Credo - Code Scanning - Add `actions: read` to support non public repos
Fixes the error seen when running the workflow on a non-public repo: need to add the `actions: read` permission for the upload action to invoke GET workflow-runs.
```
Warning: Caught an exception while gathering information for telemetry: HttpError: Resource not accessible by integration. Will skip sending status report.
Error: Resource not accessible by integration
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/request/dist-node/index.js:86:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v3/node_modules/bottleneck/light.js:405:18) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/GomtiDemoOrg1/MY_ELIXIR_PROJECT/actions/runs/8572656704?exclude_pull_requests=true',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Fri, 05 Apr 2024 16:12:44 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'actions=read',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '54D0:3A2218:108D320:1B5734A:661022FC',
      'x-ratelimit-limit': '15000',
      'x-ratelimit-remaining': '14986',
      'x-ratelimit-reset': '1712334260',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '14',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/actions/workflow-runs#get-a-workflow-run'
    }
  },
  request: {
    method: 'GET',
    url: 'https://api.github.com/repos/GomtiDemoOrg1/MY_ELIXIR_PROJECT/actions/runs/8572656704?exclude_pull_requests=true',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL-Action/3.24.10 octokit-core.js/3.6.0 Node.js/20.8.1 (linux; x64)',
      authorization: 'token [REDACTED]'
    },
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}
```
Precedent: https://github.com/actions/starter-workflows/blob/607f368fb03ddbf9bfd194f77f160f5da2dd9ab2/code-scanning/codeql.yml#L32-L38
This change makes no sense.
https://github.com/actions/starter-workflows/commit/f5cfb3ea9c17d9f3031dc88a7b065108653916e8 added actions: read
So as of today, this should just work: https://github.com/actions/starter-workflows/blob/2435e576016b3fdd46574a49126d65bfd0d4872f/code-scanning/credo.yml#L33-L36
Beyond that, because the job itself already defines permissions, defining additional permissions at the workflow level will have no impact.
For the curious, I'm also trying to fix github/codeql-action/upload-sarif so that it won't need this permission in the future, but that's not really relevant to this PR.
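The rule in the comment above (a job-level `permissions` block replaces the workflow-level one), as an added example that is not code from this PR or from starter-workflows: a small check over workflows given as already-parsed YAML dicts. The job id `scan`, the sample workflows and the helper names are constructed for illustration.

```python
LEVELS = {"none": 0, "read": 1, "write": 2}
# security-events: write is the documented requirement for uploading SARIF;
# actions: read is the scope the 403 response above asks for on a non-public repo.
UPLOAD_SARIF_NEEDS = {"security-events": "write", "actions": "read"}

def effective_permissions(workflow, job_id):
    """Return the permissions block that applies to job_id, or None when neither
    level declares one (the token then gets the repository default)."""
    job = workflow["jobs"][job_id]
    # A job-level block replaces the workflow-level block; the two are not merged.
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")

def level_of(perms, scope):
    """Access level ('none', 'read' or 'write') that perms grants for scope."""
    if perms in ("read-all", "write-all"):    # shorthand covering every scope
        return perms.split("-")[0]
    return (perms or {}).get(scope, "none")   # unlisted scopes become none

def missing_for_upload_sarif(workflow):
    """Map job id -> scopes that a job calling upload-sarif is not granted."""
    findings = {}
    for job_id, job in workflow["jobs"].items():
        uses = [step.get("uses", "") for step in job.get("steps", [])]
        if not any(u.startswith("github/codeql-action/upload-sarif@") for u in uses):
            continue
        perms = effective_permissions(workflow, job_id)
        if perms is None:
            continue  # nothing declared: depends on repository defaults, not checked
        short = sorted(scope for scope, need in UPLOAD_SARIF_NEEDS.items()
                       if LEVELS[level_of(perms, scope)] < LEVELS[need])
        if short:
            findings[job_id] = short
    return findings

# Constructed sample workflows (not the contents of credo.yml).
STEPS = [{"uses": "actions/checkout@v4"},
         {"uses": "github/codeql-action/upload-sarif@v3"}]
JOB_ONLY = {"contents": "read", "security-events": "write"}
# actions: read added at workflow level only; the job block still wins.
workflow_level_fix = {"permissions": {"actions": "read"},
                      "jobs": {"scan": {"permissions": dict(JOB_ONLY), "steps": STEPS}}}
# actions: read added to the job block itself.
job_level_fix = {"jobs": {"scan": {"permissions": {**JOB_ONLY, "actions": "read"},
                                   "steps": STEPS}}}

if __name__ == "__main__":
    print(missing_for_upload_sarif(workflow_level_fix))
    print(missing_for_upload_sarif(job_level_fix))
```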
This pull request has become stale and will be closed automatically within a period of time. Sorry about that.