jest-report-action
Error: Resource not accessible by integration on PRs raised by dependabot
When a PR is raised by Dependabot (or anyone without write access to a repo), although all the tests pass, the action is unable to annotate the PR, instead throwing an error e.g. and the workflow fails:
```
Run IgnusG/[email protected]
  with:
    access-token: ***
    junit-file: junit.xml
    run-name: build
    check-name: Jest
    working-directory: .
Error: Something went wrong: Error: Request to create annotations failed - request: {"owner":"mnbf9rca","repo":"IsTheTubeRunning","head_sha":"8e7ba3d9835e3a4070fba1994b40b5214369da6c","name":"Jest","conclusion":"success","output":{"title":"Jest Test Results","summary":"#### These are all the test results I was able to find from your jest-junit reporter\n**60** tests were completed in **5.557s** with **60** passed ✔ and **0** failed ✖ tests.","annotations":[]}} - error: Resource not accessible by integration
```
I believe this will happen whenever someone raises a PR against a repo that they don't have write access to.
Another action which I use for Python coverage reporting (python-coverage-comment) solves this by publishing the coverage report as an artefact when the tests are executed, and then fetching it in a separate workflow to report. Is that possible with this action?
Here's the broken JS workflow:
```yaml
name: Tests CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: check out source code
        uses: actions/checkout@v3
      - name: set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm install
        name: run npm install
        env:
          DOTENV_KEY: ${{ secrets.DOTENV_KEY }}
      - run: npm run test:ci
        name: execute tests
        env:
          DOTENV_KEY: ${{ secrets.DOTENV_KEY }}
      - name: report junit results
        uses: IgnusG/[email protected]
        if: always() # Or use "continue-on-error: true" in previous test step
        with:
          access-token: ${{ secrets.GITHUB_TOKEN }}
```
Hey @mnbf9rca! Unfortunately this is actually a security feature of dependabot's integration in GitHub. PRs that are triggered by dependabot (either `push` or `pull_request`) are assumed to run in a non-secure environment and therefore do not have access to secrets. So `jest-report-action` actually receives an empty string in `access-token: ${{ secrets.GITHUB_TOKEN }}` and therefore the request to create the PR annotations fails.
Here's the link to the official information regarding this change: https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425
As to a solution, yes, what python-coverage-comment is using is the correct workaround for this issue. Since `jest-report-action` only expects the report file, you can use another action to upload the `junit.xml` to an artifact and then have the next workflow pick it up, downloading it and running `jest-report-action` with that `junit.xml` file as input.
You can use https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts#sharing-data-between-workflow-runs as inspiration for how to make the artifact upload/download work.
Take a look at the dependabot link for tips on how to trigger the second workflow run so that it has access to the secrets.
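
The two-workflow split described in the reply above, as an added example that is not from the original thread or from the jest-report-action project. It assumes `actions/upload-artifact@v4` and `actions/download-artifact@v4` (whose `run-id` and `github-token` inputs allow downloading from another run), an artifact name `junit-report` chosen here, a test job that can run without `DOTENV_KEY`, and a `<version>` placeholder for the action release.

```yaml
# .github/workflows/tests.yml  (unprivileged: runs on the PR, uses no secrets)
name: Tests CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '18'
      - run: npm install
      - run: npm run test:ci
      - name: upload junit report
        if: always()                 # publish the report even when tests fail
        uses: actions/upload-artifact@v4
        with:
          name: junit-report         # assumed artifact name
          path: junit.xml
---
# .github/workflows/report.yml  (privileged: definition comes from the default branch)
name: Report test results
on:
  workflow_run:
    workflows: ["Tests CI"]
    types: [completed]
permissions:
  actions: read      # download the artifact from the triggering run
  checks: write      # create the check run with annotations
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      # No checkout of PR code here: the artifact is handled as data only.
      - uses: actions/download-artifact@v4
        with:
          name: junit-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: IgnusG/jest-report-action@<version>   # placeholder: pin the release you use
        with:
          access-token: ${{ secrets.GITHUB_TOKEN }}
          junit-file: junit.xml
```

In a `workflow_run` run, `github.sha` is the default branch's latest commit rather than the PR head, so confirm which commit the resulting check lands on. Keep the privileged workflow from checking out or executing anything from the PR; it should only parse the downloaded `junit.xml`.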