Closed suniastar closed 1 year ago
This problem is related to dependabot rather than the action's version. When this GitHub workflow is run by dependabot (e.g. when it creates a pull request for a dependency update), the API call to comment on the pull request throws "Resource not accessible by integration" because of a lack of permissions. Dependabot's GitHub token is limited to read-only by default.
It is possible to change the action's token read/write permissions to the needed permission, but I don't know which permission is required. Details here:
Ran into this because my workflow had custom permissions defined (and per docs, any unspecified permissions default to none). I believe `pull-requests: write` is the required permission, as the action wants to add results as a comment to the PR.
@suniastar I faced the same problem and I figured out what the problem is. I guess you made the PR from a forked repository. For that, the origin repository has to allow an option about "Fork pull requests". Here is the option: Settings -> Actions -> General -> Fork pull request workflows -> Enable "Send write tokens to workflows from fork pull requests." After that, the jacoco report is shown in the PR comment. This is about the security of GitHub Actions triggered from a forked repository: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
I know about that, but I don't have that option in my settings. Maybe it is only for enterprise/paid customers?
The "complete" list of default permissions for the token is listed here: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
But this list does not include the default permissions for dependabot.
I have tested all important access rights on one of my repositories. I made PRs by myself, from another user via a forked repository, from another user who was also a collaborator, and by dependabot on the primary repository.

| PR from | GITHUB_TOKEN defaults to |
|---|---|
| myself | read/write |
| user (collaborator) | read/write |
| dependabot | read |
| user (forked repo) | none |

When any GitHub workflow is initiated by dependabot (e.g. when it creates a PR because of a new version), the token's permission will be set to read if not specified explicitly.
In my opinion simply adding:

```yaml
permissions:
  pull-requests: write
```

to the workflow file should be enough (as @cengdall said), but I did not test whether `pull-requests` is the correct scope.
At least in my repository, I needed the `contents: read` permission as well:

```yaml
permissions:
  contents: read
  pull-requests: write
```

Otherwise I got a "Repository not found" error during the checkout action:

```
remote: Repository not found.
Error: fatal: repository 'https://github.com/<ORG>/<REPO>/' not found
```
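Putting the two comments above together, here is a complete workflow that applies the permissions fix. This is an added example, not code from the thread or from the Madrapps/jacoco-report project; the workflow name, trigger branch, Java setup, build command and report path are assumptions for illustration, and the `paths` and `token` inputs are assumed to be the action's input names.

```yaml
# Added example (not from the original thread or the jacoco-report project).
# Workflow name, branch, build command and report path are assumptions.
name: Test coverage

on:
  pull_request:
    branches: [ main ]

# Declaring any permission resets every unlisted scope to "none", so both
# scopes the thread needed are listed explicitly. For a run triggered by
# dependabot (token defaults to read) this raises pull-requests to write.
# A run triggered by a fork's pull_request event cannot be raised to write
# this way; that depends on the repository setting discussed above.
permissions:
  contents: read        # needed by actions/checkout, otherwise "Repository not found"
  pull-requests: write  # needed to post the coverage report as a PR comment

jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      # Assumed build command; it must produce the JaCoCo XML report.
      - name: Build and run tests
        run: ./gradlew test jacocoTestReport

      # Pinned to the release tag the thread mentions rather than @main.
      # Input names `paths` and `token` are assumed; the report path is
      # an assumption for a Gradle project layout.
      - name: Add coverage to PR
        uses: Madrapps/jacoco-report@v1.3
        with:
          paths: ${{ github.workspace }}/build/reports/jacoco/test/jacocoTestReport.xml
          token: ${{ secrets.GITHUB_TOKEN }}
```

Setting `permissions` at the workflow level, as here, applies it to every job; setting it under a single job instead scopes the write grant to that job only, which is the tighter choice when other jobs in the same workflow do not need to comment on the PR.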
Thanks @suniastar for investigating this. I already have a PR #26 to add this permission to the README.md doc. In addition, I will also call this out in a separate Troubleshooting section, linking to this issue for more details.
When using the GitHub action with this workflow
the workflow fails with:
however, when using the main (`Madrapps/jacoco-report@main`) branch, the workflow completes successfully without a problem. This does not make sense to me, as the commits since the latest version (v1.3) only consist of README updates. Does anyone have an idea what could cause this problem?