Authentication via GitHub Apps

Open aaronshurley opened this issue 2 years ago • 15 comments

I'm trying to set up automation for an organization project. Following this guidance, I would need to use a GitHub App for an organization project. Currently, this action's configuration requires a personal access token but I don't believe that will provide access to an organization project. Therefore, I'm requesting the capability of authenticating via a GitHub App.

Please let me know if I have any misunderstandings. Thanks!

aaronshurley avatar Jul 19 '22 22:07 aaronshurley

I also want to know what minimal permissions and scope we add to a GitHub App.

peaceiris avatar Jul 26 '22 13:07 peaceiris

@mattcosta7 running into this issue with a customer of mine. They're using a GitHub app to generate a token, but they're getting the following error when running this action:

Resource not accessible by integration

ssulei7 avatar Aug 01 '22 18:08 ssulei7

passing this on for triage

mattcosta7 avatar Aug 01 '22 18:08 mattcosta7

I would also like to implement this in this way.

wadefletch avatar Aug 03 '22 16:08 wadefletch

👋 Thank you for reporting this issue! I wanted to post an update here to let you know that we are aware of this issue and have bumped it up in priority and are tracking it in our internal backlog. I'm sorry we don't have a resolution here yet (other than using a PAT), but we are looking into it, and we will post back when we have an update.

camchenry avatar Aug 26 '22 15:08 camchenry

FWIW I'm using this successfully with GitHub Apps using https://github.com/vidavidorra/github-app-token with the following permissions. Example workflow: https://github.com/vidavidorra/roadmap/blob/main/.github/workflows/triage.yml.

image

workflow code
name: Add issue to project
on:
  issues:
    types: opened
jobs:
  add-issue-to-project:
    name: Add issue to project
    runs-on: ubuntu-latest
    steps:
      - name: Generate token
        id: generate_token
        uses: vidavidorra/github-app-token
        with:
          appId: ${{ secrets.TRIAGE_APP_ID }}
          privateKey: ${{ secrets.TRIAGE_PRIVATE_KEY }}
      - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # renovate: tag=v0.3.0
        with:
          project-url: https://github.com/orgs/vidavidorra/projects/2
          github-token: ${{ steps.generate_token.outputs.token }}

jdbruijn avatar Aug 29 '22 07:08 jdbruijn

I'm not sure what issues people are running into here. Similar to @jdbruijn, I was able to get this to work using tibdex/github-app-token, which is in the example docs: https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions#github-actions-workflows

Full workflow:

name: Add new issue/PR to project

on:
  issues:
    types:
      - opened

  pull_request_target:
    types:
      - opened

jobs:
  add-to-project:
    name: Add issue or PR to project
    runs-on: ubuntu-latest
    steps:
      - name: Generate token
        id: generate_token
        uses: tibdex/github-app-token@36464acb844fc53b9b8b2401da68844f6b05ebb0
        with:
          app_id: ${{ secrets.CCCL_AUTH_APP_ID }}
          private_key: ${{ secrets.CCCL_AUTH_APP_PEM }}
      - name: Add to Project
        env:
          TOKEN: ${{ steps.generate_token.outputs.token }}
        uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42
        with:
          project-url: https://github.com/orgs/NVIDIA/projects/6
          github-token: ${{ env.TOKEN }}

jrhemstad avatar Aug 31 '22 02:08 jrhemstad

Thanks for your patience with us everyone. I've deployed a fix to the GraphQL API for Projects which should allow private projects to be visible to GitHub Apps where they have been granted read or write permissions to the organization.

> I also want to know what minimal permissions and scope we add to a GitHub App.

@peaceiris The GitHub app will need read and write access to the organization to be able to add items to the project:

> running into this issue with a customer of mine. They're using a GitHub app to generate a token, but they're getting the following error when running this action: Resource not accessible by integration

@ssulei7 I'd recommend checking they gave the application write access to the organization projects (and also ensured the installation was updated if they changed settings) as this sounds like the GraphQL endpoint being called by the action blocked the app from adding an item to the project.

I'll check back in after the weekend to see if anyone else is still encountering issues in this area.

shiftkey avatar Sep 02 '22 18:09 shiftkey
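The check recommended in the comment above, written out as an added example (not code from the action or from anyone in this thread): it reads the `permissions` object that GitHub returns when an installation access token is created and reports whether the installation actually granted write access to organization projects. The key name `organization_projects`, the function name and the sample responses are assumptions made for this illustration; the samples are constructed and the token values are placeholders.

```python
import json

# Permission levels an installation token can carry, weakest first.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Assumption: "organization_projects" is the API key behind the organization
# "Projects" permission that the thread says needs read and write access.
REQUIRED = {"organization_projects": "write"}


def audit_token_permissions(response_body, required=REQUIRED):
    """Compare what the installation granted with what the workflow needs.

    Returns (missing, extra): `missing` maps each under-granted permission
    to the level held and the level needed; `extra` lists granted
    permissions outside `required`, for a least-privilege review.
    """
    granted = json.loads(response_body).get("permissions", {})
    missing = {}
    for name, need in required.items():
        have = granted.get(name, "none")
        if LEVELS.get(have, 0) < LEVELS[need]:
            missing[name] = {"have": have, "need": need}
    extra = sorted(name for name in granted if name not in required)
    return missing, extra


# Constructed sample: the app settings may say "write", but the installation
# was never updated, so the token still carries the old read-only grant.
STALE_INSTALLATION = json.dumps({
    "token": "ghs_PLACEHOLDER",
    "expires_at": "2022-09-02T19:00:00Z",
    "permissions": {"metadata": "read", "organization_projects": "read"},
})

# Constructed sample: sufficient for the project, plus a grant to review.
UPDATED_INSTALLATION = json.dumps({
    "token": "ghs_PLACEHOLDER",
    "expires_at": "2022-09-02T19:00:00Z",
    "permissions": {"contents": "write", "metadata": "read",
                    "organization_projects": "write"},
})

if __name__ == "__main__":
    for label, body in (("stale", STALE_INSTALLATION),
                        ("updated", UPDATED_INSTALLATION)):
        missing, extra = audit_token_permissions(body)
        print(label, "missing:", missing, "extra:", extra)
```

A non-empty `missing` result for a token generated inside the workflow is consistent with the `Resource not accessible by integration` error discussed in this thread.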

Hello! I was pointed here by support from a ticket. We are still encountering this issue when trying to send issues from a private repo to a private project. The GitHub App (which we're using to generate tokens) has been confirmed to have the correct permissions, but we're still getting the Resource not accessible by integration error.

sarahetter avatar Oct 11 '22 16:10 sarahetter

If the required usage with org level projects is to use a GitHub app rather than a PAT, can the README please be updated with that info?

natke avatar Jan 05 '23 19:01 natke

@jrhemstad I followed your workflow but I get "Error: Error: Failed to read private key"

mavaylon1 avatar Jan 05 '23 22:01 mavaylon1