codeql-action
CodeQL failed to upload alerts and generated an error: "RequestError [HttpError]: Resource not accessible by integration"
Summary
CodeQL failed to upload alerts and generated an error: "RequestError [HttpError]: Resource not accessible by integration"
Details
CodeQL generated errors and can't upload SARIF files to repositories.
RequestError [HttpError]: Resource not accessible by integration
at D:\a\_actions\github\codeql-action\v2\node_modules\@octokit\request\dist-node\index.js:66:23
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async Job.doExecute (D:\a\_actions\github\codeql-action\v2\node_modules\bottleneck\light.js:405:18) {
status: 403,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Mon, 05 Jun 2023 22:37:57 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'GitHub.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '1406:6C90:64E71DC:CEBA229:647E63C5',
'x-ratelimit-limit': '1000',
'x-ratelimit-remaining': '998',
'x-ratelimit-reset': '1686008277',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '2',
'x-xss-protection': '0'
},
request: {
method: 'PUT',
url: 'https://api.github.com/repos/hisashin0728/PoCMDCIaC/code-scanning/analysis/status',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'CodeQL-Action/2.3.6 octokit-core.js/3.1.2 Node.js/16.16.0 (win32; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"workflow_run_id":5182535793,"workflow_run_attempt":1,"workflow_name":"MSDO windows-latest","job_name":"sample","analysis_key":".github/workflows/msdevopssec.yml:sample","commit_oid":"4c8fec07d611c32201362fe9f391482439446021","ref":"refs/heads/main","action_name":"upload-sarif","action_ref":"v2","action_oid":"unknown","started_at":"2023-06-05T22:37:56.855Z","action_started_at":"2023-06-05T22:37:56.855Z","status":"starting","testing_environment":"","runner_os":"Windows","action_version":"2.3.6","matrix_vars":"null","runner_arch":"X64","runner_os_release":"10.0.20348"}',
request: { agent: [Agent], hook: [Function: bound bound register] }
},
documentation_url: 'https://docs.github.com/rest'
}
Error: Resource not accessible by integration
Here is my configuration YAML file.
name: MSDO windows-latest
on:
  push:
    branches:
      - main
jobs:
  sample:
    name: Microsoft Security DevOps Analysis
    runs-on: windows-latest
    steps:
      # Checkout your code repository to scan
      - uses: actions/checkout@v3
      # Install dotnet, used by MSDO
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: |
            5.0.x
            6.0.x
      # Run analyzers
      - name: Run Microsoft Security DevOps Analysis
        uses: microsoft/security-devops-action@preview
        id: msdo
        # For IaC Only
        with:
          categories: 'IaC'
      # Upload alerts to the Security tab
      - name: Upload alerts to Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
      # Upload alerts file as a workflow artifact
      - name: Upload alerts file as a workflow artifact
        uses: actions/upload-artifact@v3
        with:
          name: alerts
          path: ${{ steps.msdo.outputs.sarifFile }}
Apologies for the late response here. Your workflow file will need to specify custom permissions. You can add this chunk at the top-level of the file:
permissions:
  actions: read
  contents: read
  security-events: write
It'd be great if you could document that this is needed when running the build not just against PRs but also against branches (I run it against all PRs as well as the master branch). Also, only `security-events: write` is needed; the rest can be left at its default.
When searching the documentation I only found something about Dependabot, which clearly wasn't the case for me.