
"Resource not accessible by integration"

Open AstraLuma opened this issue 4 years ago • 62 comments

https://github.com/ppb/pursuedpybear/pull/359/checks?check_run_id=211188070

https://github.com/ppb/pursuedpybear/blob/master/.github/workflows/greetings.yml

AstraLuma avatar Sep 03 '19 21:09 AstraLuma

This happens as soon as the person creating the PR does not have permission to the repository. I've been all day with this, and there does not seem to be a solution. Same problem as here actions/labeler#12.

JJ avatar Oct 23 '19 18:10 JJ

Eh? Actions run under their own credentials, not as a user??

AstraLuma avatar Oct 26 '19 17:10 AstraLuma

Actions run as a user, but when they are running in a fork there are potential security problems, so they are degraded to "read-only".

JJ avatar Oct 26 '19 18:10 JJ

I'm confused. This is an action configured in the main repo for a PR in the main repo?

AstraLuma avatar Oct 28 '19 15:10 AstraLuma

Oh, PR events are sent to the fork under the source branch, not to the target repo/branch?

AstraLuma avatar Oct 28 '19 17:10 AstraLuma

Ok, github needs to fix this. I'm facing the same thing while trying to create an action.

mangelajo avatar Dec 05 '19 15:12 mangelajo

We faced a similar issue when trying to use greeting for the Airflow project (https://github.com/apache/airflow). So we developed a GitHub app which is working well for us, in case someone faces a similar issue:

https://github.com/kaxil/boring-cyborg

kaxil avatar Jan 06 '20 03:01 kaxil

Is this the same issue as with labeler? https://github.com/actions/labeler/pull/50

If so, can the same solution also be applied (at least as a stopgap)? Very frustrating that Github seems to push these actions hard in their UI but then they don't work with the most common use case on GitHub for OSS projects.

joshgoebel avatar Mar 03 '20 13:03 joshgoebel

Getting this too: https://github.com/unidoc/unipdf/pull/269/checks?check_run_id=486244746 Would make sense to skip the action if needed resources are not available? Or an option to make it required/optional. Some actions might be required, but a greeting hardly, but this is flagging a valid PR as failing due to this.

gunnsth avatar Mar 04 '20 22:03 gunnsth

Some actions might be required, but a greeting hardly, but this is flagging a valid PR as failing due to this.

Yes, very good point also. Not all actions are created equal (in that they should kill the whole workflow from moving forward).

joshgoebel avatar Mar 05 '20 00:03 joshgoebel

the same issue also here - https://github.com/PyTorchLightning/pytorch-lightning/pull/1101/checks?check_run_id=496573752

Borda avatar Mar 09 '20 23:03 Borda

Anyone alive here: Is this the same issue as with labeler? https://github.com/actions/labeler/pull/50

I added this to a project but I guess I'm about to rip it out - the use case seems extremely limited - not at all suited for large OSS projects with many contributors. And those are exactly the projects where this type of thing would be most helpful.

joshgoebel avatar Apr 19 '20 20:04 joshgoebel

Unfortunately this is not specific to a given action / repository.

Anyone hit by this, please read this long comment I wrote and feel free to upvote it.

Ecco avatar Apr 19 '20 20:04 Ecco

Seeing the same here, clicking View raw logs takes you here, showing this:

2020-05-16T11:19:09.9683482Z ##[section]Starting: Request a runner to run this job
2020-05-16T11:19:10.1475479Z Can't find any online and idle self-hosted runner in current repository that matches the required labels: 'ubuntu-latest'
2020-05-16T11:19:10.1475518Z Can't find any online and idle self-hosted runner in current repository's account/organization that matches the required labels: 'ubuntu-latest'
2020-05-16T11:19:10.1475545Z Found online and idle hosted runner in current repository's account/organization that matches the required labels: 'ubuntu-latest'
2020-05-16T11:19:10.2831833Z ##[section]Finishing: Request a runner to run this job
2020-05-16T11:19:22.7547411Z Current runner version: '2.262.1'
2020-05-16T11:19:22.7814760Z ##[group]Operating System
2020-05-16T11:19:22.7815595Z Ubuntu
2020-05-16T11:19:22.7815791Z 18.04.4
2020-05-16T11:19:22.7815937Z LTS
2020-05-16T11:19:22.7816043Z ##[endgroup]
2020-05-16T11:19:22.7816216Z ##[group]Virtual Environment
2020-05-16T11:19:22.7816393Z Environment: ubuntu-18.04
2020-05-16T11:19:22.7816542Z Version: 20200430.1
2020-05-16T11:19:22.7816739Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu18/20200430.1/images/linux/Ubuntu1804-README.md
2020-05-16T11:19:22.7816939Z ##[endgroup]
2020-05-16T11:19:22.7817875Z Prepare workflow directory
2020-05-16T11:19:22.7982169Z Prepare all required actions
2020-05-16T11:19:22.7991418Z Download action repository 'actions/first-interaction@v1'
2020-05-16T11:19:25.4211254Z Build container for action use: '/home/runner/work/_actions/actions/first-interaction/v1/Dockerfile'.
2020-05-16T11:19:25.4259294Z ##[command]/usr/bin/docker build -t be76db:f9ec8e15eb204b4c8fce429747955bb4 -f "/home/runner/work/_actions/actions/first-interaction/v1/Dockerfile" "/home/runner/work/_actions/actions/first-interaction/v1"
2020-05-16T11:19:30.7684775Z Sending build context to Docker daemon  180.2kB
2020-05-16T11:19:30.7685241Z 
2020-05-16T11:19:30.7999714Z Step 1/4 : FROM node:slim
2020-05-16T11:19:31.0407250Z slim: Pulling from library/node
2020-05-16T11:19:31.1037852Z e62d08fa1eb1: Pulling fs layer
2020-05-16T11:19:31.1121801Z faf966cc3d43: Pulling fs layer
2020-05-16T11:19:31.1121976Z f8bb4fff4a5e: Pulling fs layer
2020-05-16T11:19:31.1122089Z 3edd92003cc0: Pulling fs layer
2020-05-16T11:19:31.1122198Z c4fbf6de64ba: Pulling fs layer
2020-05-16T11:19:31.1126576Z 3edd92003cc0: Waiting
2020-05-16T11:19:31.1126770Z c4fbf6de64ba: Waiting
2020-05-16T11:19:31.1805255Z faf966cc3d43: Verifying Checksum
2020-05-16T11:19:31.1805546Z faf966cc3d43: Download complete
2020-05-16T11:19:31.3817655Z e62d08fa1eb1: Verifying Checksum
2020-05-16T11:19:31.3819433Z e62d08fa1eb1: Download complete
2020-05-16T11:19:31.4827566Z f8bb4fff4a5e: Verifying Checksum
2020-05-16T11:19:31.4829438Z f8bb4fff4a5e: Download complete
2020-05-16T11:19:31.4878021Z c4fbf6de64ba: Verifying Checksum
2020-05-16T11:19:31.4880210Z c4fbf6de64ba: Download complete
2020-05-16T11:19:31.5415966Z 3edd92003cc0: Verifying Checksum
2020-05-16T11:19:31.5418126Z 3edd92003cc0: Download complete
2020-05-16T11:19:32.5235412Z e62d08fa1eb1: Pull complete
2020-05-16T11:19:32.7380894Z faf966cc3d43: Pull complete
2020-05-16T11:19:34.0368883Z f8bb4fff4a5e: Pull complete
2020-05-16T11:19:34.1939267Z 3edd92003cc0: Pull complete
2020-05-16T11:19:34.3154702Z c4fbf6de64ba: Pull complete
2020-05-16T11:19:34.3344945Z Digest: sha256:bd1af8b62e6f37ca961b0c5e01e83ce633dcbceb7d4261777f02a60ab8b81c93
2020-05-16T11:19:34.3655016Z Status: Downloaded newer image for node:slim
2020-05-16T11:19:34.3672333Z  ---> a30d4e2fedca
2020-05-16T11:19:34.3676649Z Step 2/4 : COPY . .
2020-05-16T11:19:39.5173575Z  ---> 309226db7be8
2020-05-16T11:19:39.5173877Z Step 3/4 : RUN npm install --production
2020-05-16T11:19:39.6417766Z  ---> Running in bdceb6669f69
2020-05-16T11:19:44.8069178Z npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
2020-05-16T11:19:44.8070366Z npm WARN deprecated [email protected]: use String.prototype.padStart()
2020-05-16T11:19:44.8070916Z npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
2020-05-16T11:19:45.2974466Z npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
2020-05-16T11:19:45.3009893Z npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
2020-05-16T11:19:51.8055528Z npm notice created a lockfile as package-lock.json. You should commit this file.
2020-05-16T11:19:51.8076993Z npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules/jest-haste-map/node_modules/fsevents):
2020-05-16T11:19:51.8090575Z npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
2020-05-16T11:19:51.8091882Z 
2020-05-16T11:19:51.8092461Z added 60 packages from 76 contributors in 10.186s
2020-05-16T11:19:52.0154280Z 
2020-05-16T11:19:52.0168221Z 2 packages are looking for funding
2020-05-16T11:19:52.0168845Z   run `npm fund` for details
2020-05-16T11:19:52.0169125Z 
2020-05-16T11:19:57.3743440Z Removing intermediate container bdceb6669f69
2020-05-16T11:19:57.3743790Z  ---> 1e98ad53c578
2020-05-16T11:19:57.3743864Z Step 4/4 : ENTRYPOINT ["node", "/lib/main.js"]
2020-05-16T11:19:57.5251339Z  ---> Running in 4f3ed799c7f3
2020-05-16T11:19:58.2105847Z Removing intermediate container 4f3ed799c7f3
2020-05-16T11:19:58.2106567Z  ---> edb70ec222b6
2020-05-16T11:19:58.2113458Z Successfully built edb70ec222b6
2020-05-16T11:19:58.2853353Z Successfully tagged be76db:f9ec8e15eb204b4c8fce429747955bb4
2020-05-16T11:19:58.3140166Z ##[group]Run actions/first-interaction@v1
2020-05-16T11:19:58.3140428Z with:
2020-05-16T11:19:58.3141246Z   repo-token: ***
2020-05-16T11:19:58.3141470Z   pr-message: Welcome to Apache Fineract!!
Have you read https://github.com/apache/fineract/#pull-requests?
Already subscribed to our mailing list, by sending an (empty) email to [email protected]?
Created your JIRA account on https://issues.apache.org/jira/projects/FINERACT/?
Played with our server at https://www.fineract.dev?
We're very excited to have you onboard contributing.

2020-05-16T11:19:58.3141641Z ##[endgroup]
2020-05-16T11:19:58.3195303Z ##[command]/usr/bin/docker run --name be76dbf9ec8e15eb204b4c8fce429747955bb4_b02700 --label be76db --workdir /github/workspace --rm -e INPUT_REPO-TOKEN -e INPUT_PR-MESSAGE -e INPUT_ISSUE-MESSAGE -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/fineract/fineract":"/github/workspace" be76db:f9ec8e15eb204b4c8fce429747955bb4
2020-05-16T11:19:59.0634356Z [@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
2020-05-16T11:19:59.0770654Z [@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
2020-05-16T11:19:59.0820713Z Checking if its the users first contribution
2020-05-16T11:19:59.0824423Z Checking...
2020-05-16T11:20:01.4985045Z Checking...
2020-05-16T11:20:03.7064930Z Checking...
2020-05-16T11:20:05.7993196Z Checking...
2020-05-16T11:20:08.1520036Z Checking...
2020-05-16T11:20:11.6824121Z Checking...
2020-05-16T11:20:13.8462005Z Checking...
2020-05-16T11:20:15.9628596Z Checking...
2020-05-16T11:20:18.0043279Z Checking...
2020-05-16T11:20:20.4625850Z Checking...
2020-05-16T11:20:21.0453582Z Adding message: Welcome to Apache Fineract!!
2020-05-16T11:20:21.0454513Z Have you read https://github.com/apache/fineract/#pull-requests?
2020-05-16T11:20:21.0455022Z Already subscribed to our mailing list, by sending an (empty) email to [email protected]?
2020-05-16T11:20:21.0456356Z Created your JIRA account on https://issues.apache.org/jira/projects/FINERACT/?
2020-05-16T11:20:21.0456768Z Played with our server at https://www.fineract.dev?
2020-05-16T11:20:21.0457161Z We're very excited to have you onboard contributing. to pull request 895
2020-05-16T11:20:21.1576819Z ##[error]Resource not accessible by integration
2020-05-16T11:20:21.4486360Z Cleaning up orphan processes

I've briefly looked a little bit into it; from what little I understand of Actions, that with: and repo-token: ${{ secrets.GITHUB_TOKEN }} somehow passes a Bot token that should be able to comment? The same seems to work e.g. in https://github.com/actions/stale... no idea why it does not here.

vorburger avatar May 16 '20 13:05 vorburger

I ran today into the same issue in the https://github.com/TrinityCore/TrinityCore project where we host 2 active branches and a GitHub action should have labeled the PRs with a branch label.

Quite sad that the 2nd action I built already has such a blocking issue.

jackpoz avatar May 23 '20 16:05 jackpoz

For the record, I'm working around this by running a bot on heroku.

It takes a little bit of setup, but writing additional webhook handlers is about the same complexity as writing a github action.

AstraLuma avatar May 23 '20 18:05 AstraLuma

Well this is incredibly disappointing and invalidates 2/3rd of all action usecases. Guess I won't be using it after all, and likely never again. How a super breaking bug like this can stay open for almost a year is beyond me. Really flawed design.

jariz avatar Jul 06 '20 22:07 jariz

Couldn't agree more…

Ecco avatar Jul 06 '20 23:07 Ecco

Still getting this error in August 2020.

glenn-jocher avatar Jul 31 '20 16:07 glenn-jocher

tl;dr, change

on:
- pull_request

to

on:
- pull_request_target

GitHub has introduced a new event type: pull_request_target, which allows running workflows from the base branch and passing a token with write permission.

In order to solve this, we’ve added a new pull_request_target event, which behaves in an almost identical way to the pull_request event with the same set of filters and payload. However, instead of running against the workflow and code from the merge commit, the event runs against the workflow and code from the base of the pull request. This means the workflow is running from a trusted source and is given access to a read/write token as well as secrets enabling the maintainer to safely comment on or label a pull request. This event can be used in combination with the private repository settings as well.

ylemkimon avatar Aug 08 '20 20:08 ylemkimon

Is there a fix for this yet?

abu-hasib avatar Aug 15 '20 16:08 abu-hasib

@abu-hasib see https://github.com/actions/first-interaction/issues/10#issuecomment-670968624.

ylemkimon avatar Aug 16 '20 12:08 ylemkimon

[@octokit/rest] const Octokit = require("@octokit/rest") is deprecated. Use const { Octokit } = require("@octokit/rest") instead [@octokit/rest] const Octokit = require("@octokit/rest") is deprecated. Use const { Octokit } = require("@octokit/rest") instead

cclauss avatar Sep 09 '20 05:09 cclauss

Hey everyone, I'm confused as to whether this relates to the issue I encountered.

I see this comment on the Check Runs action API documentation

Note: The Checks API only looks for pushes in the repository where the check suite or check run were created. Pushes to a branch in a forked repository are not detected and return an empty pull_requests array.

Does this mean I CANNOT use the API to initiate a check run on a branch which lives on a fork? The API says I should expect an empty pull_requests array, but instead I get this error message:

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/reference/checks#create-a-check-run"
}

NathanielRN avatar Oct 22 '20 03:10 NathanielRN

@NathanielRN that's probably the case, yes.

JJ avatar Oct 23 '20 08:10 JJ

Thanks @JJ .

So for my case, I found out that I was going about this wrong.

Someone was trying to make a PR to the origin repository A from a branch that existed on their fork repository B (a fork of A which I do not have access to).

I was trying to run tests on their PR by calling this API /repos/{owner}/{repo}/statuses/{sha} like /repos/<THEM>/<FORK_REPO_B>/statuses/<SHA_OF_THEIR_BRANCH>.

I didn't realize that when they create a PR, that SHA exists on my repo A (which I do have access to).

So I could run /repos/ME/<REPO_A>/statuses/<SHA_OF_THEIR_BRANCH> and it worked to run tests on their PR!

NathanielRN avatar Oct 23 '20 17:10 NathanielRN

Why not make a whitelist of actions that get write access?
This would pretty much mitigate most security issues as then every action needs to be enabled manually and that overall means the person being able to do so was at least in theory aware of the consequences.

Regardless this is a serious issue as that makes GitHub actions useless to anyone that already has a CI and just wants to use them to offer automated checks for PRs. I mean even simple things as adding test results/reports to the run are blocked.

Frankly it's a joke that this issue is open for more than a year. And that without any official stance on the whole matter.

BrainStone avatar Dec 22 '20 00:12 BrainStone

@BrainStone Check out https://github.com/actions/first-interaction/issues/10#issuecomment-670968624.

ylemkimon avatar Dec 29 '20 18:12 ylemkimon

@ylemkimon thank you very much!

BrainStone avatar Dec 29 '20 22:12 BrainStone

Before you realize that pull_request_target doesn't check out the pull request files by default and fix it to explicitly check out head.ref, I suggest you read https://securitylab.github.com/research/github-actions-preventing-pwn-requests

JarLob avatar Dec 30 '20 07:12 JarLob
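
The combination JarLob's comment warns about (a `pull_request_target` workflow that explicitly checks out the pull request's head) can be flagged in review with a small text scan. This is an added example, not part of the thread or of any project mentioned in it; the two sample workflows are constructed, `list_items` and `risky_checkouts` are hypothetical helper names, and the scan is a line-based heuristic rather than a full YAML parser.

```python
import re

# Constructed sample workflows (not from the thread).
SAFE_GREETING = """\
on:
- pull_request_target
jobs:
  greeting:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/first-interaction@v1
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        pr-message: Welcome!
"""
RISKY_BUILD = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}
    - run: npm install && npm test
"""

TRIGGER = re.compile(r"^\s*(-\s+)?pull_request_target\s*:?\s*$|^\s*on:.*\bpull_request_target\b")
PR_HEAD_REF = re.compile(r"^\s*ref:.*(github\.event\.pull_request\.head\.(sha|ref)"
                         r"|github\.head_ref|refs/pull/)")

def list_items(lines):
    """Group lines into YAML list items: a '- ' line plus its deeper-indented lines."""
    items, current, indent = [], None, 0
    for line in lines:
        starts_item = line.lstrip().startswith("- ")
        depth = len(line) - len(line.lstrip())
        if starts_item and (current is None or depth <= indent):
            current, indent = [line], depth
            items.append(current)
        elif current is not None and line.strip() and depth <= indent:
            current = None  # dedent ends the item
        elif current is not None:
            current.append(line)
    return items

def risky_checkouts(text):
    """Checkout steps that fetch PR-head code in a pull_request_target workflow.
    Whole-line comments are ignored so a commented-out trigger is not counted."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    if not any(TRIGGER.search(l) for l in lines):
        return []
    return ["\n".join(item) for item in list_items(lines)
            if any("actions/checkout@" in l for l in item)
            and any(PR_HEAD_REF.search(l) for l in item)]
```

The greeting workflow passes because it never checks out or runs pull request code; the build workflow is flagged because its checkout step pulls the PR head into a job that holds a read/write token.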