bug: error in the `Comment on PR` phase

Open awmleer opened this issue 2 years ago • 3 comments

Bug description

I'm getting this error in this github action:

Error: Resource not accessible by integration
  Warning: HttpError: Resource not accessible by integration
      at /home/runner/work/_actions/pkg-size/action/v1/dist/index.js:2990:27
      at processTicksAndRejections (internal/process/task_queues.js:93:5)
      at async to (/home/runner/work/_actions/pkg-size/action/v1/dist/index.js:4591:9)
      at async /home/runner/work/_actions/pkg-size/action/v1/dist/index.js:7912:9

Reproduction steps

The github action log is here: https://github.com/ant-design/ant-design-mobile/runs/4029511668?check_suite_focus=true

And the related workflow config is here: https://github.com/ant-design/ant-design-mobile/blob/master/.github/workflows/bundle-size.yml

Environment

  • pkg-size-action version: v1
  • Operating System: ubuntu-18.04
  • Node version: 14

awmleer avatar Oct 28 '21 09:10 awmleer

Thanks for the report and for using pkg-size!

I did some Googling for that error message and they all seem to point at a lack of permissions in the token.

Seems this is happening because it was executed via fork as per this security change: announcement, docs

The permissions for the GITHUB_TOKEN in forked repositories are read-only.

There doesn't seem to be an option to further specify allowing comments.

To work around:

  • You can use a Personal Access Token (PAT) and add that to Secrets. The caveat is that the report will be posted by the account that owns the PAT.
  • I'm reading pull_request_target has read + write permissions so it's possible to use that instead of pull_request, but it seems to run in the base context which I haven't tested yet.

privatenumber avatar Oct 28 '21 21:10 privatenumber

Thanks for replying!

pull_request_target trigger is in the BASE context. If we check out the HEAD commit, the PR author may inject some malicious code into the "build" script in package.json, which will be executed by this github action. This is dangerous since the PR author can use the GITHUB_TOKEN with write access to run any script. Here is an official guideline: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

As for the Personal Access Token, it seems to have the same security issue.

The guideline above mentioned a recommended solution: split the action into two parts. One for building, collecting package size data and uploading the result (using the pull_request trigger). And the other for downloading the result and commenting it on the PR (using the pull_request_target trigger).

awmleer avatar Oct 29 '21 03:10 awmleer

This seems like a common problem: https://github.community/t/token-permissions-for-forks-once-again/16468/6

It doesn't seem like there's a workaround to post comments from a fork.

I wonder if workflow_dispatch can be used to manually trigger the action on approved PRs.

(FWIW since you seem to be security conscious, in general, using any 3rd party GitHub Action via tag is insecure.)

privatenumber avatar Oct 30 '21 18:10 privatenumber
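The two-workflow split proposed in the thread, written out as an added example; this is not code from the pkg-size project or from the ant-design-mobile workflow linked above. It follows the linked GitHub Security Lab guideline, which triggers the second workflow with workflow_run (so it starts after the build workflow has finished and can fetch that run's artifact) rather than pull_request_target. The first workflow runs the untrusted PR code with a read-only token and no secrets; the second runs in the base repository with a write token, never checks out the PR branch, and treats the artifact as attacker-controlled input (validates the PR number, checks that the PR's head commit is the one the build ran on, and caps the comment size). The `size-report` npm script, the artifact name and the workflow names are assumptions. The actions are referenced by tag for readability; as the last comment points out, a production workflow would pin each one to a full commit SHA.

```yaml
# File 1: .github/workflows/bundle-size-build.yml (assumed name)
# Runs the PR's (possibly forked) code with a read-only token. Nothing here needs secrets.
name: Bundle size (build)
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # In production pin these actions to a full commit SHA instead of a tag.
      - uses: actions/checkout@v4      # checks out the PR merge commit: untrusted code from here on
      - uses: actions/setup-node@v4
        with:
          node-version: 18
      - run: npm ci
      - run: npm run build
      # Assumption: the project has a "size-report" script that prints a Markdown size report.
      - run: npm run --silent size-report > report.md
      - name: Record the PR number for the commenting workflow
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}   # passed via env, not interpolated into the script
        run: echo "$PR_NUMBER" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: bundle-size-report
          path: |
            report.md
            pr-number.txt
---
# File 2: .github/workflows/bundle-size-comment.yml (assumed name)
# Runs in the base repository after file 1 completes, with a write token, and never executes PR code.
name: Bundle size (comment)
on:
  workflow_run:
    workflows: ["Bundle size (build)"]
    types: [completed]
permissions:
  actions: read          # list and download the build run's artifacts
  pull-requests: write   # post the comment; nothing else is granted
jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: the PR branch never lands on this runner.
      - name: Download the report artifact from the build run
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const { owner, repo } = context.repo;
            const run_id = context.payload.workflow_run.id;
            const { data } = await github.rest.actions.listWorkflowRunArtifacts({ owner, repo, run_id });
            const artifact = data.artifacts.find((a) => a.name === 'bundle-size-report');
            if (!artifact) throw new Error('bundle-size-report artifact not found');
            const zip = await github.rest.actions.downloadArtifact({
              owner, repo, artifact_id: artifact.id, archive_format: 'zip',
            });
            fs.writeFileSync('report.zip', Buffer.from(zip.data));
      - run: unzip -o report.zip
      - name: Validate the artifact and comment on the PR
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const { owner, repo } = context.repo;
            // The artifact was produced by untrusted code: treat both files as attacker-controlled input.
            const prNumber = Number(fs.readFileSync('pr-number.txt', 'utf8').trim());
            if (!Number.isInteger(prNumber) || prNumber <= 0) throw new Error('invalid PR number in artifact');
            // Tie the artifact to the PR it claims: the PR's current head must be the commit the build ran on.
            const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) {
              core.warning('PR head does not match the build run; report is stale or mis-attributed, not posting');
              return;
            }
            let body = fs.readFileSync('report.md', 'utf8');
            const limit = 60000;   // stay under GitHub's 65536-character comment limit
            if (body.length > limit) body = body.slice(0, limit) + '\n\n(report truncated)';
            await github.rest.issues.createComment({ owner, repo, issue_number: prNumber, body });
```

The comment is posted by the github-actions bot rather than by the account owning a PAT, which addresses the caveat raised earlier in the thread. The head-SHA check is what stops a malicious build from pointing the comment at an unrelated PR number: the PR looked up must be at the commit the build workflow actually ran on, otherwise nothing is posted.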