
error: Branch-Protection: internal error: error during branch protection check

Open securestep9 opened this issue 2 years ago • 8 comments

Describe the bug

error during command execution: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token

Reproduction steps

Steps to reproduce the behavior:

  1. Create a new GitHub PAT token with public repo access
  2. Run scorecard from the latest Docker image on any GitHub repo
  3. observe error

Expected behavior

No errors -> scorecard generated

Additional context

Actual behaviour: getting an error on Branch Protection checks

docker run -e GITHUB_TOKEN=github_pat_xxxxxxxxxxxxxxx gcr.io/openssf/scorecard --repo https://github.com/ossf/scorecard

Starting [CII-Best-Practices]
Starting [Security-Policy]
Starting [Fuzzing]
Starting [Branch-Protection]
Starting [Pinned-Dependencies]
Starting [Token-Permissions]
Starting [CI-Tests]
Starting [Packaging]
Starting [Maintained]
Starting [SAST]
Starting [Dangerous-Workflow]
Starting [License]
Starting [Code-Review]
Starting [Contributors]
Starting [Signed-Releases]
Starting [Vulnerabilities]
Starting [Dependency-Update-Tool]
Starting [Binary-Artifacts]

Error: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token
2023/09/20 09:27:54 error during command execution: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token


securestep9, Sep 20 '23 11:09

Based on the prefix (github_pat) was this a fine-grained PAT token?

spencerschrock, Sep 20 '23 21:09

Hi all,

I also got this error when I set up scorecard for Kokkos (github.com/kokkos/kokkos):

Reason
internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

See: https://securityscorecards.dev/viewer/?uri=github.com/kokkos/kokkos

I did not set up any specific tokens, I simply took the default scorecard yaml file and added it to our development branch with the only modifications being defining both "master" and "develop" as branches to act on upon push.

crtrott, Feb 13 '24 00:02

@crtrott This is a known limitation with GitHub's classic branch protection, and something that is documented here: https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional

While you can make either a classic PAT, or a fine-grained PAT with admin read permissions, we recommend not doing so. If you switch your repository over to repo rules instead of classic Branch Protection, Scorecard Action can read it with the default token.

spencerschrock, Feb 13 '24 00:02

Ah thank you I will look into that.

crtrott, Feb 13 '24 00:02

> @crtrott This is a known limitation with GitHub's classic branch protection, and something that is documented here: https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional
>
> While you can make either a classic PAT, or a fine-grained PAT with admin read permissions, we recommend not doing so. If you switch your repository over to repo rules instead of classic Branch Protection, Scorecard Action can read it with the default token.

@spencerschrock any thoughts on why a fine-grained PAT (created following the above guidelines) would only work on repositories which do not have branch protection enabled? To confirm, these are the minimal permissions I granted the token:

[image: fine_grained_token_permissions]

The token was created under our service account, which is a GitHub organization owner for all the orgs/repos we run Scorecard against.

After hearing a report from a maintainer about the branch protection check missing from the report on securityscorecards.dev, I created a barebones project in the same org, and ran the Scorecard Action using the same token:

[image: before_enabling_branch_protection]

I then enabled some basic branch protection rules in the Settings UI, reran Scorecard, and refreshed the results on securityscorecards.dev:

[image: after_enabling_branch_protection]

If I run Scorecard locally using the CLI and pass in the same fine-grained PAT for the value of GITHUB_AUTH_TOKEN, the branch protection check also fails (notably, on not accessible by personal access token rather than not accessible by integration)

Error: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token

If I swap in a classic-style token (which is strongly discouraged in the docs) with scope: public_repo and run the CLI again, the check works:

 3 / 10  | Branch-Protection | branch protection is not maximal on development and all release branches  |

Yet if I swap that exact same token in as the underlying value of ${{ secrets.SCORECARD_TOKEN }} in the Scorecard Action workflow input, securityscorecards.dev still reports Resource not accessible by integration until / unless I remove branch protection from the repository.

Happy to provide more information or workflow artifacts if it would help!

lelia, Feb 28 '24 00:02

> any thoughts on why a fine-grained PAT (created following the above guidelines) would only work on repositories which do not have branch protection enabled? To confirm, these are the minimal permissions I granted the token:

The fine-grained permission screen can be ambiguous. "Your" can refer to several things here:

> 3 permissions for all your repositories

On the fine-grained PAT creation screen, did the Resource owner field correspond to the service account, or to the org for the repos you're trying to look at?

spencerschrock, Feb 29 '24 18:02
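Before wiring a token into the Action, it is worth confirming directly whether it can read classic branch protection at all, since the "Resource not accessible by personal access token" / "by integration" errors above come straight from GitHub's GraphQL API rather than from Scorecard itself. The following is an added example (not Scorecard's code and not from anyone in this thread): it sends a query for the default branch's branchProtectionRule, the same kind of read the Branch-Protection check needs, and classifies the response. The GraphQL endpoint and the BranchProtectionRule fields are real; the function names are mine, and the two sample responses are constructed in the shape of GitHub's GraphQL error format, not captured from a live repository.

```python
"""Probe whether a GitHub token can read classic branch protection.

Added example, not part of Scorecard. It issues the GraphQL read that the
Branch-Protection check depends on and classifies the outcome, so that a
token problem is found before Scorecard reports the check as errored.
"""
import json
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Fields on BranchProtectionRule that Scorecard's details line up with
# (allow deletion, force pushes, review count, code-owner review, status
# checks, PRs required).
QUERY = """
query($owner: String!, $name: String!) {
  repository(owner: $owner, name: $name) {
    defaultBranchRef {
      name
      branchProtectionRule {
        allowsDeletions
        allowsForcePushes
        requiredApprovingReviewCount
        requiresApprovingReviews
        requiresCodeOwnerReviews
        requiresStatusChecks
      }
    }
  }
}
"""


def classify(body):
    """Map a GraphQL response body to (status, detail).

    status is 'ok' (rule readable, or no classic rule on the branch),
    'no-permission' (the error discussed in this issue) or 'error'.
    """
    errors = body.get("errors") or []
    for err in errors:
        msg = err.get("message", "")
        # Wording for a fine-grained PAT without admin read on the repo ...
        if "not accessible by personal access token" in msg:
            return "no-permission", msg
        # ... and for the Actions-provided GITHUB_TOKEN (an "integration").
        if "not accessible by integration" in msg:
            return "no-permission", msg
    if errors:
        return "error", errors[0].get("message", "unknown GraphQL error")
    repo = (body.get("data") or {}).get("repository") or {}
    ref = repo.get("defaultBranchRef")
    if ref is None:
        return "error", "repository or default branch not found"
    rule = ref.get("branchProtectionRule")
    if rule is None:
        return "ok", f"no classic branch protection rule on '{ref['name']}'"
    return "ok", f"rule on '{ref['name']}': {json.dumps(rule, sort_keys=True)}"


def probe(token, owner, name):
    """Run QUERY against GitHub with the given token and classify the reply."""
    payload = json.dumps({"query": QUERY,
                          "variables": {"owner": owner, "name": name}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=payload,
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json",
                 "User-Agent": "branch-protection-probe"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return classify(json.load(resp))


# Constructed sample responses (not captured from GitHub), for offline use.
SAMPLE_FORBIDDEN = {
    "data": {"repository": {"defaultBranchRef": {
        "name": "main", "branchProtectionRule": None}}},
    "errors": [{"type": "FORBIDDEN",
                "path": ["repository", "defaultBranchRef", "branchProtectionRule"],
                "message": "Resource not accessible by personal access token"}],
}
SAMPLE_OK = {
    "data": {"repository": {"defaultBranchRef": {
        "name": "main", "branchProtectionRule": {
            "allowsDeletions": False, "allowsForcePushes": False,
            "requiredApprovingReviewCount": 1, "requiresApprovingReviews": True,
            "requiresCodeOwnerReviews": False, "requiresStatusChecks": True}}}},
}

if __name__ == "__main__":
    import os
    import sys
    if len(sys.argv) == 3 and os.environ.get("GITHUB_TOKEN"):
        status, detail = probe(os.environ["GITHUB_TOKEN"], sys.argv[1], sys.argv[2])
    else:
        status, detail = classify(SAMPLE_FORBIDDEN)
    print(status, detail)
    sys.exit(0 if status == "ok" else 1)
```

Run it as `GITHUB_TOKEN=... python probe.py ossf scorecard`; a `no-permission` result with a fine-grained PAT means the token's resource owner or repository permissions do not cover the repo's classic branch protection, which is the question being asked above.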

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot], May 15 '24 01:05

Hi! It seems that this issue still exists. For example, in https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard the error internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration occurs. But if you replace the fine-grained PAT with a classic token, you will get a score:

{
    "details": [
        "Info: 'allow deletion' disabled on branch 'main'",
        "Info: 'force pushes' disabled on branch 'main'",
        "Warn: required approving review count is 1 on branch 'main'",
        "Warn: codeowners review is not required on branch 'main'",
        "Info: status check found to merge onto on branch 'main'",
        "Info: PRs are required in order to make changes on branch 'main'"
    ],
    "score": 8,
    "reason": "branch protection is not maximal on development and all release branches",
    "name": "Branch-Protection",
    "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
    }
}

gcanlin, Jun 25 '25 07:06
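The practical risk in this thread is that a pipeline keeps passing while the Branch-Protection check is silently erroring or missing. The following is an added example (not Scorecard's code) of a gate over the JSON that `scorecard --format json` writes, using a constructed report whose Branch-Protection entry has the same shape as the one quoted above. Two things are assumptions rather than facts shown on this page: that check results sit in a top-level "checks" array, and that an errored check is reported with score -1 and a reason beginning "internal error", matching the messages quoted in this issue.

```python
"""Fail a pipeline when Scorecard's Branch-Protection check errored,
is missing, or scored below a threshold.

Added example, not Scorecard's own code. The entry shape follows the JSON
quoted in this issue; the surrounding "checks" array and the -1 score for
an errored check are assumptions about Scorecard's JSON output.
"""
import json
import sys

ERRORED_SCORE = -1  # assumed marker for a check that did not run

# Constructed report (not captured from a real run); the Branch-Protection
# entry mirrors the one posted above.
SAMPLE_REPORT = {
    "checks": [
        {
            "details": [
                "Info: 'allow deletion' disabled on branch 'main'",
                "Info: 'force pushes' disabled on branch 'main'",
                "Warn: required approving review count is 1 on branch 'main'",
                "Warn: codeowners review is not required on branch 'main'",
                "Info: status check found to merge onto on branch 'main'",
                "Info: PRs are required in order to make changes on branch 'main'",
            ],
            "score": 8,
            "reason": "branch protection is not maximal on development and all release branches",
            "name": "Branch-Protection",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
                "short": "Determines if the default and release branches are protected with GitHub's branch protection settings.",
            },
        }
    ]
}

# Constructed report for the failure mode discussed in this issue.
SAMPLE_ERRORED_REPORT = {
    "checks": [
        {
            "name": "Branch-Protection",
            "score": ERRORED_SCORE,
            "reason": "internal error: error during branchesHandler.setup: "
                      "internal error: githubv4.Query: Resource not accessible by integration",
            "details": None,
        }
    ]
}


def find_check(report, name):
    """Return the check entry with the given name, or None."""
    for check in report.get("checks") or []:
        if check.get("name") == name:
            return check
    return None


def evaluate_branch_protection(report, min_score):
    """Return (passed, message) for the Branch-Protection check."""
    check = find_check(report, "Branch-Protection")
    if check is None:
        return False, "Branch-Protection check missing from report"
    score = check.get("score", ERRORED_SCORE)
    reason = check.get("reason") or ""
    if score == ERRORED_SCORE or reason.startswith("internal error"):
        hint = ""
        if "not accessible by" in reason:
            # Matches the token limitation described in this issue.
            hint = (" (token cannot read classic branch protection; move the repo "
                    "to repository rules, or use a token with admin read, which "
                    "the Scorecard docs advise against)")
        return False, f"Branch-Protection errored: {reason}{hint}"
    warns = [d for d in (check.get("details") or []) if d.startswith("Warn:")]
    if score < min_score:
        return False, (f"Branch-Protection score {score} below {min_score}; "
                       + "; ".join(warns))
    return True, f"Branch-Protection score {score} ({len(warns)} warning(s))"


def main(argv):
    """Usage: gate.py results.json [min_score]; exits 1 when the gate fails."""
    min_score = int(argv[2]) if len(argv) > 2 else 5
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    passed, message = evaluate_branch_protection(report, min_score)
    print(message)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Treating the errored case as a failure, rather than as "no data", is the point: with a token that cannot read classic branch protection, the check disappears from the report exactly as described earlier in this thread, and a gate that only looks at the overall score would not notice.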

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot], Aug 27 '25 02:08