alexwilson / enable-github-automerge-action

Speed up your workflows by automatically enabling Auto-Merge in your Github pull-requests, so you can release when ready.
https://github.com/marketplace/actions/enable-github-automerge
ISC License

Error: Resource not accessible by integration #276

Open ssbarnea opened 1 year ago

ssbarnea commented 1 year ago

I am getting Error: Resource not accessible by integration while using this action and I have no idea what is causing it.

Example: https://github.com/ansible-community/molecule/actions/runs/3842360113/jobs/6543589185

The body of the action can be seen at https://github.com/ansible/devtools/blob/main/.github/workflows/ack.yml#L57-L61

The reason why this is in a different repository is because I use a reusable github action.

Before saying that this might not have the required access to editing the PR, take a look at previous action which is auto-approve-review, which runs successfully. So basically only this one is affected.

Any ideas about what can cause that?

alexwilson commented 1 year ago

Hey, I think this is caused by: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/ - and so the answer should be in https://github.com/alexwilson/enable-github-automerge-action/issues/18. Can you confirm if you're using the default token, or injecting one into the workflow @ssbarnea?

lcarva commented 1 year ago

I'm still hitting this with the following:

```yaml
---
name: Enable auto-merge
"on":
  pull_request_target:
    types:
      - opened
      - reopened
    branches:
      - main
jobs:
  enable-auto-merge:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'my-super-duper-bot'
    steps:
      - uses: alexwilson/enable-github-automerge-action@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Presumably, this is because the workflow is getting triggered on opened and reopened which are not a "trusted event" like labeled?

If so, what's the workaround in this case? Maybe a personal access token is the only way forward.

lcarva commented 1 year ago

Actually, this seems to have worked after changing Settings > Actions > General > Workflow permissions from "read" to "read+write".

alexwilson commented 1 year ago

I think you've hit the nail on the head and that this is another change with Github's permissions, but can't substantiate that because there's no changelog: I'll update the documentation in the coming days (unless you would prefer to contribute something!)

lcarva commented 1 year ago

I'm hitting this again today and I think it's because I've updated my workflow and job to be explicit about which permissions it needs:

```yaml
---
name: Enable auto-merge
"on":
  pull_request_target:
    types:
      - opened
      - reopened
    branches:
      - main

# This is new
permissions:
  pull-requests: read

jobs:
  enable-auto-merge:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'rh-tap-build-team[bot]'
    # This is also new
    permissions:
      pull-requests: write
    steps:
      - uses: alexwilson/enable-github-automerge-action@253948b2e2433d985bbbebe7887ca347e1e1b1ec # main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Any idea what the full set of permissions are?

lcarva commented 1 year ago

After some trial and error, it looks like the action requires contents: write instead of pull-requests: write. I guess enabling automerge falls into this category.
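
An added illustration, not part of the thread or the action's code: a simplified Python model of how the `GITHUB_TOKEN` scopes discussed above are resolved (a job-level `permissions` block replaces the workflow-level one, which replaces the repository default, and any scope not listed in an explicit block drops to none). It models only `contents` and `pull-requests`, takes the `contents: write` requirement from the last comment as an assumption, and uses constructed dicts in place of parsed YAML.

```python
# Added example: simplified model of GITHUB_TOKEN scope resolution in GitHub Actions.
SCOPES = ("contents", "pull-requests")  # only the scopes discussed in this thread
RANK = {"none": 0, "read": 1, "write": 2}

# Repository setting under Settings > Actions > General > Workflow permissions.
REPO_DEFAULTS = {
    "read": {"contents": "read", "pull-requests": "none"},
    "read+write": {"contents": "write", "pull-requests": "write"},
}

def expand(block):
    """Turn a `permissions:` value into a full scope map; unlisted scopes become none."""
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    return {s: block.get(s, "none") for s in SCOPES}

def effective_permissions(workflow, job, repo_default):
    """Job-level block replaces the workflow-level block, which replaces the repo default."""
    job_def = workflow["jobs"][job]
    for level in (job_def, workflow):
        if "permissions" in level:
            return expand(level["permissions"])
    return dict(REPO_DEFAULTS[repo_default])

def missing_scopes(workflow, job, repo_default, required):
    """Return the required scopes the job's token lacks, mapped to what it actually has."""
    have = effective_permissions(workflow, job, repo_default)
    return {s: have[s] for s, need in required.items() if RANK[have[s]] < RANK[need]}

# Assumption: requirement as reported in the last comment, not taken from the action's docs.
REQUIRED = {"contents": "write"}

# Constructed dicts mirroring the workflow states posted in the thread.
NO_BLOCK = {"jobs": {"enable-auto-merge": {}}}
EXPLICIT = {"permissions": {"pull-requests": "read"},
            "jobs": {"enable-auto-merge": {"permissions": {"pull-requests": "write"}}}}
FIXED = {"permissions": {"pull-requests": "read"},
         "jobs": {"enable-auto-merge": {"permissions": {"contents": "write"}}}}

if __name__ == "__main__":
    for name, wf, default in (("no block, repo read", NO_BLOCK, "read"),
                              ("no block, repo read+write", NO_BLOCK, "read+write"),
                              ("explicit pull-requests", EXPLICIT, "read+write"),
                              ("explicit contents", FIXED, "read")):
        print(name, "->", missing_scopes(wf, "enable-auto-merge", default, REQUIRED) or "ok")
```

The third case shows why adding an explicit `pull-requests` block broke a workflow that had been working under the "read+write" repository default: `contents` was no longer inherited.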