IgnusG / jest-report-action

Jest Reporter Action made easy - ish
The Unlicense

Error: Resource not accessible by integration on PRs raised by dependabot #380

Open mnbf9rca opened 1 year ago

mnbf9rca commented 1 year ago

When a PR is raised by Dependabot (or anyone without write access to a repo), although all the tests pass, the action is unable to annotate the PR and instead throws an error, e.g. the following, and the workflow fails:

Run IgnusG/jest-report-action@v2.3.3
  with:
    access-token: ***
    junit-file: junit.xml
    run-name: build
    check-name: Jest
    working-directory: .
Error: Something went wrong: Error: Request to create annotations failed - request: {"owner":"mnbf9rca","repo":"IsTheTubeRunning","head_sha":"8e7ba3d9835e3a4070fba1994b40b521469da6c","name":"Jest","conclusion":"success","output":{"title":"Jest Test Results","summary":"#### These are all the test results I was able to find from your jest-junit reporter\n**60** tests were completed in **5.557s** with **60** passed ✔ and **0** failed ✖ tests.","annotations":[]}} - error: Resource not accessible by integration

I believe this will happen whenever someone raises a PR against a repo that they don't have write access to.

Another action which I use for Python coverage reporting (python-coverage-comment) solves this by publishing the coverage report as an artefact when the tests are executed, and then fetching it in a separate workflow to report. Is that possible with this action?

Here's the broken JS workflow:

name: Tests CI

on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: check out source code
        uses: actions/checkout@v3
      - name: set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm install
        name: run npm install
        env:
          DOTENV_KEY: ${{ secrets.DOTENV_KEY }}
      - run: npm run test:ci
        name: execute tests
        env:
          DOTENV_KEY: ${{ secrets.DOTENV_KEY }}
      - name: report junit results
        uses: IgnusG/jest-report-action@v2.3.3
        if: always() # Or use "continue-on-error: true" in previous test step
        with:
          access-token: ${{ secrets.GITHUB_TOKEN }}

IgnusG commented 1 year ago

Hey @mnbf9rca! Unfortunately this is actually a security feature of dependabot's integration in GitHub. PRs that are triggered by dependabot (either push or pull_request) are assumed to run in a non-secure environment and therefore do not have access to secrets. So jest-report-action actually receives an empty string in access-token: ${{ secrets.GITHUB_TOKEN }} and therefore the request to create the PR annotations fails.

Here's the link to the official information regarding this change: https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425

As to a solution, yes, what python-coverage-comment is using is the correct workaround for this issue. Since jest-report-action only expects the report file, you can use another action to upload the junit.xml to an artifact and then have the next workflow pick it up/download it and run jest-report-action with that junit.xml file as input.

You can use https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts#sharing-data-between-workflow-runs as inspiration for how to make the artifact upload/download work.

Take a look at the dependabot link for tips on how to trigger the second workflow run so that it has access to the secrets.
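The two-workflow split described in the comments above, written out as an added example (not code from the thread or from the jest-report-action project). It assumes actions/upload-artifact@v4 and actions/download-artifact@v4, whose run-id and github-token inputs allow the second workflow to fetch an artifact from the triggering run; the two documents go in two separate files under .github/workflows/. Which commit the resulting check is attached to depends on how the action resolves head_sha, which this thread does not specify.

```yaml
# File 1: tests.yml. Runs in the PR's own context. For Dependabot PRs it has
# no secrets and a read-only token, so it only produces and uploads junit.xml.
name: Tests CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm install
      - run: npm run test:ci
      - name: upload junit report
        if: always()                      # upload even when tests fail
        uses: actions/upload-artifact@v4  # assumed version
        with:
          name: junit-report
          path: junit.xml
---
# File 2: report.yml. Triggered when "Tests CI" finishes. It runs from the
# default branch with a real GITHUB_TOKEN, so it can create the check run.
# It deliberately never checks out or executes code from the PR: the only
# untrusted input it touches is the junit.xml artifact.
name: Report Jest Results
on:
  workflow_run:
    workflows: ["Tests CI"]
    types: [completed]
permissions:
  checks: write   # needed to create the annotations
  actions: read   # needed to read the other run's artifact
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - name: download junit report from the triggering run
        uses: actions/download-artifact@v4  # assumed version (run-id support)
        with:
          name: junit-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: report junit results
        uses: IgnusG/jest-report-action@v2.3.3
        with:
          access-token: ${{ secrets.GITHUB_TOKEN }}
          junit-file: junit.xml
```

Keeping the reporting workflow free of any checkout or npm step is what makes this safe: a workflow_run job carries write permissions, so it should only consume the report, never run code from the untrusted PR.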