Resource not accessible by integration #8843

serathius · 2022-04-24T12:23:27Z

Description of the issue

Etcd CodeQL analysis is broken returning 403. etcd-io/etcd#13978

RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v1/node_modules/@octokit/request/dist-node/index.js:66:[2](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:2)[3](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:3)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v1/node_modules/bottleneck/light.js:[4](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:4)0[5](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:5):18) {
  status: 403,

The text was updated successfully, but these errors were encountered:

serathius · 2022-04-25T11:05:08Z

Heh, this is not a question, but a bug report.
cc @adityasharad

MathiasVP · 2022-04-25T11:46:06Z

Hi @serathius,

In general, that error usually indicates something wrong with GitHub Actions token permissions.

It looks like you've changed your default token permissions to be restrictive by default without updating the workflow to include the permissions needed for Code Scanning.

Updating the permissions to:

permissions:
  actions: read
  contents: read
  security-events: write

should fix your issue.

serathius · 2022-04-25T12:00:37Z

Thanks for info, however please stop introducing breaking changes in v1 version.

MathiasVP · 2022-04-25T12:40:43Z

I don't think we introduced any breaking changes in this case. These permissions have been the suggested defaults for a long time. You can check out the readme on https://github.com/github/codeql-action for the details.

L3m0nb4tt3ry · 2022-09-19T11:33:10Z

@MathiasVP Not necessarily the same issue, but I am receiving same error while fetching dependabot issues via a graphql query, I tried with permissions: write-all as well but no luck. I can execute same query with my PAT with
repo permissions(i.e Full control of private repositories) but unable to fetch with default token, not sure what exactly is the reason or issue here.

MathiasVP · 2022-09-26T09:57:11Z

Hi @L3m0nb4tt3ry,

Thanks for posting! We'll be happy to take a look at your situation. Would you mind opening a fresh issue with this?

Looking into the [`Resource not accessible by integration` error](https://github.com/pypa/twine/actions/runs/3616376262/jobs/6094277326), I found [an issue](github/codeql#8843) that recommended setting the `permissions`. Looks like this has been added to the [current CodeQL template](https://github.com/pypa/twine/new/main?filename=.github%2Fworkflows%2Fcodeql.yml&workflow_template=code-scanning%2Fcodeql), so I copy & pasted that here.

serathius added the question Further information is requested label Apr 24, 2022

serathius mentioned this issue May 5, 2022

github: Add necessery permissions for CodeQL etcd-io/etcd#14010

Merged

hmakholm closed this as completed Jun 15, 2022

bhrutledge mentioned this issue Dec 5, 2022

Update CodeQL workflow. pypa/twine#952

Merged

Resource not accessible by integration #8843

Resource not accessible by integration #8843

serathius commented Apr 24, 2022

serathius commented Apr 25, 2022 •

edited

MathiasVP commented Apr 25, 2022

serathius commented Apr 25, 2022

MathiasVP commented Apr 25, 2022

L3m0nb4tt3ry commented Sep 19, 2022 •

edited

MathiasVP commented Sep 26, 2022

Resource not accessible by integration #8843

Resource not accessible by integration #8843

Comments

serathius commented Apr 24, 2022

serathius commented Apr 25, 2022 • edited

MathiasVP commented Apr 25, 2022

serathius commented Apr 25, 2022

MathiasVP commented Apr 25, 2022

L3m0nb4tt3ry commented Sep 19, 2022 • edited

MathiasVP commented Sep 26, 2022

serathius commented Apr 25, 2022 •

edited

L3m0nb4tt3ry commented Sep 19, 2022 •

edited