coverage
HttpError: Resource not accessible by integration
Hi, up until the last few days v3 was working fine and then the below error started. I tried v3.1 too but get the same.
Has something changed that the action relies on?
```
HttpError: Resource not accessible by integration
    at /home/runner/work/_actions/orgoro/coverage/v3.1/webpack:/typescript-action/node_modules/@octokit/request/dist-node/index.js:86:1
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
```
We are also seeing this. Thought at first it was an issue on our end, but I have confirmed paths are correct and token has R/W permissions. Any ideas?
Same same
You can check the permission set on your `GITHUB_TOKEN` variable by checking the `Set up` step in your workflow run.
Here, for example, https://github.com/MTES-MCT/apilos/actions/runs/5398219719/jobs/9896520270 you can see that it has read-only permissions.
These permissions can be forced on a per-workflow basis following this documentation https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
Note: this is the default for actions run by Dependabot.
> By default, GitHub Actions workflows triggered by Dependabot get a GITHUB_TOKEN with read-only permissions. You can use the permissions key in your workflow to increase the access for the token:
@fabienheureux do you know which permissions are required to make this Action work? I tried searching GitHub to see how other folks were using this Action, but this didn't work:
```yaml
permissions:
  contents: read
  pull-requests: write
```
In my case, permissions below were enough
```yaml
permissions:
  pull-requests: write
```
as seen in this PR https://github.com/MTES-MCT/apilos/pull/854/files
This works for me https://github.com/tidiness/tidy-python/pull/111
For some reason the
```yaml
permissions:
  pull-requests: write
```
doesn't fix the issue for us. https://github.com/arc53/DocsGPT/actions/runs/5925817289/job/16065989742?pr=306
Any ideas?
@larinam I think you may need `contents: read` as well
For those stumbling across this issue, it's likely when this is run via a fork, rather than a branch in the same repo. There are security implications for allowing a checkout of code from a fork to have permissions.
See -> https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
To do this safely, it likely requires two workflows: one to generate the coverage, and one to process/add to the PR.
The only way to do this securely for forks is to use a `workflow_run`. However, the logic would need to check the event payload (`github.event.workflow_run.pull_requests`) for the pull request details.
Example Coverage Builder
```yaml
name: Build Coverage
on:
  pull_request:
    branches:
      - main
jobs:
  coverage-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: pip
      - name: Install test dependencies
        run: pip install .[test]
      - name: Run Coverage
        run: |
          coverage run -m pytest
          coverage xml
      - name: Upload Coverage
        uses: actions/upload-artifact@v4
        with:
          name: coverage.xml
          path: coverage.xml
          retention-days: 1
```
Example Coverage Reporter - this must be in the default branch before it will run.
```yaml
name: Report Coverage
on:
  workflow_run:
    workflows: ["Build Coverage"]
    types:
      - completed
permissions:
  actions: read
  contents: read
  pull-requests: write
jobs:
  coverage-report:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: coverage.xml
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Get Cover
        uses: orgoro/coverage@v3
        with:
          coverageFile: coverage.xml
          token: ${{ secrets.GITHUB_TOKEN }}
```
If I get a moment over the next couple of days I'll look into what's required to make it work, but won't be offended if someone beats me to it.
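The payload check mentioned above, sketched as an added example (not code from this thread, from PR #281 or from the action itself). It assumes that `workflow_run.pull_requests` can be empty for pull requests from forks, so it falls back to matching head SHA and head repository; `resolvePullRequest` and the sample data are hypothetical.

```javascript
// Attribute a `workflow_run` event to exactly one pull request.
// Field names follow GitHub's workflow_run webhook payload and the REST
// "list pull requests" response; resolvePullRequest and the sample data
// are hypothetical and constructed for this example.
function resolvePullRequest(event, openPulls) {
  const run = event.workflow_run;
  if (!run || run.event !== "pull_request") return null;
  const headRepo = run.head_repository ? run.head_repository.full_name : null;
  const fromFork = headRepo !== event.repository.full_name;

  // When GitHub populates workflow_run.pull_requests, use it directly.
  const listed = run.pull_requests || [];
  if (listed.length === 1) return { number: listed[0].number, fromFork };
  if (listed.length > 1) return null; // ambiguous: refuse rather than guess

  // Empty array (assumed for fork PRs): match on head SHA and head
  // repository, because the same commit can be offered from several forks.
  const matches = openPulls.filter(
    (pr) =>
      pr.head.sha === run.head_sha &&
      pr.head.repo &&
      pr.head.repo.full_name === headRepo
  );
  if (matches.length !== 1) return null;
  return { number: matches[0].number, fromFork };
}

// Constructed sample data (not taken from a real run).
const repository = { full_name: "example-org/app" };
const openPulls = [
  { number: 34, head: { sha: "aaa111", repo: { full_name: "contributor/app" } } },
  { number: 35, head: { sha: "aaa111", repo: { full_name: "someone-else/app" } } },
  { number: 36, head: { sha: "bbb222", repo: null } }, // fork was deleted
];
const sameRepoEvent = {
  repository,
  workflow_run: { event: "pull_request", head_sha: "ccc333",
    head_repository: repository, pull_requests: [{ number: 12 }] },
};
const forkEvent = {
  repository,
  workflow_run: { event: "pull_request", head_sha: "aaa111",
    head_repository: { full_name: "contributor/app" }, pull_requests: [] },
};

console.log(resolvePullRequest(sameRepoEvent, openPulls));
console.log(resolvePullRequest(forkEvent, openPulls));
```

In a reporter job, `openPulls` would come from the REST list-pull-requests endpoint. The downloaded `coverage.xml` is still output of the fork's code and should be parsed as untrusted input.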
PR #281 addresses this, welcome feedback on my TypeScript! Not something I write all that often 🙂
This was closed - but isn't solved yet, correct? Like #281 hasn't landed, for example.
Can this be re-opened, re-examined?