
Resource not accessible by integration when using from fork PRs

Open rchiodo opened this issue 4 years ago • 10 comments

Getting this error here when this action runs from a PR from a fork:

Posting status 'completed' with conclusion 'failure' to https://github.com/microsoft/vscode-python/pull/14326 (sha: f4e60b0f743a056b5bfdfe4c85388eeff145b22e)
Error: Resource not accessible by integration

I believe that's because of this: https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

Fork PRs don't get write access.

Is there a way to get the report to work without requiring write access?

rchiodo avatar Oct 09 '20 00:10 rchiodo

Hi @rchiodo, I don't know, but I know people have problems with forks/PRs and GitHub actions in general. Please let me know when you find out and something needs to be fixed in this repo.

jmisur avatar Oct 15 '20 11:10 jmisur

Thanks. Other junit reporters seem to have the same problem. This may be the way to fix it? https://github.com/shyim/junit-report-annotations-action/issues/3

rchiodo avatar Oct 15 '20 16:10 rchiodo

Maybe workflow_run event can help in this case

https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#workflow_run

slawekjaranowski avatar Dec 02 '20 12:12 slawekjaranowski

This may be solvable using the workflow_run event trigger. There is an example here.

Unfortunately, it requires a bunch of extra action configuration.

action-surefire-report is very important for our dev workflow though, so I'm going to be working up a solution soon - I'll make sure to link back to here for context.

devinrsmith avatar May 08 '21 12:05 devinrsmith

For reference, https://github.com/deephaven/deephaven-core/pull/547

devinrsmith avatar May 10 '21 18:05 devinrsmith

@jmisur can you use pull_request_target instead of pull_request?

jamie-wearsafe avatar Jul 13 '21 19:07 jamie-wearsafe

> @jmisur can you use pull_request_target instead of pull_request?

Definitely not as it's not secure https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

I might however tinker with workflow_run style, but it's super unfortunate that such hacks are necessary.

jmisur avatar Jul 15 '21 07:07 jmisur

Is there any update on this? I mean it has been open a while now...

Since using dependabot more and more we run into this problem more and more :(

huehnerlady avatar Nov 12 '21 07:11 huehnerlady

It seems you can add permissions to the workflow, I got the build to work again once I added the following to the job:

    permissions:
      checks: write
      contents: read
      issues: read
      pull-requests: write

see also here

huehnerlady avatar Nov 19 '21 11:11 huehnerlady

> It seems you can add permissions to the workflow, I got the build to work again once I added the following to the job:

I tried to add write permission to the workflow for everything, but it does not help. Could you please prompt me what I am doing wrong? My workflow: https://github.com/mak-42/action-surefire-report-bug1/blob/master/.github/workflows/maven.yml It works locally well, but failed when running a pull request from a fork: https://github.com/mak-42/action-surefire-report-bug1/actions/runs/6768710772/job/18399735881?pr=3#logs

mak-42 avatar Nov 06 '23 13:11 mak-42