
Credo - Code Scanning - Add actions: read to support non-public repos #2371

Open
wants to merge 1 commit into
base: main

Conversation

@felickz (Contributor) commented Apr 9, 2024

Fixes the error seen when running the workflow on a non-public repo: the actions: read permission needs to be added for the upload action to invoke GET workflow-runs.

Warning: Caught an exception while gathering information for telemetry: HttpError: Resource not accessible by integration. Will skip sending status report.
Error: Resource not accessible by integration
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/request/dist-node/index.js:86:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v3/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v3/node_modules/bottleneck/light.js:405:18) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/GomtiDemoOrg1/MY_ELIXIR_PROJECT/actions/runs/8572656704?exclude_pull_requests=true',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Fri, 05 Apr 2024 16:12:44 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'actions=read',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '54D0:3A2218:108D320:1B5734A:661022FC',
      'x-ratelimit-limit': '15000',
      'x-ratelimit-remaining': '14986',
      'x-ratelimit-reset': '1712334260',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '14',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/actions/workflow-runs#get-a-workflow-run'
    }
  },
  request: {
    method: 'GET',
    url: 'https://api.github.com/repos/GomtiDemoOrg1/MY_ELIXIR_PROJECT/actions/runs/8572656704?exclude_pull_requests=true',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL-Action/3.24.10 octokit-core.js/3.6.0 Node.js/20.8.1 (linux; x64)',
      authorization: 'token [REDACTED]'
    },
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}

Precedent:

permissions:
  # required for all workflows
  security-events: write
  # only required for workflows in private repositories
  actions: read
  contents: read
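The response headers in the log above already name the missing scope: `x-accepted-github-permissions: actions=read`. The following is an added example (not code from the codeql-action project or from the PR author) that turns an Octokit-style 403 error object into the `permissions:` entries a workflow needs. The sample error object is constructed from the log above with the repository name replaced; the assumed grammar of the header (`;` between alternative sets, `,` within a set, underscores in scope names mapped to the hyphenated workflow keys) is stated in the code comments and should be checked against GitHub's REST documentation for your API version.

```python
"""Turn a GitHub REST 403 'Resource not accessible by integration' into the
`permissions:` entries the workflow is missing, using the
X-Accepted-GitHub-Permissions header GitHub returns with that error."""
from typing import Dict, List, Optional

# Constructed sample, modelled on the Octokit error in the PR description;
# only the fields the diagnosis reads are kept and the repo name is made up.
SAMPLE_ERROR = {
    "status": 403,
    "request": {
        "method": "GET",
        "url": "https://api.github.com/repos/example-org/example-repo/actions/runs/1?exclude_pull_requests=true",
    },
    "response": {
        "status": 403,
        "headers": {"x-accepted-github-permissions": "actions=read"},
        "data": {"message": "Resource not accessible by integration"},
    },
}


def parse_accepted_permissions(header: str) -> List[Dict[str, str]]:
    """Parse the header value into a list of alternative permission sets.

    Assumption about the header grammar: ';' separates alternatives (any one
    set suffices), ',' separates permissions that are all needed within one
    set, and scope names use underscores ('pull_requests') where the workflow
    `permissions:` key uses hyphens ('pull-requests')."""
    alternatives: List[Dict[str, str]] = []
    for alternative in header.split(";"):
        needed: Dict[str, str] = {}
        for item in alternative.split(","):
            item = item.strip()
            if not item:
                continue
            scope, _, level = item.partition("=")
            needed[scope.strip().replace("_", "-")] = level.strip() or "read"
        if needed:
            alternatives.append(needed)
    return alternatives


def is_token_permission_error(err: dict) -> bool:
    """True only for the 403 shape that means 'GITHUB_TOKEN lacks a scope';
    other 403s (rate limits, SSO enforcement) carry different messages."""
    resp = err.get("response") or {}
    data = resp.get("data") or {}
    return err.get("status") == 403 and data.get("message") == "Resource not accessible by integration"


def to_yaml(perms: Dict[str, str]) -> str:
    """Render one permission set as a workflow `permissions:` fragment."""
    lines = ["permissions:"] + [f"  {scope}: {level}" for scope, level in sorted(perms.items())]
    return "\n".join(lines) + "\n"


def diagnose(err: dict) -> Optional[dict]:
    """Return the endpoint hit, the accepted permission sets, and a YAML
    fragment for the smallest set; None when this is not a scope problem."""
    if not is_token_permission_error(err):
        return None
    headers = {k.lower(): v for k, v in (err["response"].get("headers") or {}).items()}
    alternatives = parse_accepted_permissions(headers.get("x-accepted-github-permissions", ""))
    req = err.get("request") or {}
    return {
        "endpoint": f"{req.get('method', '?')} {req.get('url', '?')}",
        "accepted": alternatives,
        # Pick the alternative with the fewest scopes: least privilege by default.
        "yaml": to_yaml(min(alternatives, key=len)) if alternatives else "",
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_ERROR)
    print(result["endpoint"])
    print(result["yaml"], end="")
```

Note the message check: a 403 from the GITHUB_TOKEN for a missing scope always reads "Resource not accessible by integration"; rate-limit and SSO 403s carry other messages and no accepted-permissions header, so they should not be "fixed" by widening the token.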

@felickz felickz requested review from a team as code owners April 9, 2024 13:04
@github-actions github-actions bot added the code-scanning Related to workflows that show on the Code Scanning setup page label Apr 9, 2024
@jsoref (Contributor) commented Apr 25, 2024

This change makes no sense.

f5cfb3e added actions: read

So as of today, this should just work:

permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

Beyond that, because the job itself already defines permissions, defining additional permissions at the workflow level will have no impact.

For the curious, I'm also trying to fix github/codeql-action/upload-sarif so that it won't need this permission in the future, but that's not really relevant to this PR.
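The precedence point raised in the comment above (a job-level `permissions:` block replaces the workflow-level one outright, it is not merged with it) is easy to get wrong by inspection. The following is an added example, not code from the codeql-action project or from either commenter, that computes the effective GITHUB_TOKEN scopes per job and lints jobs calling github/codeql-action/upload-sarif. The two workflow dicts are constructed (the shape a YAML loader returns) to mirror the PR's approach of adding `actions: read` at the workflow level while the job keeps its own block, and the corrected placement on the job. The scope list, the "unlisted scopes become none" rule for explicit blocks, and the restricted repository default are stated as assumptions in the comments; check them against your GitHub docs version.

```python
"""Compute the effective GITHUB_TOKEN permissions of each job in a GitHub
Actions workflow and lint jobs that call github/codeql-action/upload-sarif."""
import copy
from typing import Dict, List, Union

# Scopes a `permissions:` block can set (assumed list; metadata is always read and left out).
SCOPES = ["actions", "attestations", "checks", "contents", "deployments", "discussions",
          "id-token", "issues", "packages", "pages", "pull-requests",
          "repository-projects", "security-events", "statuses"]

# Assumed repository default for "restricted" token permissions; adjust to your org.
RESTRICTED_DEFAULT = {"contents": "read", "packages": "read"}

PermissionsBlock = Union[str, Dict[str, str]]


def expand(block: PermissionsBlock) -> Dict[str, str]:
    """Give every scope an explicit level for one `permissions:` block.
    'read-all' / 'write-all' cover every scope; a mapping sets only the listed
    scopes and every other scope becomes 'none' (so `{}` means no access)."""
    if isinstance(block, str):
        if block not in ("read-all", "write-all"):
            raise ValueError(f"unknown permissions shorthand: {block}")
        return {scope: block.split("-")[0] for scope in SCOPES}
    levels = {scope: "none" for scope in SCOPES}
    for scope, level in block.items():
        if scope not in levels:
            raise ValueError(f"unknown permission scope: {scope}")
        levels[scope] = level
    return levels


def effective_permissions(workflow: dict, job_id: str,
                          repo_default: Dict[str, str]) -> Dict[str, str]:
    """A job-level block replaces the workflow-level block outright; nothing is
    merged. Only when neither is present does the repository default apply."""
    job = workflow["jobs"][job_id]
    if "permissions" in job:
        return expand(job["permissions"])
    if "permissions" in workflow:
        return expand(workflow["permissions"])
    return expand(repo_default)


def lint_upload_sarif(workflow: dict, private_repo: bool,
                      repo_default: Dict[str, str] = RESTRICTED_DEFAULT) -> List[str]:
    """Flag upload-sarif jobs missing security-events: write, contents: read
    for actions/checkout, or (private repos only) actions: read."""
    findings: List[str] = []
    for job_id, job in workflow["jobs"].items():
        uses = [step.get("uses", "") for step in job.get("steps", [])]
        if not any(u.startswith("github/codeql-action/upload-sarif@") for u in uses):
            continue
        perms = effective_permissions(workflow, job_id, repo_default)
        if perms["security-events"] != "write":
            findings.append(f"{job_id}: upload-sarif needs security-events: write "
                            f"(effective: {perms['security-events']})")
        if private_repo and perms["actions"] not in ("read", "write"):
            findings.append(f"{job_id}: upload-sarif on a private repo needs actions: read "
                            f"(effective: {perms['actions']})")
        if any(u.startswith("actions/checkout@") for u in uses) and perms["contents"] not in ("read", "write"):
            findings.append(f"{job_id}: actions/checkout needs contents: read "
                            f"(effective: {perms['contents']})")
    return findings


# Constructed workflow (as a dict, the shape a YAML loader returns) in the PR's
# shape: actions: read added at workflow level while the job keeps its own block.
WORKFLOW_TOP_LEVEL_ONLY = {
    "name": "Credo",
    "permissions": {"actions": "read"},
    "jobs": {
        "credo": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read", "security-events": "write"},
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "github/codeql-action/upload-sarif@v3",
                 "with": {"sarif_file": "credo.sarif"}},
            ],
        }
    },
}

# The same workflow with actions: read placed where it takes effect: on the job.
WORKFLOW_JOB_LEVEL = copy.deepcopy(WORKFLOW_TOP_LEVEL_ONLY)
WORKFLOW_JOB_LEVEL["jobs"]["credo"]["permissions"]["actions"] = "read"


if __name__ == "__main__":
    for label, wf in (("workflow-level only", WORKFLOW_TOP_LEVEL_ONLY),
                      ("job-level", WORKFLOW_JOB_LEVEL)):
        print(label, "->", lint_upload_sarif(wf, private_repo=True) or "ok")
```

To run this against a real workflow file, load it with a YAML parser (for example PyYAML's `yaml.safe_load`) and pass the resulting dict; the job-level block wins whenever it exists, so the check reports the first workflow as missing `actions: read` on a private repository even though the key is present at the top level.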
