rustfmt-check

Problem when adding a workspace

Open joshka opened this issue 1 year ago • 7 comments

In https://github.com/ilai-deutel/kibi/pull/328#issuecomment-2478160733

Run mbrobbel/rustfmt-check@master
  with:
    token: ***
    mode: review
    commit-message: Format Rust code using rustfmt
  env:
    CARGO_TERM_COLOR: always
/home/runner/.cargo/bin/cargo +nightly fmt -- --emit json
[]
[]
Error: Unexpected non-whitespace character after JSON at position 2

I then changed the config to include a --package cargo arg and got:

Run mbrobbel/rustfmt-check@master
  with:
    token: ***
    mode: review
    args: --package kibi
    commit-message: Format Rust code using rustfmt
  env:
    CARGO_TERM_COLOR: always
/home/runner/.cargo/bin/cargo +nightly fmt --package kibi -- --emit json
[]
Error: Resource not accessible by integration

Both problems seem like bugs (either in rustfmt nightly or in this action, but I'm not sure which). Any ideas on how to proceed on this?

joshka avatar Nov 15 '24 08:11 joshka

Thanks for reporting.

This looks like a GitHub actions permission issue. I'll take a look.

mbrobbel avatar Nov 15 '24 09:11 mbrobbel

Looks like this is happening on a PR from a forked repo. Depending on the repo configuration the token may not get the required write permissions, resulting in the Resource not accessible by integration error. More info here https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token.

Can you maybe rerun the failed job and select Enable debug logging?

mbrobbel avatar Nov 15 '24 09:11 mbrobbel

Makes sense. Thanks for taking a look. I'm not the repo owner on this one. I'll let the owner know.

joshka avatar Nov 15 '24 10:11 joshka

Hi, I just reran the failed job with debug logging, here are the logs: https://gist.github.com/ilai-deutel/67505c1b914805ee2a737c2c33a9c55f

Interestingly, it says:

2024-11-15T14:50:20.3867907Z ##[group]GITHUB_TOKEN Permissions
2024-11-15T14:50:20.3869683Z Checks: read
2024-11-15T14:50:20.3870080Z Metadata: read
2024-11-15T14:50:20.3870600Z PullRequests: read
2024-11-15T14:50:20.3870976Z ##[endgroup]

even though the workflows have "Read and write permissions" and "Allow GitHub Actions to create and approve pull requests" in the project setting, and the action config has:

permissions:
  pull-requests: write
  checks: write

Run

ilai-deutel avatar Nov 15 '24 15:11 ilai-deutel

To make this work, a repo admin must set the (non-default) configuration required to get write permissions for workflows from forks. However, following the principle of least privilege, this is not something I recommend.

Maybe this action should switch to annotations (instead of review comments) when review mode is enabled but the workflow is triggered from a fork?

mbrobbel avatar Nov 18 '24 08:11 mbrobbel
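
The fallback proposed in the comment above, as an added example that is not code from rustfmt-check: detect a fork-triggered pull request from the event payload and emit workflow-command annotations, which need no token write permission, instead of review comments. The function names, the constructed sample payloads, and the assumed shape of the rustfmt JSON report (name, mismatches) are hypothetical.

```javascript
// Added example. Event payloads and the report below are constructed samples;
// the rustfmt `--emit json` shape (name, mismatches[]) is an assumption.
const FORK_EVENT = { pull_request: {
  head: { repo: { full_name: "contributor/kibi" } },
  base: { repo: { full_name: "ilai-deutel/kibi" } } } };
const SAME_REPO_EVENT = { pull_request: {
  head: { repo: { full_name: "ilai-deutel/kibi" } },
  base: { repo: { full_name: "ilai-deutel/kibi" } } } };
const SAMPLE_REPORT = [{ name: "src/main.rs", mismatches: [{
  original_begin_line: 3, original_end_line: 3,
  original: "fn main(){}", expected: "fn main() {}" }] }];

// True when the PR head lives in a different repository than the base,
// i.e. the run comes from a fork and the token is read-only by default.
function isForkPullRequest(event) {
  const pr = event && event.pull_request;
  if (!pr) return false;
  if (!pr.head.repo) return true; // head repo deleted: assume no write access
  return pr.head.repo.full_name !== pr.base.repo.full_name;
}

// Escape workflow-command values so a file name or diff text from an
// untrusted fork cannot end the command early or inject a second one.
function escapeData(s) {
  return String(s).replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}
function escapeProperty(s) {
  return escapeData(s).replace(/:/g, "%3A").replace(/,/g, "%2C");
}

// One ::warning annotation per mismatch; printing these lines to stdout is
// enough, no API call and therefore no write permission is involved.
function toAnnotations(report) {
  const lines = [];
  for (const file of report) {
    for (const m of file.mismatches) {
      lines.push(`::warning file=${escapeProperty(file.name)},` +
        `line=${m.original_begin_line},endLine=${m.original_end_line},` +
        `title=rustfmt::${escapeData("Expected:\n" + m.expected)}`);
    }
  }
  return lines;
}

// Keep review comments for same-repo PRs, fall back to annotations on forks.
function chooseOutput(mode, event) {
  if (mode !== "review") return mode;
  return isForkPullRequest(event) ? "annotations" : "review";
}
```
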

@mbrobbel Yes I think an annotation mode would be great!

ilai-deutel avatar Nov 19 '24 04:11 ilai-deutel

@mbrobbel Yes I think an annotation mode would be great!

I created #1140 to track this addition.

mbrobbel avatar Nov 19 '24 09:11 mbrobbel