corymhall / cdk-diff-action

GitHub action to post CDK diff to PR comments
Apache License 2.0
46 stars 8 forks

GitHub 403 Response - Resource not accessible by integration #87

Closed chessbyte closed 1 month ago

chessbyte commented 1 month ago

I am running an adapted version of your first example from here in a private repo in a private GitHub org.

Continuously getting the following error:

My OIDC Auth looks like (and works for deployments via GHA)

      - name: Authenticate Via OIDC Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::1234567891012:role/GitHubOidcRole
          aws-region: us-east-1

Tried with

  permissions:
    contents: read
    id-token: write
    packages: read
    pull-requests: write

Tried with

  permissions:
    contents: read
    id-token: write
    packages: read
    issues: write

Tried with

  permissions: write-all

chessbyte commented 1 month ago

For both diagnostics and flexibility, it would be nice to allow disabling of commenting in the PR to see the results in the GHA workflow.

chessbyte commented 1 month ago

I believe the issue is our use of forked PRs, which requires the use of the pull_request_target event. But, for security reasons, this event runs in the context of the base of the pull request, rather than in the context of the merge commit, as the pull_request event does. GitHub says: "Avoid using this event if you need to build or run code from the pull request."

Running a basic cdk diff on a pull_request event runs fine, but would force us to look for issues in the workflow log.
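The split the last comment points at, sketched as an added example (not the action's own code and not from the reporter's repo): the untrusted PR code runs `cdk diff` under the plain `pull_request` event with a read-only token and uploads the output as an artifact, and a second `workflow_run` workflow, which never checks out PR code, holds the `pull-requests: write` permission and posts the comment. It assumes a Node CDK project (`npm ci`), a placeholder OIDC role ARN, and that OIDC works on `pull_request` runs in the reporter's private org, as the last comment says it does.

```yaml
# File 1, .github/workflows/cdk-diff.yml: untrusted PR code runs here, read-only token only.
name: cdk-diff
on: pull_request
permissions:
  contents: read
  id-token: write
jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/CdkDiffReadOnlyRole   # placeholder ARN
          aws-region: us-east-1
      - run: mkdir out && npm ci && npx cdk diff --no-color > out/cdk-diff.txt 2>&1
      - run: echo "${{ github.event.pull_request.number }}" > out/pr-number.txt
      - uses: actions/upload-artifact@v4
        with: { name: cdk-diff, path: out }
---
# File 2, .github/workflows/cdk-diff-comment.yml: trusted base context, no PR code, write token.
name: cdk-diff-comment
on:
  workflow_run:
    workflows: [cdk-diff]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: cdk-diff
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // The artifact was written by the untrusted run: confirm the PR it names is the one whose head SHA triggered it.
            const prNumber = Number(fs.readFileSync('pr-number.txt', 'utf8').trim());
            const { data: pr } = await github.rest.pulls.get({ ...context.repo, pull_number: prNumber });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) throw new Error('PR number does not match the run head');
            const diff = fs.readFileSync('cdk-diff.txt', 'utf8');
            await github.rest.issues.createComment({ ...context.repo, issue_number: prNumber, body: '```text\n' + diff + '\n```' });
```

The second workflow runs from the default branch, so a PR cannot alter it, and the only PR-controlled input it consumes is the artifact, which is checked against the run's head SHA before anything is posted.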