Open AstraLuma opened 5 years ago
This happens as soon as the person creating the PR does not have permission to the repository. I've been at this all day, and there does not seem to be a solution. Same problem as here: actions/labeler#12.
Eh? Actions run under their own credentials, not as a user??
Actions run as a user, but when they are running in a fork there are potential security problems, so they are degraded to "read-only".
I'm confused. This is an action configured in the main repo for a PR in the main repo?
Oh, PR events are sent to the fork under the source branch, not to the target repo/branch?
Ok, github needs to fix this. I'm facing the same thing while trying to create an action.
We faced a similar issue when trying to use greeting for the Airflow project (https://github.com/apache/airflow). So we developed a GitHub app which is working well for us, in case someone faces a similar issue:
Is this the same issue as with labeler? https://github.com/actions/labeler/pull/50
If so, can the same solution also be applied (at least as a stopgap)? Very frustrating that Github seems to push these actions hard in their UI but then they don't work with the most common use case on GitHub for OSS projects.
Getting this too: https://github.com/unidoc/unipdf/pull/269/checks?check_run_id=486244746 It would make sense to skip the action if the needed resources are not available, or to have an option to make it required/optional. Some actions might be required, but a greeting hardly, but this is flagging a valid PR as failing due to this.
Some actions might be required, but a greeting hardly, but this is flagging a valid PR as failing due to this.
Yes, very good point also. Not all actions are created equal (in that they should kill the whole workflow from moving forward).
the same issue also here - https://github.com/PyTorchLightning/pytorch-lightning/pull/1101/checks?check_run_id=496573752
Anyone alive here: Is this the same issue as with labeler? https://github.com/actions/labeler/pull/50
I added this to a project but I guess I'm about to rip it out - the use case seems extremely limited - not at all suited for large OSS projects with many contributors. And those are exactly the projects where this type of thing would be most helpful.
Unfortunately this is not specific to a given action / repository.
Anyone hit by this, please read this long comment I wrote and feel free to upvote it.
Seeing the same here, clicking View raw logs takes you here, showing this:
2020-05-16T11:19:09.9683482Z ##[section]Starting: Request a runner to run this job
2020-05-16T11:19:10.1475479Z Can't find any online and idle self-hosted runner in current repository that matches the required labels: 'ubuntu-latest'
2020-05-16T11:19:10.1475518Z Can't find any online and idle self-hosted runner in current repository's account/organization that matches the required labels: 'ubuntu-latest'
2020-05-16T11:19:10.1475545Z Found online and idle hosted runner in current repository's account/organization that matches the required labels: 'ubuntu-latest'
2020-05-16T11:19:10.2831833Z ##[section]Finishing: Request a runner to run this job
2020-05-16T11:19:22.7547411Z Current runner version: '2.262.1'
2020-05-16T11:19:22.7814760Z ##[group]Operating System
2020-05-16T11:19:22.7815595Z Ubuntu
2020-05-16T11:19:22.7815791Z 18.04.4
2020-05-16T11:19:22.7815937Z LTS
2020-05-16T11:19:22.7816043Z ##[endgroup]
2020-05-16T11:19:22.7816216Z ##[group]Virtual Environment
2020-05-16T11:19:22.7816393Z Environment: ubuntu-18.04
2020-05-16T11:19:22.7816542Z Version: 20200430.1
2020-05-16T11:19:22.7816739Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu18/20200430.1/images/linux/Ubuntu1804-README.md
2020-05-16T11:19:22.7816939Z ##[endgroup]
2020-05-16T11:19:22.7817875Z Prepare workflow directory
2020-05-16T11:19:22.7982169Z Prepare all required actions
2020-05-16T11:19:22.7991418Z Download action repository 'actions/first-interaction@v1'
2020-05-16T11:19:25.4211254Z Build container for action use: '/home/runner/work/_actions/actions/first-interaction/v1/Dockerfile'.
2020-05-16T11:19:25.4259294Z ##[command]/usr/bin/docker build -t be76db:f9ec8e15eb204b4c8fce429747955bb4 -f "/home/runner/work/_actions/actions/first-interaction/v1/Dockerfile" "/home/runner/work/_actions/actions/first-interaction/v1"
2020-05-16T11:19:30.7684775Z Sending build context to Docker daemon 180.2kB
2020-05-16T11:19:30.7685241Z
2020-05-16T11:19:30.7999714Z Step 1/4 : FROM node:slim
2020-05-16T11:19:31.0407250Z slim: Pulling from library/node
2020-05-16T11:19:31.1037852Z e62d08fa1eb1: Pulling fs layer
2020-05-16T11:19:31.1121801Z faf966cc3d43: Pulling fs layer
2020-05-16T11:19:31.1121976Z f8bb4fff4a5e: Pulling fs layer
2020-05-16T11:19:31.1122089Z 3edd92003cc0: Pulling fs layer
2020-05-16T11:19:31.1122198Z c4fbf6de64ba: Pulling fs layer
2020-05-16T11:19:31.1126576Z 3edd92003cc0: Waiting
2020-05-16T11:19:31.1126770Z c4fbf6de64ba: Waiting
2020-05-16T11:19:31.1805255Z faf966cc3d43: Verifying Checksum
2020-05-16T11:19:31.1805546Z faf966cc3d43: Download complete
2020-05-16T11:19:31.3817655Z e62d08fa1eb1: Verifying Checksum
2020-05-16T11:19:31.3819433Z e62d08fa1eb1: Download complete
2020-05-16T11:19:31.4827566Z f8bb4fff4a5e: Verifying Checksum
2020-05-16T11:19:31.4829438Z f8bb4fff4a5e: Download complete
2020-05-16T11:19:31.4878021Z c4fbf6de64ba: Verifying Checksum
2020-05-16T11:19:31.4880210Z c4fbf6de64ba: Download complete
2020-05-16T11:19:31.5415966Z 3edd92003cc0: Verifying Checksum
2020-05-16T11:19:31.5418126Z 3edd92003cc0: Download complete
2020-05-16T11:19:32.5235412Z e62d08fa1eb1: Pull complete
2020-05-16T11:19:32.7380894Z faf966cc3d43: Pull complete
2020-05-16T11:19:34.0368883Z f8bb4fff4a5e: Pull complete
2020-05-16T11:19:34.1939267Z 3edd92003cc0: Pull complete
2020-05-16T11:19:34.3154702Z c4fbf6de64ba: Pull complete
2020-05-16T11:19:34.3344945Z Digest: sha256:bd1af8b62e6f37ca961b0c5e01e83ce633dcbceb7d4261777f02a60ab8b81c93
2020-05-16T11:19:34.3655016Z Status: Downloaded newer image for node:slim
2020-05-16T11:19:34.3672333Z ---> a30d4e2fedca
2020-05-16T11:19:34.3676649Z Step 2/4 : COPY . .
2020-05-16T11:19:39.5173575Z ---> 309226db7be8
2020-05-16T11:19:39.5173877Z Step 3/4 : RUN npm install --production
2020-05-16T11:19:39.6417766Z ---> Running in bdceb6669f69
2020-05-16T11:19:44.8069178Z npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
2020-05-16T11:19:44.8070366Z npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
2020-05-16T11:19:44.8070916Z npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
2020-05-16T11:19:45.2974466Z npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
2020-05-16T11:19:45.3009893Z npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
2020-05-16T11:19:51.8055528Z npm notice created a lockfile as package-lock.json. You should commit this file.
2020-05-16T11:19:51.8076993Z npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules/jest-haste-map/node_modules/fsevents):
2020-05-16T11:19:51.8090575Z npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
2020-05-16T11:19:51.8091882Z
2020-05-16T11:19:51.8092461Z added 60 packages from 76 contributors in 10.186s
2020-05-16T11:19:52.0154280Z
2020-05-16T11:19:52.0168221Z 2 packages are looking for funding
2020-05-16T11:19:52.0168845Z run `npm fund` for details
2020-05-16T11:19:52.0169125Z
2020-05-16T11:19:57.3743440Z Removing intermediate container bdceb6669f69
2020-05-16T11:19:57.3743790Z ---> 1e98ad53c578
2020-05-16T11:19:57.3743864Z Step 4/4 : ENTRYPOINT ["node", "/lib/main.js"]
2020-05-16T11:19:57.5251339Z ---> Running in 4f3ed799c7f3
2020-05-16T11:19:58.2105847Z Removing intermediate container 4f3ed799c7f3
2020-05-16T11:19:58.2106567Z ---> edb70ec222b6
2020-05-16T11:19:58.2113458Z Successfully built edb70ec222b6
2020-05-16T11:19:58.2853353Z Successfully tagged be76db:f9ec8e15eb204b4c8fce429747955bb4
2020-05-16T11:19:58.3140166Z ##[group]Run actions/first-interaction@v1
2020-05-16T11:19:58.3140428Z with:
2020-05-16T11:19:58.3141246Z repo-token: ***
2020-05-16T11:19:58.3141470Z pr-message: Welcome to Apache Fineract!!
Have you read https://github.com/apache/fineract/#pull-requests?
Already subscribed to our mailing list, by sending an (empty) email to dev-subscribe@fineract.apache.org?
Created your JIRA account on https://issues.apache.org/jira/projects/FINERACT/?
Played with our server at https://www.fineract.dev?
We're very excited to have you onboard contributing.
2020-05-16T11:19:58.3141641Z ##[endgroup]
2020-05-16T11:19:58.3195303Z ##[command]/usr/bin/docker run --name be76dbf9ec8e15eb204b4c8fce429747955bb4_b02700 --label be76db --workdir /github/workspace --rm -e INPUT_REPO-TOKEN -e INPUT_PR-MESSAGE -e INPUT_ISSUE-MESSAGE -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/fineract/fineract":"/github/workspace" be76db:f9ec8e15eb204b4c8fce429747955bb4
2020-05-16T11:19:59.0634356Z [@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
2020-05-16T11:19:59.0770654Z [@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
2020-05-16T11:19:59.0820713Z Checking if its the users first contribution
2020-05-16T11:19:59.0824423Z Checking...
2020-05-16T11:20:01.4985045Z Checking...
2020-05-16T11:20:03.7064930Z Checking...
2020-05-16T11:20:05.7993196Z Checking...
2020-05-16T11:20:08.1520036Z Checking...
2020-05-16T11:20:11.6824121Z Checking...
2020-05-16T11:20:13.8462005Z Checking...
2020-05-16T11:20:15.9628596Z Checking...
2020-05-16T11:20:18.0043279Z Checking...
2020-05-16T11:20:20.4625850Z Checking...
2020-05-16T11:20:21.0453582Z Adding message: Welcome to Apache Fineract!!
2020-05-16T11:20:21.0454513Z Have you read https://github.com/apache/fineract/#pull-requests?
2020-05-16T11:20:21.0455022Z Already subscribed to our mailing list, by sending an (empty) email to dev-subscribe@fineract.apache.org?
2020-05-16T11:20:21.0456356Z Created your JIRA account on https://issues.apache.org/jira/projects/FINERACT/?
2020-05-16T11:20:21.0456768Z Played with our server at https://www.fineract.dev?
2020-05-16T11:20:21.0457161Z We're very excited to have you onboard contributing. to pull request 895
2020-05-16T11:20:21.1576819Z ##[error]Resource not accessible by integration
2020-05-16T11:20:21.4486360Z Cleaning up orphan processes
I've briefly looked a little bit into it; from what little I understand of Actions, that `with:` and `repo-token: ${{ secrets.GITHUB_TOKEN }}` somehow passes a Bot token that should be able to comment? The same seems to work e.g. in https://github.com/actions/stale... no idea why it does not here.
I ran today into the same issue in the https://github.com/TrinityCore/TrinityCore project where we host 2 active branches and a GitHub action should have labeled the PRs with a branch label.
Quite sad that the 2nd action I built already has such a blocking issue.
For the record, I'm working around this by running a bot on heroku.
It takes a little bit of setup, but writing additional webhook handlers is about the same complexity as writing a github action.
Well this is incredibly disappointing and invalidates two-thirds of all action use cases. Guess I won't be using it after all, and likely never again. How a super breaking bug like this can stay open for almost a year is beyond me. Really flawed design.
Couldn't agree more…
Still getting this error in August 2020.
tl;dr, change
```yaml
on:
  - pull_request
```
to
```yaml
on:
  - pull_request_target
```
GitHub has introduced a new event type: `pull_request_target`, which allows running workflows from the base branch and passing a token with write permission.
> In order to solve this, we've added a new `pull_request_target` event, which behaves in an almost identical way to the `pull_request` event with the same set of filters and payload. However, instead of running against the workflow and code from the merge commit, the event runs against the workflow and code from the base of the pull request. This means the workflow is running from a trusted source and is given access to a read/write token as well as secrets enabling the maintainer to safely comment on or label a pull request. This event can be used in combination with the private repository settings as well.
Is there a fix for this yet?
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
Hey everyone, I'm confused as to whether this relates to the issue I encountered.
I see this comment on the Check Runs action API documentation:
> Note: The Checks API only looks for pushes in the repository where the check suite or check run were created. Pushes to a branch in a forked repository are not detected and return an empty pull_requests array.
Does this mean I CANNOT use the API to initiate a check run on a branch which lives on a fork? The API says I should expect an empty `pull_requests` array, but instead I get this error message:
```json
{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/reference/checks#create-a-check-run"
}
```
@NathanielRN that's probably the case, yes.
Thanks @JJ .
So for my case, I found out that I was going about this wrong.
Someone was trying to make a PR to the origin repository A from a branch that existed on their fork repository B (a fork of A which I do not have access to).
I was trying to run tests on their PR by calling this API `/repos/{owner}/{repo}/statuses/{sha}` like `/repos/<THEM>/<FORK_REPO_B>/statuses/<SHA_OF_THEIR_BRANCH>`.
I didn't realize that when they create a PR, that SHA exists on my repo A (which I do have access to).
So I could run `/repos/ME/<REPO_A>/statuses/<SHA_OF_THEIR_BRANCH>` and it worked to run tests on their PR!
Why not make a whitelist of actions that get write access?
This would pretty much mitigate most security issues as then every action needs to be enabled manually and that overall means the person being able to do so was at least in theory aware of the consequences.
Regardless this is a serious issue as that makes GitHub actions useless to anyone that already has a CI and just wants to use them to offer automated checks for PRs. I mean even simple things as adding test results/reports to the run are blocked.
Frankly it's a joke that this issue is open for more than a year. And that without any official stance on the whole matter.
@BrainStone Check out https://github.com/actions/first-interaction/issues/10#issuecomment-670968624.
@ylemkimon thank you very much!
Before you realize that `pull_request_target` doesn't check out the pull request files by default and fix it to explicitly check out `head.ref`, I suggest reading https://securitylab.github.com/research/github-actions-preventing-pwn-requests
@JarLob thanks for the article.
What a mess this whole system is....
Thoroughly not thought through. By far the worst CI system I ever worked with.
I have worked with https://www.appveyor.com/ and it also doesn't allow using secure variables in pull request builds. There is a setting:
But it only means "allow me at least to use secure variables if the PR is from the same repository" because it is forbidden by default too.
The issue isn't necessarily allowing external PRs to access secrets. The issue is that a lot of granularity is missing. Like allowing the token to add new tests but nothing else and other fine tuned things would be incredibly useful.
I was facing the same issue back sometime so I tried and developed my own action for greeting the new contributors, garg3133/welcome-new-contributors.
I've referred to the source code of this action only while writing my action, ensuring it does not show any deprecation errors while running and has a proper README file explaining how to use the action (so that you don't get any error like the one mentioned in the title of this issue).
Along with this, I've also added some additional features to it like you can now use your own bot to send the messages instead of using the default github-actions bot and you can also tag the new contributor in the message.
Do check it out: https://github.com/garg3133/welcome-new-contributors and show some love ❤️
Amazingly no one seems to have mentioned it here, but this blog post provides details of some workarounds. Specifically:
- `pull_request_target` lets you execute actions triggered by pull requests, but have access to secrets (the files available are from the main branch, not the PR)
- `workflow_run` lets you run actions after other actions have completed, with access to secrets
I still think GitHub Actions' support for pull requests from forks is pretty annoying though.
This is failing on forks for me
Will there be a solution to this?
Based on the changes in the referenced pull requests, the solution is to replace the `pull_request` string with `pull_request_target`.
+1 still facing this stupid issue.
+1
Hey, why it's still happening?
Adding write permissions to the job solves this for me.
```yaml
permissions:
  contents: write
  pull-requests: write
```
I'm also getting this error. I'm trying to set up a bot to auto merge PRs. I made it work on a public repo but it doesn't work on GitHub Enterprise. I'm using my own instance of mergeable and running locally. Already set the permissions in GitHub Developer Settings.
I have met problems like yours.
Hey there, I'm still getting this error, and my greetings.yml already has write permissions:
```yaml
permissions:
  issues: write
  pull-requests: write
```
I picked the template action and changed the message, should I need to do something else? 😅
@201flaviosilva try adding `contents: write` to the permissions. Someone earlier in the thread suggested that. In a workflow where I'm commenting on a PR, setting both contents and pull-requests to write works for me.
Ok, thx, I've done the update, now just wait for someone to create their first issue or pr :)
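As an added example (not code from this issue, from actions/first-interaction, or from any project linked in the thread): a greetings workflow that puts the advice above together in one place. It uses the `pull_request_target` trigger from the changelog quoted earlier, so the workflow definition and code come from the base branch and GITHUB_TOKEN is read/write even for a fork PR; it declares an explicit least-privilege `permissions:` block instead of relying on defaults; it follows the pwn-requests caveat by never checking out or executing the PR head in this context; and, for the statuses question raised earlier, it posts the commit status to the base repository (`github.repository`) keyed by the PR head SHA rather than to the fork. The job name, the `GH_TOKEN`/`HEAD_SHA` env names, the status context string and the message text are my own choices, and the `contents: write` scope suggested above is intentionally left out because none of these steps write to the repository's contents.

```yaml
name: Greetings

# pull_request_target runs the workflow file and any code from the BASE
# repository's branch, not from the PR's merge commit, so GITHUB_TOKEN has
# write access and secrets are available even when the PR comes from a fork.
on:
  pull_request_target:
    types: [opened]
  issues:
    types: [opened]

# Least privilege: every scope not listed here is "none". Commenting on an
# issue or PR and creating a commit status need only these three scopes.
permissions:
  issues: write
  pull-requests: write
  statuses: write

jobs:
  greeting:
    runs-on: ubuntu-latest
    steps:
      # Deliberately NO actions/checkout here. With pull_request_target the
      # token is privileged; checking out and running the PR head
      # (ref: ${{ github.event.pull_request.head.sha }}) would hand that
      # token, and any secrets, to untrusted contributor code ("pwn request").
      - name: Welcome first-time contributors
        uses: actions/first-interaction@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          issue-message: |
            Thanks for opening your first issue here. A maintainer will take a look.
          pr-message: |
            Thanks for your first pull request. Please read the contributing guide.

      # A fork PR's head commit is reachable in the BASE repository once the PR
      # exists, so the status goes to $GITHUB_REPOSITORY (owner/base-repo),
      # keyed by the head SHA, never to the fork's owner/repo.
      # "example/greeting" and the description are placeholder values.
      - name: Post a commit status to the base repository
        if: github.event_name == 'pull_request_target'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          curl --fail --silent --show-error -X POST \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/statuses/$HEAD_SHA" \
            -d '{"state":"success","context":"example/greeting","description":"Greeting posted"}'
```

The trigger change is what turns "Resource not accessible by integration" into a successful comment; the `permissions:` block is what keeps the now-privileged token from being broader than the two steps need. If a later step genuinely must read the contributor's files (for example to lint them), check them out with `persist-credentials: false` into a separate directory and treat them as data only; never run their build scripts, tests or hooks in a `pull_request_target` job.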
Had this issue too :/
It is very disheartening to go through this Issue and read countless people encountering this issue, all ignored by the Github staff. For a platform that is built around community work, Github seems oblivious to what its community actually wants.
Part of me regrets moving my team from Trello which at least had options for easy plugins to enhance their kanban board that were actually free. With Github, even the examples they add to their documentation on Github Actions are broken.
Just so that this helps people in the future, I also attempted to grant my job more permissions, like mentioned in comments above, but none of that helped.
I found that using cURL to interact with the GitHub API directly worked fine with the same GitHub token, leading me to conclude that something is borked with GitHub's `github.rest` helper for Actions, and was thus able to replace the JS scripts using the helper with `curl` requests to the API to accomplish what I wanted.
https://github.com/ppb/pursuedpybear/pull/359/checks?check_run_id=211188070
https://github.com/ppb/pursuedpybear/blob/master/.github/workflows/greetings.yml