When a PR is created by someone who is not a maintainer, getting Resource not accessible by integration #67

Closed
cunla opened this issue Jan 5, 2023 · 4 comments

Comments

cunla commented Jan 5, 2023

Hi,

I am working on fakeredis-py and using add-pr-comment to add test coverage to PRs - it works very well! (thank you).
When someone not listed as a collaborator on the repository is creating a PR, it fails to create the PR comment with the error Resource not accessible by integration, see example here.

I think this is more of a GitHub issue, but not sure who to refer to.

kubukoz commented Feb 9, 2023

funny thing, I'm also hitting this even when I (a repo admin) open the pull request...

update: my job was limiting its token permissions (having less than the workflow).

Owner

mshick commented Apr 14, 2023

Hi @cunla that sounds like it was a permissions issue. Did you get it sorted out? If not I should be able to devote a little more time to this repo in the coming week, and maybe I can dig in further if you have some current (non-expired) logs.

Author

cunla commented Apr 14, 2023

Create a PR on fakeredis (it doesn't have to do anything, I just want to give you access to see it in real time) - I will approve running the flow and you can see what's going on in the logs.
It only happens when the PR author is not a maintainer of the repo.

Owner

mshick commented Apr 26, 2023

@cunla It looks like the issue is the default ${{ secrets.GITHUB_TOKEN }} permissions. I found a clear doc about it here: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

I've also had similar issues on PRs here. The reason: writing a comment requires write permissions on issues, but the default tokens are prohibited from any write permissions on forks from public repos. Even setting granular permissions in the workflow won't do the trick if the workflow is run in the context of the PR itself because the maximum permissions allowed to that token are read-only.

You can try switching to use pull_request_target as the event, which will cause the workflow to run in your branch context — the target of the PR itself. I think that will get the default GITHUB_TOKEN working, or you could optionally provide your own token as a secret on your repo and it will get picked up even if a fork triggered the run.

One minor caveat to pull_request_target that I've noticed is that it makes workflow development somewhat more difficult, since the workflow and action changes in an active PR won't be picked up. Not a huge issue, but worth being aware of.
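
The change suggested in the last comment, as an added example that is not taken from this thread or from the add-pr-comment repository: the same comment workflow under `pull_request`, where the token is read-only for fork PRs, and under `pull_request_target`. The file name, job name, message text, the `@v2` tag and the `pull-requests: write` scope are assumptions.

```yaml
# Added example. Two versions of a hypothetical .github/workflows/pr-comment.yml.

# Before: fails on PRs opened from forks of a public repository.
# For those runs GITHUB_TOKEN is capped at read-only, so the permissions
# block below cannot raise it and the comment step ends with
# "Resource not accessible by integration".
name: pr-comment
on:
  pull_request:
permissions:
  pull-requests: write        # requested, but not granted on fork PRs
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: mshick/add-pr-comment@v2    # version tag is an assumption
        with:
          message: "Coverage report goes here"   # constructed sample text
---
# After: runs in the base repository's context, so the token can write.
# The workflow definition is read from the base branch, which is why edits
# to this file inside an open PR are not picked up.
name: pr-comment
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
permissions: {}               # nothing granted at workflow level
jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write    # assumed scope; the only one this job gets
    steps:
      # No checkout of the PR head in this job: it holds a write token,
      # so it must not build or execute code that comes from the fork.
      - uses: mshick/add-pr-comment@v2    # version tag is an assumption
        with:
          message: "Coverage report goes here"   # constructed sample text
```

Anything that has to run the contributor's code, such as the test suite that produces the coverage numbers, belongs in a separate job or workflow that keeps the read-only token.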
