codeowners-validator

Recommended App permissions don't appear to be sufficient

Open ewiner opened this issue 3 years ago • 2 comments

Description

I created and installed a GitHub App as described in the docs, giving it only the "Members: Read" permission. But when running the action, I see this error:

Run mszostok/[email protected]
  with:
    checks: files,owners,duppatterns,syntax
    github_app_id: ***
    github_app_installation_id: ***
    github_app_private_key: ***
    github_base_url: ***
    repository_path: .
    owner_checker_repository: ***
    owner_checker_allow_unowned_patterns: true
    owner_checker_owners_must_be_teams: false
    not_owned_checker_trust_workspace: true
/usr/bin/docker run --name ghcriomszostokcodeownersvalidatorv074_7b39 --label 8d5581 --workdir /github/workspace --rm -e "INPUT_CHECKS" -e "INPUT_GITHUB_APP_ID" -e "INPUT_GITHUB_APP_INSTALLATION_ID" -e "INPUT_GITHUB_APP_PRIVATE_KEY" -e "INPUT_GITHUB_BASE_URL" -e "INPUT_GITHUB_ACCESS_TOKEN" -e "INPUT_GITHUB_UPLOAD_URL" -e "INPUT_EXPERIMENTAL_CHECKS" -e "INPUT_REPOSITORY_PATH" -e "INPUT_CHECK_FAILURE_LEVEL" -e "INPUT_NOT_OWNED_CHECKER_SKIP_PATTERNS" -e "INPUT_OWNER_CHECKER_REPOSITORY" -e "INPUT_OWNER_CHECKER_IGNORED_OWNERS" -e "INPUT_OWNER_CHECKER_ALLOW_UNOWNED_PATTERNS" -e "INPUT_OWNER_CHECKER_OWNERS_MUST_BE_TEAMS" -e "INPUT_NOT_OWNED_CHECKER_SUBDIRECTORIES" -e "INPUT_NOT_OWNED_CHECKER_TRUST_WORKSPACE" -e "ENVS_PREFIX" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/***/***":"/github/workspace" ghcr.io/mszostok/codeowners-validator:v0.4
time="2022-11:54:56Z" level=fatal msg="while checking if 'owners' checker is satisfied: repository *** not found, or it's private and token doesn't have enough permission"

Are there any other permissions required for the linter to run on my private repo? Here's what the App Installation page looks like: [image]

I looked through the list of available permissions, and I didn't see an obvious candidate apart from full read access - is that what's necessary?

ewiner, Nov 11 '22 16:11

For future viewers, the following app settings worked for me:

  • Repository Permissions -> Content -> Read Only
  • Organization Permissions -> Members -> Read Only

chadxz, Aug 18 '25 22:08

Had same issue. Think the docs need updating to reflect the comment from @chadxz.

codeinthehole, Aug 27 '25 15:08
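
An added example, not part of the thread or of the codeowners-validator project: a small audit that compares a GitHub App installation's permissions with the settings reported as working in the comments above, flagging both missing and broader-than-needed grants. It assumes the `permissions` mapping has the shape GitHub's REST API returns for an app installation (keys such as `contents`, `members`, `metadata`); the function name and all sample data are constructed.

```python
# Added example: audit an installation's permissions against the set reported
# as working in this thread. All sample mappings below are constructed.

LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# From the thread: Repository "Content: Read Only", Organization "Members: Read Only".
REQUIRED = {"contents": "read", "members": "read"}
# Assumption: GitHub grants "metadata: read" implicitly with repository permissions.
IMPLICIT = {"metadata": "read"}


def audit_permissions(granted):
    """Return (missing, excess) for an installation `permissions` mapping."""
    missing, excess = {}, {}
    for name, need in REQUIRED.items():
        have = granted.get(name, "none")
        if LEVELS.get(have, 0) < LEVELS[need]:
            missing[name] = {"have": have, "need": need}
    allowed = {**IMPLICIT, **REQUIRED}
    for name, have in granted.items():
        cap = allowed.get(name, "none")
        # Unknown level strings are treated as the highest level (fail closed).
        if LEVELS.get(have, LEVELS["admin"]) > LEVELS[cap]:
            excess[name] = {"have": have, "max": cap}
    return missing, excess


# Constructed samples: the setup from the issue, the setup from the first
# comment, and an over-privileged setup ("full read access" and more).
AS_REPORTED = {"members": "read"}
WORKING = {"contents": "read", "members": "read", "metadata": "read"}
TOO_BROAD = {"contents": "write", "members": "read",
             "administration": "read", "metadata": "read"}

if __name__ == "__main__":
    for label, perms in [("as reported", AS_REPORTED),
                         ("working", WORKING),
                         ("too broad", TOO_BROAD)]:
        missing, excess = audit_permissions(perms)
        print(f"{label}: missing={missing} excess={excess}")
```
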