
Regression on token permissions

Open ddelange opened this issue 2 years ago • 7 comments

Hi 👋

Just tried out your action (thanks 💥) and didn't get it to work (logs):

Error: Resource not accessible by integration

The yaml is pretty straightforward:

  • default token
  • same repo

name: Trigger release-runners.yaml daily

on:
  schedule:
    - cron: "4 2 * * *"
  workflow_dispatch:

jobs:
  trigger-build:
    runs-on: ubuntu-latest
    steps:
      - name: Invoke workflow
        uses: benc-uk/[email protected]
        with:
          workflow: release-runners.yaml
          inputs: '{"push_to_registries": true}'

Maybe something changed on gh side?

ddelange avatar Jan 17 '23 14:01 ddelange

Fyi - I'm seeing the same behavior when trying to trigger a workflow within a single repository without passing a github token.

jamiezieziula avatar Feb 15 '23 22:02 jamiezieziula

Actually, I was able to get this working by providing the following permissions to my action:

---
name: workflow

on:
  push:
    branches:
      - main

permissions: {}

jobs:
  job:
    permissions:
      actions: write

# .... abbreviated

      - uses: benc-uk/[email protected]
        with:
          ref: main
          workflow: workflowyaml
          token:  ${{ secrets.github_token }}

jamiezieziula avatar Feb 17 '23 15:02 jamiezieziula

thanks @jamiezieziula, can confirm your fix:

name: Trigger release-runners.yaml daily

on:
  schedule:
    - cron: "4 2 * * *"
  workflow_dispatch:

jobs:
  trigger-build:
+   permissions:
+     actions: write
    runs-on: ubuntu-latest
    steps:
      - name: Invoke workflow
        uses: benc-uk/[email protected]
        with:
          workflow: release-runners.yaml
-         inputs: '{"push_to_registries": true}' # ERROR: For 'additionalProperties', true is not a string.
+         inputs: '{"push_to_registries": "true"}'
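
Review bot: the `permissions` block added under `trigger-build` lists only `actions: write`, and listing any scope at job level sets every unlisted scope to none, so a step added to this job later that needs another scope will fail until that scope is listed too; a one-line comment above the block saying why `actions: write` is there would help. On the `inputs` change, the explanation of the error sits only on the removed line, so keep a short note beside the new `"true"` to stop the quoting being undone.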

error ref https://github.com/ddelange/actions-runner-controller-releases/actions/runs/4224549792/jobs/7335647715#step:2:12

ddelange avatar Feb 20 '23 14:02 ddelange

@benc-uk does this warrant an update of the README?

ddelange avatar Feb 20 '23 14:02 ddelange

I'm seeing the same behavior, only on pull_request event from forks. Works fine on pull_request from a member, and push.

I will try adding the permissions section and report back.

Update: Now working for dependabot PRs!

Update 2: NOT working for fork PRs... not sure why it works for dependabot but not fork PRs.

ReenigneArcher avatar Mar 30 '23 13:03 ReenigneArcher

In your repo go to: Settings > Actions > General
and change these options:

image

dersimn avatar Sep 08 '23 15:09 dersimn

@dersimn thanks for the suggestion, but I already have that enabled for every repository in our org.

image

And actually to update my last comment.

It only works for org admins, and dependabot. It does not work for other members (who have write permission) on a repo.

ReenigneArcher avatar Sep 13 '23 17:09 ReenigneArcher

I also hit this, and it required me to add the actions: write permission to the job that used benc-uk/workflow-dispatch. No need to change repo settings or other job settings.

antitoxic avatar May 05 '25 04:05 antitoxic
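
The permission cases reported in this thread (nothing declared, `permissions: {}` at workflow level, `actions: write` at job level), as an added example that is not part of the original thread or of the action's own code: a Ruby check that reports, for each job using benc-uk/workflow-dispatch, whether the default token would carry `actions: write`. The names `classify`, `dispatch_permission_report` and `sample`, the `VERSION` placeholder and the sample workflows are assumptions constructed for illustration.

```ruby
require "yaml"

ACTION = "benc-uk/workflow-dispatch" # the action discussed in this thread

# Classify a `permissions:` value against the `actions: write` scope the thread's fix adds.
def classify(perms, declared)
  return :repo_default unless declared # nothing declared: the repo/org default applies
  return perms == "write-all" ? :granted : :denied if perms.is_a?(String)
  # Once any scope is listed, every unlisted scope is set to none.
  (perms || {})["actions"] == "write" ? :granted : :denied
end

# Returns { job_name => :granted | :denied | :repo_default } for each job that uses ACTION.
def dispatch_permission_report(workflow_yaml)
  doc = YAML.safe_load(workflow_yaml) || {}
  (doc["jobs"] || {}).each_with_object({}) do |(name, job), report|
    next unless (job["steps"] || []).any? { |s| s["uses"].to_s.start_with?("#{ACTION}@") }
    # A job-level block replaces the workflow-level one rather than merging with it.
    scope = job.key?("permissions") ? job : doc
    report[name] = classify(scope["permissions"], scope.key?("permissions"))
  end
end

# Constructed sample workflow; VERSION is a placeholder, not a real tag.
def sample(top_level, job_level)
  <<~YAML
    #{top_level}
    jobs:
      trigger-build:
        #{job_level}
        runs-on: ubuntu-latest
        steps:
          - uses: benc-uk/workflow-dispatch@VERSION
            with:
              workflow: release-runners.yaml
  YAML
end

NONE = "# no permissions block here"
puts dispatch_permission_report(sample(NONE, NONE))
puts dispatch_permission_report(sample("permissions: {}", "permissions: {actions: write}"))
puts dispatch_permission_report(sample("permissions: {}", NONE))
```

The report describes the default `GITHUB_TOKEN` only; a job that passes a different token through the action's `token` input is not governed by the `permissions` block.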