Simek / yarn-lock-changes

Creates a comment inside Pull Request with the human-readable summary of changes to the Yarn lock file. Works with every Yarn version (classic and berry).
https://github.com/marketplace/actions/yarn-lock-changes
MIT License
132 stars 20 forks

Error: Resource not accessible by integration #26

Open mrousavy opened 3 years ago

mrousavy commented 3 years ago

Hi!

I'm getting the error Error: Resource not accessible by integration when the action runs on a PR created by a GitHub integration (dependabot). This makes the CI fail. I think it'd be better to just skip the workflow if it really can't run for integrations; if it can, then this is a bug report :)

> Run Simek/yarn-lock-changes@main
  with:
    token: ***
    collapsibleThreshold: 25
    failOnDowngrade: false
    path: yarn.lock
    updateComment: true
Error: Resource not accessible by integration

This is the PR: https://github.com/cuvent/react-native-vision-camera/pull/158

Simek commented 3 years ago

Hi @mrousavy,

GitHub have reduced the permissions set to the GITHUB_TOKEN passed to the Dependabot pull request due to security reasons:

As listed in the article, you can change the on value to pull_request_target in the action workflow, which should help with the permission issue, but it is considered a potential security risk, as described in the security blog post:

I'm not sure if I can handle this issue more gracefully on the action side, but I will try to investigate the possible solutions or, at least, how to improve docs and DX in this case.
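An added example, not part of the thread or the action's code: a small check for workflow files that switch to pull_request_target. Such runs get the base repository's token and secrets, so the check flags a missing permissions block and a checkout of the PR head followed by run steps. The sample workflows and finding names are constructed for illustration and are not tested configurations for this action.

```python
import re

# Constructed sample workflows (inputs for the check only).
RISKY = """\
on: pull_request_target
jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: yarn install
      - uses: Simek/yarn-lock-changes@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
"""
SAFER = """\
on: pull_request_target
permissions:
  contents: read
  pull-requests: write
jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Simek/yarn-lock-changes@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
PERMS = re.compile(r"^\s*permissions:", re.M)
# A checkout "ref:" that points at the pull request's own commit or branch.
HEAD_REF = re.compile(
    r"^\s*ref:\s*.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)", re.M)
RUN_STEP = re.compile(r"^\s*-?\s*run:", re.M)

def audit(workflow_text):
    """Return a list of finding names for one workflow file's text."""
    body = "\n".join(l for l in workflow_text.splitlines()
                     if not l.lstrip().startswith("#"))  # ignore comment lines
    if not TRIGGER.search(body):
        return []  # plain pull_request runs keep the reduced token
    findings = []
    if not PERMS.search(body):
        findings.append("no-permissions-block")
    head = HEAD_REF.search(body)
    if head:
        findings.append("checks-out-pr-head")
        if RUN_STEP.search(body, head.end()):  # commands run on PR-controlled files
            findings.append("run-step-after-pr-checkout")
    return findings
```

The check is line-based rather than a full YAML parse, so treat an empty result as "nothing obvious" and still review any workflow that uses this trigger.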