
403 Resource not accessible by integration []

Open almereyda opened this issue 1 year ago • 3 comments

When a workflow run using AWS OIDC federation fails with:

error getting pull request: GET https://api.github.com/repos/octo-org/octo-repo/pulls/1/files: 403 Resource not accessible by integration []

we need to explicitly add `pull-requests: write` permissions, as such:

  permissions:
    id-token: write
    contents: read
+   pull-requests: write

Reference

almereyda avatar Jun 20 '23 23:06 almereyda

Thanks for filing @almereyda ! we will look into this asap

ZIJ avatar Jun 21 '23 13:06 ZIJ

We looked into it and it seems that the pull-requests: write permission is required to post PR comments

permissions:
  contents: write      # required to merge PRs
  id-token: write      # required for workload-identity-federation
  pull-requests: write # required to post PR comments
  statuses: write      # required to validate combined PR status

Also didn't fully understand the relation to OIDC - could you share a bit more detail, @almereyda?

ZIJ avatar Jun 21 '23 17:06 ZIJ
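The following is an added example, not code from this thread and not Digger's own workflow: a minimal GitHub Actions job that assumes an AWS role through OIDC and then comments on the pull request, with the job-level `permissions` block scoped to exactly what those two steps need. The role ARN, region, action versions and the comment step are assumptions chosen for illustration.

```yaml
# Added example (not Digger's own workflow). Assumes the aws-actions
# configure-aws-credentials action and the gh CLI on the runner; the role ARN
# and region are placeholders.
name: plan-on-pr

on:
  pull_request:

jobs:
  plan:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the repository default: every
    # scope not listed here is 'none', so each line is a deliberate grant.
    permissions:
      id-token: write      # lets the runner request an OIDC token to exchange at AWS STS
      contents: read       # checkout only; raise to 'write' only if this job merges PRs
      pull-requests: write # needed for GET/POST on /repos/*/pulls/*; without it the API
                           # answers "403 Resource not accessible by integration"
    steps:
      - uses: actions/checkout@v4

      # Exchanges the short-lived GitHub OIDC token for temporary AWS
      # credentials; no long-lived AWS keys are stored as repository secrets.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE  # placeholder
          aws-region: us-east-1                                            # placeholder

      # Any step that reads or writes the PR through the GitHub API relies on
      # the pull-requests: write grant above. The PR number is passed through
      # an environment variable rather than interpolated into the shell line.
      - name: Comment on the pull request
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --body "Plan step finished."
```

Two caveats worth checking when the 403 persists after adding the scope: the IAM role's trust policy must accept the GitHub OIDC issuer and should pin the `token.actions.githubusercontent.com:sub` claim to the specific repository (and ideally the `pull_request` event or branch) so that no other repository can assume the role; and for `pull_request` runs triggered from a fork GitHub caps `GITHUB_TOKEN` at read-only and does not issue an OIDC token at all, so both the PR comment and the role assumption fail regardless of the `permissions` block.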

Thank you for looking into this.

OIDC is used implicitly with aws-role-to-assume.

The article linked in the OP references section described the same observed behaviour under very similar circumstances, using AWS "workload identity", and the fix helped.

almereyda avatar Jun 22 '23 00:06 almereyda