search

fpicalausa / remove-stale-branches

Github action to remove stale branches
MIT License
16 stars 9 forks source link

Resource not accessible by integration #25

Open defyjoy opened 1 month ago

defyjoy commented 1 month ago

HI I am using the reusable templates and I am getting this error -

image

on:
  workflow_call:
    inputs:
      exempt-branches-regex:
        description: Exempted branches from the deletion
        required: false
        type: string
        default: '^(main|master)$'
jobs: 
  cron:
    runs-on: ubuntu-latest
    name: Stale branches
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Stale Branches Identification And Removal
        uses: fpicalausa/remove-stale-branches@v2.1.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          dry-run: false # Check out the console output before setting this to false
          # exempt-organization: "acme-inc"
          # exempt-authors-regex: "^dependabot"
          days-before-branch-stale: 60
          days-before-branch-delete: 7
          ignore-unknown-authors: true
          default-recipient: joydeep.roychowdhury@skf.com
          exempt-branches-regex: ${{ inputs.exempt-branches-regex}}
          operations-per-run: 100
          ignore-branches-with-open-prs: true
        env:
          FORCE_JAVASCRIPT_ACTIONS_TO_NODE20: true

And this is how its called now - 

on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *" # Everday at midnight

permissions:
  id-token: write
  contents: write
  packages: write

jobs:
  Cron:
    secrets: inherit
    uses: SKF-Internal/darwin-github-actions-templates/.github/workflows/delete-stale-branches.yaml@main

Any idea what is the issue ?

UPDATE

I have added secrets: inherit parameter in the cron job

fpicalausa commented 4 weeks ago

@defyjoy it looks like the action may not have the right permissions to run the GQL query.

What it needs is access (read and write) to the contents in the repo, including commenting on commits. Can you confirm which scopes are in available for your GITHUB_TOKEN?

defyjoy commented 3 weeks ago

I believe this is what the scopes are I have already mentioned above ? 

permissions:
  id-token: write
  contents: write
  packages: write

Also including full log - 

Run fpicalausa/remove-stale-branches@v2.1.0
Branches updated before 2024-09-03T05:55:37Z will be marked as stale
Branches marked stale before 2024-10-26T05:55:37Z will be removed
/home/runner/work/_actions/fpicalausa/remove-stale-branches/v2.1.0/dist/index.js:2710
      throw new GraphqlResponseError(requestOptions, headers, response.data);
            ^

GraphqlResponseError: Request failed due to following response errors:
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
    at /home/runner/work/_actions/fpicalausa/remove-stale-branches/v2.1.0/dist/index.js:2710:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  request: {
    query: 'query ($repo: String!, $owner: String!, $after: String) {\n' +
      '  repository(name: $repo, owner: $owner) {\n' +
      '    id\n' +
      '    refs(\n' +
      '      refPrefix: "refs/heads/",\n' +
      '      first: 10,\n' +
      '      after: $after,\n' +
      '    ) {\n' +
      '      edges {\n' +
      '        node {\n' +
      '          name\n' +
      '          associatedPullRequests(first: 1, states: OPEN) {\n' +
      '            nodes {\n' +
      '              state\n' +
      '            }\n' +
      '          }\n' +
      '          prefix\n' +
      '          ... on Ref {\n' +
      '            refUpdateRule {\n' +
      '              allowsDeletions\n' +
      '            }\n' +
      '          }\n' +
      '          target {\n' +
      '          ... on Commit {\n' +
      '              oid\n' +
      '              authoredDate\n' +
      '              author {\n' +
      '                email\n' +
      '                user {\n' +
      '                  login\n' +
      '                }\n' +
      '              }\n' +
      '            }\n' +
      '          }\n' +
      '        }\n' +
      '      }\n' +
      '      pageInfo {\n' +
      '        hasNextPage\n' +
      '        endCursor\n' +
      '      }\n' +
      '    }\n' +
      '  }\n' +
      '}',
    variables: {
      owner: 'company-Internal',
      repo: 'app-web',
      after: null,
      organization: ''
    },
    headers: {}
  },
  headers: {
    'access-control-allow-origin': '*',
    'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
    'content-encoding': 'gzip',
    'content-security-policy': "default-src 'none'",
    'content-type': 'application/json; charset=utf-8',
    date: 'Sat, 02 Nov 2024 05:55:37 GMT',
    'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
    server: 'github.com',
    'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
    'transfer-encoding': 'chunked',
    vary: 'Accept-Encoding, Accept, X-Requested-With',
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'deny',
    'x-github-media-type': 'github.v3; format=json',
    'x-github-request-id': '986A:2A5DEE:265D4C7:4A114F6:6725BED9',
    'x-ratelimit-limit': '5000',
    'x-ratelimit-remaining': '5000',
    'x-ratelimit-reset': '1730530537',
    'x-ratelimit-resource': 'graphql',
    'x-ratelimit-used': '1',
    'x-xss-protection': '0'
  },
  response: {
    data: {
      repository: {
        id: 'R_kgDOJiKXLg',
        refs: {
          edges: [
            [Object], [Object],
            [Object], [Object],
            [Object], [Object],
            [Object], [Object],
            [Object], [Object]
          ],
          pageInfo: { hasNextPage: true, endCursor: 'MTA' }
        }
      }
    },
    errors: [
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          0,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          1,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          2,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          3,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          4,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          5,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          6,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          7,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          8,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      },
      {
        type: 'FORBIDDEN',
        path: [
          'repository',
          'refs',
          'edges',
          9,
          'node',
          'associatedPullRequests'
        ],
        extensions: { saml_failure: false },
        locations: [ { line: 12, column: 11 } ],
        message: 'Resource not accessible by integration'
      }
    ]
  },
  errors: [
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        0,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        1,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        2,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        3,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        4,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        5,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        6,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        7,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        8,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    },
    {
      type: 'FORBIDDEN',
      path: [
        'repository',
        'refs',
        'edges',
        9,
        'node',
        'associatedPullRequests'
      ],
      extensions: { saml_failure: false },
      locations: [ { line: 12, column: 11 } ],
      message: 'Resource not accessible by integration'
    }
  ],
  data: {
    repository: {
      id: 'R_kgDOJiKXLg',
      refs: {
        edges: [
          { node: null },
          { node: null },
          { node: null },
          { node: null },
          { node: null },
          { node: null },
          { node: null },
          { node: null },
          { node: null },
          { node: null }
        ],
        pageInfo: { hasNextPage: true, endCursor: 'MTA' }
      }
    }
  }
}
defyjoy commented 3 weeks ago

@fpicalausa is there any way we can find what are the scopes needed ? Since we are using reusable workflow its a little difficult to understand what went wrong here and this action is now used across 50+ repos . Can you help me in understanding what the actual issue and how we may resolve ?