
Permissions failing despite correct config

Open scottgigante-hubflow opened this issue 3 months ago • 6 comments

I'm getting a permissions error despite copying the permissions from your docs. What am I doing wrong here? Is my submodules config the problem?

Error:

Run py-cov-action/python-coverage-comment-action@91aaf3b39c7e2331c6bc77767ce017f5160c5f11
/usr/bin/docker run --name e9b9989b1b58f92314aa2b10871d5f9f8aad6_64220e --label 4e9b99 --workdir /github/workspace --rm -e "database_url" -e "tms_adapter_base_url" -e "clerk_app_secret_key" -e "allowed_origins" -e "openai_api_key" -e "google_api_key" -e "debug" -e "slack_users" -e "slack_webhook_url" -e "allowed_hosts" -e "bypass_auth_creds" -e "browserbase_api_key" -e "hyperbrowser_api_key" -e "browserbase_project_id" -e "api_key_signing_key" -e "hubflow_api_url" -e "screenshots_bucket_name" -e "pythonLocation" -e "PKG_CONFIG_PATH" -e "Python_ROOT_DIR" -e "Python2_ROOT_DIR" -e "Python3_ROOT_DIR" -e "LD_LIBRARY_PATH" -e "PGSERVICEFILE" -e "INPUT_GITHUB_TOKEN" -e "INPUT_GITHUB_BASE_URL" -e "INPUT_GITHUB_PR_RUN_ID" -e "INPUT_COMMENT_TEMPLATE" -e "INPUT_COVERAGE_DATA_BRANCH" -e "INPUT_COVERAGE_PATH" -e "INPUT_COMMENT_ARTIFACT_NAME" -e "INPUT_COMMENT_FILENAME" -e "INPUT_SUBPROJECT_ID" -e "INPUT_MINIMUM_GREEN" -e "INPUT_MINIMUM_ORANGE" -e "INPUT_MAX_FILES_IN_COMMENT" -e "INPUT_MERGE_COVERAGE_FILES" -e "INPUT_ANNOTATE_MISSING_LINES" -e "INPUT_ANNOTATION_TYPE" -e "INPUT_USE_GH_PAGES_HTML_URL" -e "INPUT_VERBOSE" -e "GITHUB_BASE_URL" -e "GITHUB_TOKEN" -e "GITHUB_PR_RUN_ID" -e "COMMENT_TEMPLATE" -e "COVERAGE_DATA_BRANCH" -e "COVERAGE_PATH" -e "COMMENT_ARTIFACT_NAME" -e "COMMENT_FILENAME" -e "SUBPROJECT_ID" -e "MINIMUM_GREEN" -e "MINIMUM_ORANGE" -e "MERGE_COVERAGE_FILES" -e "ANNOTATE_MISSING_LINES" -e "ANNOTATION_TYPE" -e "VERBOSE" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e 
"GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/hubflow-api/hubflow-api":"/github/workspace" 4e9b99:89b1b58f92314aa2b10871d5f9f8aad6
Notice: Starting action
Notice: HTTP Request: GET https://api.github.com/repos/hubflowai/hubflow-api "HTTP/1.1 200 OK"
Notice: Computing coverage files & badge
Notice: HTTP Request: GET https://img.shields.io/static/v1?label=Coverage&message=78%25&color=orange "HTTP/1.1 200 OK"
Notice: Saving coverage files
Error: Critical error. This error possibly occurred because the permissions of the workflow are set incorrectly. You can see the correct setting of permissions here: https://github.com/py-cov-action/python-coverage-comment-action#basic-usage
Otherwise please look for open issues or open one in https://github.com/py-cov-action/python-coverage-comment-action/
Traceback (most recent call last):
  File "/workdir/coverage_comment/subprocess.py", line 22, in run
    return subprocess.run(
           ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('git', 'push', 'origin', 'python-coverage-comment-action-data')' returned non-zero exit status 128.

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/workdir/coverage_comment/subprocess.py", line 65, in _git
    return run(
           ^^^^
  File "/workdir/coverage_comment/subprocess.py", line 36, in run
    raise SubProcessError("\n".join([exc.stderr, exc.stdout])) from exc
coverage_comment.subprocess.SubProcessError: remote: Write access to repository not granted.
fatal: unable to access 'https://github.com/hubflowai/hubflow-api/': The requested URL returned error: 403

Config:

  test:
    runs-on: ubuntu-latest
    permissions:
      # Gives the action the necessary permissions for publishing new
      # comments in pull requests.
      pull-requests: write
      # Gives the action the necessary permissions for pushing data to the
      # python-coverage-comment-action branch, and for editing existing
      # comments (to avoid publishing multiple comments in the same PR)
      contents: write
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          token: ${{ secrets.PULL_TOKEN }}
          submodules: true

      [...]

      - name: Run pytest
        run: pytest -n 2 -v --exitfirst

      - name: Coverage comment
        uses: py-cov-action/python-coverage-comment-action@91aaf3b39c7e2331c6bc77767ce017f5160c5f11 # v3
        with:
          GITHUB_TOKEN: ${{ github.token }}

scottgigante-hubflow avatar Oct 02 '25 23:10 scottgigante-hubflow

Could it be that your repo would have restrictive settings in Actions settings in the repo settings?

A screenshot for reference


ewjoachim avatar Oct 03 '25 07:10 ewjoachim

It was on read-only, though by my eye this only reflects the default permissions which could be changed by the permissions section.

I updated this to read-write and I'm still getting the same error.

scottgigante-hubflow avatar Oct 03 '25 13:10 scottgigante-hubflow

Update: I gave contents: write permissions to secrets.PULL_TOKEN and now it works. It looks like the action is using the token the repo was cloned with, rather than the token provided to it in with: GITHUB_TOKEN:

scottgigante-hubflow avatar Oct 03 '25 14:10 scottgigante-hubflow

Oh! Thanks for the investigation! Would you be interested in providing a fix?

ewjoachim avatar Oct 05 '25 09:10 ewjoachim

I have run into this same error, but it was due to having persist-credentials: false on the action. This tends to be a recommendation from Zizmor and I may have gotten a bit overzealous with it. @ewjoachim what do you think about changing the examples to explicitly set persist-credentials: true? It should be unnecessary because that's the default, but it seems like "proper" security would be for GitHub to default that to false.

tim-schilling avatar Nov 14 '25 12:11 tim-schilling

Great idea :) Want to contribute? Alternatively, it could make sense to document (or fix) how to make this work with persist-credentials: false. I believe that if we're explicitly given a token, we should be able to make use of it.

ewjoachim avatar Nov 17 '25 06:11 ewjoachim

I will draft up a docs PR. I tried doing a bit of looking. If you can figure out how to set the PAT for all the Git.[method] calls, it should work. I'm not quite sure how that will be managed. I'm guessing maybe something in the set up flow to make sure the local git instance is set up with a token?

tim-schilling avatar Nov 18 '25 02:11 tim-schilling
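An added example, not part of this thread or of the action's own code, of the mechanism the thread converges on: actions/checkout normally persists its token in `.git/config` as an `http.<server>.extraheader` entry, which is why the push above used the checkout token instead of the `GITHUB_TOKEN` input, and with `persist-credentials: false` nothing is persisted at all. The helper below (hypothetical names `git_auth_env` and `git_push_with_token`) hands an explicitly provided token to git for one process only, via git's `GIT_CONFIG_COUNT` environment mechanism (git 2.31 or newer), using the same `x-access-token` basic-auth header format that actions/checkout uses.

```python
import base64
import os
import subprocess


def git_auth_env(token: str, server_url: str = "https://github.com") -> dict:
    """Build environment variables that make git send `token` on every
    request to `server_url`, without writing anything to .git/config.

    GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n (git >= 2.31)
    apply a config entry to this process only, so the credential is never
    left behind in the checkout for later steps to pick up.
    """
    # Same encoding actions/checkout persists: basic auth with the
    # literal user name "x-access-token" and the token as the password.
    creds = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    return {
        "GIT_CONFIG_COUNT": "1",
        "GIT_CONFIG_KEY_0": f"http.{server_url}/.extraheader",
        "GIT_CONFIG_VALUE_0": f"AUTHORIZATION: basic {creds}",
        # Fail fast instead of hanging on a credential prompt in CI.
        "GIT_TERMINAL_PROMPT": "0",
    }


def git_push_with_token(branch: str, token: str, cwd: str = ".") -> subprocess.CompletedProcess:
    """Push `branch` to origin authenticating with `token` (illustrative
    wrapper; the real action's Git helper is structured differently).

    The token comes from the caller (e.g. the GITHUB_TOKEN input), so the
    push works whether or not actions/checkout persisted credentials, and
    the permissions that matter are those granted to *this* token.
    """
    env = {**os.environ, **git_auth_env(token)}
    return subprocess.run(
        ["git", "push", "origin", branch],
        cwd=cwd, env=env, check=True, capture_output=True, text=True,
    )


if __name__ == "__main__":
    # Constructed placeholder token; a real run would pass the action input.
    print(git_auth_env("ghs_PLACEHOLDER_TOKEN")["GIT_CONFIG_KEY_0"])
```

With this in place, a `git push origin python-coverage-comment-action-data` that fails with `remote: Write access to repository not granted` points at the token's `contents` permission rather than at whatever checkout left behind.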