search

EndBug / pages-preview

:octocat: A GitHub Action that creates a GitHub Pages preview for PRs and branches
MIT License
15 stars 1 forks source link

Error: unexpected error encountered: HttpError: Resource not accessible by integration - see logs for more information #20

Open vorburger opened 10 months ago

vorburger commented 10 months ago

I ran into this:

Run EndBug/pages-preview@196e85fb8eb6e55cb82c565e2bffa8911d6ee2d6
Run /home/runner/work/_actions/EndBug/pages-preview/196e85fb8eb6e55cb82c565e2bffa8911d6ee2d6/lib/parse_action.sh
Event name: pull_request_target; OK
Event type: synchronize
PR number: [29](https://github.com/www-learn-study/saraswati.learn.study/actions/runs/6726455878/job/18282744533?pr=29#step:6:31)
Resulting outputs:
action: deploy
path: www-learn-study/saraswati.learn.study/pr/29
Run EndBug/deployments@140-task
targeting www-learn-study/saraswati.learn.study
initializing new deployment for preview @ 070dfe0fcfc10a5721235c260e50a22d736c95[30](https://github.com/www-learn-study/saraswati.learn.study/actions/runs/6726455878/job/18282744533?pr=29#step:6:32)
unexpected error encountered: HttpError: Resource not accessible by integration
Error: unexpected error encountered: HttpError: Resource not accessible by integration - see logs for more information
Run EndBug/deployments@140-task

/home/runner/work/_actions/EndBug/deployments/140-task/webpack:/@bobheadxi/deployments/node_modules/@actions/core/lib/core.js:106
        throw new Error(`Input required and not supplied: ${name}`);
^
Error: Input required and not supplied: env
    at getInput (/home/runner/work/_actions/EndBug/deployments/140-task/webpack:/@bobheadxi/deployments/node_modules/@actions/core/lib/core.js:106:1)
    at getRequiredInput (/home/runner/work/_actions/EndBug/deployments/140-task/webpack:/@bobheadxi/deployments/src/lib/input.ts:18:1)
    at collectDeploymentContext (/home/runner/work/_actions/EndBug/deployments/140-task/webpack:/@bobheadxi/deployments/src/lib/context.ts:30:1)
    at context (/home/runner/work/_actions/EndBug/deployments/140-task/webpack:/@bobheadxi/deployments/src/main.ts:7:1)
    at context (/home/runner/work/_actions/EndBug/deployments/140-task/webpack:/@bobheadxi/deployments/src/main.ts:14:1)
    at Object.<anonymous> (/home/runner/work/_actions/EndBug/deployments/140-task/webpack:/@bobheadxi/deployments/src/main.ts:14:1)
    at Module._compile (node:internal/modules/cjs/loader:1198:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1252:10)
    at Module.load (node:internal/modules/cjs/loader:1076:[32](https://github.com/www-learn-study/saraswati.learn.study/actions/runs/6726455878/job/18282744533?pr=29#step:6:34))
    at Function.Module._load (node:internal/modules/cjs/loader:911:12)

on https://github.com/www-learn-study/saraswati.learn.study/actions/runs/6726455878/job/18282744533?pr=29 for a 1st PR to test https://github.com/www-learn-study/saraswati.learn.study/pull/27.

I'll try to see if I can figure out what this means and how to fix it and document my findings, and solution if any, here.

vorburger commented 10 months ago

I don't know why it says Error: Input required and not supplied: env above - @EndBug do you understand that better?

The more interesting part is perhaps the Error: unexpected error encountered: HttpError: Resource not accessible by integration - see logs for more information line? That may be related is probably because in my GitHub Action configuration I have:

permissions:
  contents: read

because some Security Review tool I'm using in that repo doesn't let me have actions without any permissions:.

Based on https://github.com/EndBug/pages-preview#fine-grained-pat I suspect that, just like the PAT, the Action also needs (the equivalent of) "Actions" and "Content" to "Read and write" permissions...

vorburger commented 10 months ago 
permissions:
  actions: write
  contents: write

clear does not suffice / work (I just tried, in first version of https://github.com/www-learn-study/saraswati.learn.study/pull/32/files).

PS: Even if it were to work, I'm trying to understand the security implications of this... this is not really safe, is it?!

vorburger commented 10 months ago

Even this is also not sufficient:

permissions:
  actions: write
  contents: write
  pull-requests: write
  repository-projects: write

I then tried completely removing permissions:, as https://github.com/EndBug/pages-preview/blob/main/dependents/source_repo.yml doesn't have it, which grants "full permissions" (AFAIK), ignoring this (unrelated) complaint, for now:

 Linted [REPOSITORY] files with [checkov]: Found 1 error(s) - (15.22s) (expand for details)
  - Using [checkov v3.0.12] https://megalinter.io/7.5.0/descriptors/repository_checkov
  - MegaLinter key: [REPOSITORY_CHECKOV]
  - Rules config: [.checkov.yml]
  --Error detail:
  github_actions scan results:

  Passed checks: 153, Failed checks: 1, Skipped checks: 0

  Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    FAILED for resource: on(Preview)
    File: /.github/workflows/preview.yaml:0-1

but even that doesn't work either, and still causes the error shown initially.

So perhaps this is just broken? Maybe related to a change GitHub made?

vorburger commented 10 months ago

Actually, coming to think of it, I'm stupid, given the PAT, for the Preview repo, the workflow really shouldn't require ANY permissions on the Source repo ... that's the whole point of the (nice!) separation approach that this project intends (contrary to e.g. https://github.com/rossjrw/pr-preview-action from @rossjrw, which uses a different approach).

So perhaps this is just broken? Maybe related to a change GitHub made?

I've had a slightly closer look, and now start to understand that it's failing here. That uses: EndBug/deployments@140-task which is https://github.com/EndBug/deployments which is a fork of https://github.com/bobheadxi/deployments by @bobheadxi - do you perhaps happen to know what this error means?

I don't suppose it's worthwhile for this project to switch back from @EndBug fork of deployments back to its upstream? I've no idea if any of https://github.com/EndBug/deployments/compare/main...bobheadxi:deployments:main could fix this problem.

vorburger commented 10 months ago

In https://github.com/www-learn-study/saraswati.learn.study/pull/34/files I have tried to use deployments: false but the same problem still happens. This is very puzzling (to me), given the check here... or is this some YAML boolean funkyness, e.g. does it have to be deployments: False? It looks like it's a String comparison...

vorburger commented 10 months ago

Oh! This is because, as I had noted here, the change isn't "visible" yet while the PR builds, only after merge; note:

Run EndBug/deployments@140-task
  with:
    step: start
    env: preview
    ref: bf129f4fdf2b[38](https://github.com/www-learn-study/saraswati.learn.study/actions/runs/6727025592/job/18284233555?pr=34#step:6:40)713aa5a01[39](https://github.com/www-learn-study/saraswati.learn.study/actions/runs/6727025592/job/18284233555?pr=34#step:6:41)5160[40](https://github.com/www-learn-study/saraswati.learn.study/actions/runs/6727025592/job/18284233555?pr=34#step:6:42)298c3c031
    task: deploy:www-learn-study/saraswati.learn.study/pr/34
    token: ***
    debug: false
    auto_inactive: false

is still missing the deployments: false! I'll merge it, and then see... (which is a PITA, because I blocked Merge on red PR).

vorburger commented 10 months ago

OK so deployments: false does (obviously) "work around" this, and https://github.com/www-learn-study/previews/tree/gh-pages/www-learn-study/saraswati.learn.study/pr/35 has the site. Except I don't see a preview URL commented on https://github.com/www-learn-study/saraswati.learn.study/pull/35... on https://github.com/www-learn-study/saraswati.learn.study/actions/runs/6727077747/job/18284360060?pr=35 it doesn't even seem to have run pr_comment?!

vorburger commented 10 months ago

I don't suppose it's worthwhile for this project to switch back from @EndBug fork of deployments back to its upstream? I've no idea if any of https://github.com/EndBug/deployments/compare/main...bobheadxi:deployments:main could fix this problem.

FTR: It does not so, see https://github.com/EndBug/pages-preview/pull/21#issuecomment-1789937473.

vorburger commented 10 months ago

FTR: I've switched from (this) https://github.com/EndBug/pages-preview to https://github.com/rossjrw/pr-preview-action in https://github.com/www-learn-study/saraswati.learn.study/pull/40 and originally still ran into the same problem with that other action, see https://github.com/rossjrw/pr-preview-action/issues/60.

https://github.com/www-learn-study/saraswati.learn.study/pull/43 with the correct permissions: DID fix it.

What hapened here (above) is that (a) I tried the wrong permissions: (my bad), and (b) as I had noted here, the change isn't "visible" yet while the PR builds, only after merge - you need to add the permissions: and merge, and not stumble over the fact that the Preview Action still fails on the PR.

I'll post a PR with a proposed docs clarification.

vorburger commented 10 months ago

I thought I fixed this, but am seeing this again, see https://github.com/www-learn-study/saraswati.learn.study/issues/50#issuecomment-1790218847.

EndBug commented 10 months ago

Heyyy, there's a lot of stuff in this issue, and in the related PR 😅 Have you found the cause of the issue?