-ql-dataset_measure.yml:measure","commit_oid":"aeae208dc3291109d6c798179bb8944961348823","job_name":"measure","job_run_uuid":"75681a8a-17f0-4c74-b850-172cffab9a66","ref":"refs/heads/main","runner_available_disk_space_bytes":31716970496,"runner_os":"Linux","runner_total_disk_space_bytes":89297309696,"started_at":"2024-01-29T16:16:01.614Z","status":"success","testing_environment":"","workflow_name":"Collect database stats for QL for QL","workflow_run_attempt":1,"workflow_run_id":7699091660,"completed_at":"2024-01-29T16:16:02.416Z","matrix_vars":"{\\n  \\"repo\\": \\"github/codeql\\"\\n}","runner_arch":"X64","runner_image_version":"20240126.1.0","job_status":"JOB_STATUS_UNKNOWN"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}
Error: Resource not accessible by integration

I presume that it needs:

permissions:
  security-events: write

or similar, but this API isn't documented in https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28 so I have absolutely no idea.

@jsoref jsoref added the question Further information is requested label Jan 29, 2024
@aibaars
Contributor

aibaars commented Jan 29, 2024

I believe /code-scanning/analysis/status is a telemetry-related API. It should not fail unless a repository does not have GitHub Advanced Security or Code Scanning enabled. Advanced Security is a paid feature for private repositories, but for public ones it should just work (as far as I know).

@jsoref
Contributor Author

jsoref commented Jan 30, 2024

https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning

Code scanning is available for all public repositories on GitHub.com. Code scanning is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

I see no way for me to control it.

This org actively relies on SARIF analysis, so it shouldn't be disabled... I certainly don't actively try to turn things like this off...

@aeisenberg
Contributor

aeisenberg commented Jan 30, 2024

Thanks for reporting this. Could you try re-running the workflows? It might be that the problem was temporary. Whether it works now or not, this will give us more information to help us address the root cause.

@jsoref
Contributor Author

jsoref commented Jan 30, 2024

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/21030726761

@jsoref
Contributor Author

jsoref commented Jan 30, 2024

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/21030726761#step:3:21

response: {
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
    status: 403,
...
      'x-github-request-id': '8442:7780:CB905C:19C3CB6:65B93D93',
...
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest'
    }
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
...

@jsoref
Contributor Author

jsoref commented Jan 31, 2024

It sounds like @angelapwen and co will write a PR to make the /code-scanning/analysis/status API calls themselves non-critical -- my naive understanding is that they're for telemetry and such things really should never be required/fatal, that seems like a good thing, and given that the team is committed to not documenting them as they're internal APIs, that part of things is outside of the scope of what I can do.

That said, I've posted a PR which should cover the general problem that these workflows aren't declaring their required permissions (they don't) which is a problem for paranoid forks -- and ideally most contributors to a project like codeql would configure their forks with the safer permissions settings.

@angelapwen
Contributor

Ah, you beat me to writing an update on this issue! Yes, we also just noticed that your workflow began succeeding 🥳 once you added the security-events: write permission earlier. We'll also try to add some validation so that our own workflows that use the Action aren't missing the necessary permission. Thank you for the PR — you've done most of the hard work already ✨

Regarding the API, yes, your understanding is accurate! The change to make the /code-scanning/analysis/status API calls non-critical will be in the CodeQL Action. We're tracking the issue internally and will discuss prioritization shortly.

As a side note, the CodeQL Action is also open source (https://github.com/github/codeql-action/) if you'd like to contribute in the future 😆

@jsoref
Contributor Author

jsoref commented Jan 31, 2024

Fwiw, it'd be really nice if the codeql things that make these API calls reported a friendly error when they detect missing permissions.

check-spelling does this in various places:
check-spelling/check-spelling@0acd92b
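
The two points raised in this thread, that workflows using the CodeQL Action should declare `security-events: write` rather than inherit whatever default the fork's GITHUB_TOKEN happens to have, and that a 403 `Resource not accessible by integration` should surface as a friendly message naming the missing permission, can be illustrated with a small script. This is an added example, not code from the CodeQL Action, the codeql repository or check-spelling. It assumes workflows are already parsed into plain objects (as a YAML library would return them), that `read-all`/`write-all` expand over the scope list given in the code, and that the sample error object and repository name are constructed, not taken from a real run.

```javascript
// Added example: not code from the CodeQL Action, codeql, or check-spelling.
// It models how GITHUB_TOKEN `permissions` resolve for a job, flags jobs that
// use the CodeQL Action without `security-events: write`, and turns the raw
// octokit 403 seen in the issue into an actionable message.
//
// Workflows are plain objects shaped like the output of a YAML parser (the
// `yaml` npm package, for example); the equivalent YAML is in the comments.

// Scopes GitHub documents for the `permissions` key (list assumed current;
// only used to expand the `read-all` / `write-all` shorthands).
const SCOPES = ['actions', 'checks', 'contents', 'deployments', 'discussions',
  'id-token', 'issues', 'packages', 'pages', 'pull-requests',
  'repository-projects', 'security-events', 'statuses'];

// Expand a `permissions` value into an explicit scope -> level map.
// `undefined` means nothing was declared: the token then gets the repository
// (or organization) default, which a fork with restricted settings may have
// set to read-only, so the caller cannot assume any write access.
function expandPermissions(declared) {
  if (declared === undefined) return undefined;
  if (declared === 'read-all') return Object.fromEntries(SCOPES.map((s) => [s, 'read']));
  if (declared === 'write-all') return Object.fromEntries(SCOPES.map((s) => [s, 'write']));
  // An explicit map: every scope not listed is 'none'.
  const out = Object.fromEntries(SCOPES.map((s) => [s, 'none']));
  for (const [scope, level] of Object.entries(declared)) out[scope] = level;
  return out;
}

// A job-level `permissions` key replaces the workflow-level one for that job
// (GitHub does not merge the two).
function effectivePermissions(workflow, jobName) {
  const job = workflow.jobs[jobName];
  return expandPermissions(job.permissions !== undefined ? job.permissions : workflow.permissions);
}

function usesCodeQLAction(job) {
  return (job.steps || []).some((step) =>
    typeof step.uses === 'string' && step.uses.startsWith('github/codeql-action/'));
}

// One finding per CodeQL job whose token is not guaranteed `security-events: write`.
function checkWorkflow(workflow) {
  const findings = [];
  for (const [name, job] of Object.entries(workflow.jobs)) {
    if (!usesCodeQLAction(job)) continue;
    const perms = effectivePermissions(workflow, name);
    if (perms === undefined) {
      findings.push(`${name}: no permissions declared; security-events access depends on the repository default GITHUB_TOKEN setting`);
    } else if (perms['security-events'] !== 'write') {
      findings.push(`${name}: security-events is '${perms['security-events']}', the CodeQL Action needs 'write'`);
    }
  }
  return findings;
}

// Translate an octokit-style RequestError (status, message, request) into the
// friendly message the issue asks for. Returns null for anything that is not
// the missing-permission 403, so other failures keep their original handling.
function explainPermissionError(err, requiredPermission) {
  if (err.status !== 403 || !/Resource not accessible by integration/.test(err.message)) return null;
  const path = new URL(err.request.url).pathname;
  return `GITHUB_TOKEN lacks '${requiredPermission}', which ${err.request.method} ${path} requires. ` +
    `Add it under 'permissions:' at the workflow or job level and re-run.`;
}

// Constructed sample: a CodeQL job with no permissions block. YAML equivalent:
//   jobs:
//     analyze:
//       runs-on: ubuntu-latest
//       steps:
//         - uses: github/codeql-action/init@v2
//         - uses: github/codeql-action/analyze@v2
const codeqlSteps = [{ uses: 'github/codeql-action/init@v2' }, { uses: 'github/codeql-action/analyze@v2' }];
const undeclared = { jobs: { analyze: { 'runs-on': 'ubuntu-latest', steps: codeqlSteps } } };

// Same job with least-privilege declarations. YAML equivalent:
//   permissions:
//     contents: read
//   jobs:
//     analyze:
//       permissions:
//         contents: read
//         security-events: write
const declared = {
  permissions: { contents: 'read' },
  jobs: { analyze: { 'runs-on': 'ubuntu-latest',
    permissions: { contents: 'read', 'security-events': 'write' }, steps: codeqlSteps } },
};

// Constructed error shaped like the one in the issue log (fields trimmed, repo name made up).
const sampleError = {
  status: 403,
  message: 'Resource not accessible by integration',
  request: { method: 'PUT', url: 'https://api.github.com/repos/example-org/example-repo/code-scanning/analysis/status' },
};

console.log(checkWorkflow(undeclared)); // one finding
console.log(checkWorkflow(declared));   // []
console.log(explainPermissionError(sampleError, 'security-events: write'));
```

The check deliberately treats an absent `permissions` block as a finding rather than assuming the historical write-all default: that default is exactly what a fork with restricted token settings does not have, which is how the 403 in this issue arose. Declaring `contents: read` at the workflow level and adding `security-events: write` only on the job that runs the CodeQL Action keeps every other job at the minimum the token needs.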

@jsoref
Contributor Author

jsoref commented Jan 31, 2024

I've contributed to both.

https://github.com/github/codeql-action/pulls?q=is%3Apr+author%3Ajsoref+is%3Aclosed

@angelapwen
Contributor

Fwiw, it'd be really nice if the codeql things that make these API calls reported a friendly error when they detect missing permissions.

check-spelling does this in various places: check-spelling/check-spelling@0acd92b

Thanks for sharing. We'll look at adding this (or some alternative that does something similar) to the CodeQL Action!

@jsoref
Contributor Author

jsoref commented Feb 1, 2024

I've posted:

@jsoref
Contributor Author

jsoref commented Feb 8, 2024

This isn't actually fixed yet. The downside of splitting things is that I apparently broke the metadata.

@angelapwen
Contributor

Oh, yes 😺 Reopening this issue to track.
