peter-evans
Update from 7.0.9 to 7.0.11: Error creating blob for file: Resource not accessible by integration
In one of the repos I'm involved with, we currently have a PR open to update the peter-evans/create-pull-request action runner from version v7.0.9 to v7.0.11.
We use the action runner in two workflows:
- Update website workflow
- Update a file from an external source
This second workflow is set up as a re-usable workflow with a
workflow_calltrigger and is called by two workflows:- https://github.com/WordPress/Requests/blob/develop/.github/workflows/update-cacert.yml (PRs, pushes)
- https://github.com/WordPress/Requests/blob/develop/.github/workflows/update-cacert-cron.yml (cron job)
The above setup with the reusable workflow is deliberate to prevent builds for new PRs not running if GH would disable the cron job workflow after two months of no activity in a repo.
The first workflow appears to be fine with the update and has successfully opened PR WordPress/Requests#1010.
The second workflow, however, is failing with the following error:
Pushing pull request branch to 'origin/feature/auto-update-cacert-1009'
/usr/bin/git stash push --include-untracked
No local changes to save
/usr/bin/git checkout --progress feature/auto-update-cacert-1009 --
Previous HEAD position was 91d58d6 Merge fb17069d77a320b627c9e0aa344e0d4800a8c152 into 95d03196b5edb5047bcae35c62ea6e3d6ae148f5
Switched to branch 'feature/auto-update-cacert-1009'
Creating tree objects for local commit b94b93bd1e40c5e404e7e198a17c51e023a70b5b
/usr/bin/git show b94b93bd1e40c5e404e7e198a17c51e023a70b5b:certificates/cacert.pem
/usr/bin/git show b94b93bd1e40c5e404e7e198a17c51e023a70b5b:certificates/cacert.pem.sha256
Error: Error creating blob for file 'certificates/cacert.pem.sha256': Resource not accessible by integration - https://docs.github.com/rest/git/blobs#create-a-blob
Error: Resource not accessible by integration - https://docs.github.com/rest/git/blobs#create-a-blob
Workflow transscript: https://github.com/WordPress/Requests/actions/runs/20032217262
Previous run of the same workflow using peter-evans/create-pull-request v7.0.9, which succeeds: https://github.com/WordPress/Requests/actions/runs/20032173457
If I look at the changelog for the 7.0.10 and 7.0.11 releases, I do not see anything which gives me a clue as to why the build is suddenly failing.
- The workflows are not run via a self-hosted runner.
- The PR is not coming from a fork, but directly from the "base" repo.
- Previous Dependabot PRs updating the action runner did not cause the builds to fail (which could indicate Dependabot missing access to a secret, but that doesn't appear to be the problem).
Any insights appreciated. Also: I'm happy to test things in the repo if it helps to debug this.
Hi @jrfnl
The Resource not accessible by integration error normally indicates a permissions issue, and it's highly likely that it occurs because a dependabot doesn't have access to all the secrets it needs.
Looking at the previous dependabot PR:
- https://github.com/WordPress/Requests/pull/992
- This workflow didn't fail in the past only because the action didn't attempt to create a pull request.
- https://github.com/WordPress/Requests/actions/runs/19628707608/job/56203099618
This time, that same workflow has found a diff and tried to create a pull request, leading to the failure.
@peter-evans Thank you for your response.
I'm trying to understand what you are saying, but my brain is short-circuiting on the following:
If Dependabot would be missing a secret, how can it be that within the same repo, where Dependabot has access to the exact same secrets, workflow A (website) can successfully commit & open a PR, while workflow B (certificate update) fails ?
Hi @jrfnl
I don't know that without spending time looking at the differences between your workflows, but I can tell you that this error is an auth issue and I'm confident that it has nothing to do with the fixes in v7.0.10 and v7.0.11.
@peter-evans Okay, I will continue to look into this. Thanks for pointing me in the right direction.