Open archermask opened 1 year ago
You need to add

```yaml
permissions:
  security-events: write
```

to allow your workflow to upload the SARIF.
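As an added example (not code from this thread or from the codeql-action project): a Ruby check of which jobs that run `upload-sarif` actually receive `security-events: write`, given that a job-level `permissions` block replaces the workflow-level one rather than merging with it. The workflow text and the helper names are constructed for illustration.

```ruby
require "yaml"

# Constructed sample workflow, not the reporter's file.
SAMPLE_WORKFLOW = <<~WORKFLOW
  on: push
  permissions:
    contents: read
    security-events: write
  jobs:
    unit_test:            # no job-level block: inherits the workflow-level one
      runs-on: ubuntu-latest
      steps:
        - uses: github/codeql-action/upload-sarif@v2
    release:              # job-level block replaces the workflow-level one
      runs-on: ubuntu-latest
      permissions:
        contents: read
        packages: write
      steps:
        - uses: github/codeql-action/upload-sarif@v2
    build:                # no upload step, so it is not reported
      runs-on: ubuntu-latest
      steps:
        - run: go build ./...
WORKFLOW

# true/false, or :repo_default when no permissions block applies to the job.
def grants_sarif_upload(perms)
  case perms
  when nil then :repo_default
  when String then perms == "write-all"
  when Hash then perms["security-events"] == "write"
  else false
  end
end

# Hypothetical helper: { job name => verdict } for jobs that run upload-sarif.
def audit_sarif_jobs(yaml_text)
  wf = YAML.safe_load(yaml_text)
  wf.fetch("jobs", {}).each_with_object({}) do |(name, job), out|
    uses = job.fetch("steps", []).map { |s| s["uses"].to_s }
    next unless uses.any? { |u| u.start_with?("github/codeql-action/upload-sarif@") }
    perms = job.key?("permissions") ? job["permissions"] : wf["permissions"]
    out[name] = grants_sarif_upload(perms)
  end
end

p audit_sarif_jobs(SAMPLE_WORKFLOW)
```

A `:repo_default` verdict means the file sets no permissions for that job, so the result depends on the repository's default token permissions, which this check cannot see.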
I have added these lines on the unit_test job:

```yaml
permissions:
  contents: read
  security-events: write
```

It still produces the same error.
Would it be possible to rerun the job and check "Enable debug logging" and show the full logs for the upload-sarif step?
The logs are:

```
##[debug]Evaluating condition for step: 'Upload SAST Test Result'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Upload SAST Test Result
##[debug]Loading inputs
##[debug]Evaluating: github.workspace
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'workspace'
##[debug]=> '/home/runner/work/golang-pipeline/golang-pipeline'
##[debug]Result: '/home/runner/work/golang-pipeline/golang-pipeline'
##[debug]Evaluating: github.token
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: toJson(matrix)
##[debug]Evaluating toJson:
##[debug]..Evaluating matrix:
##[debug]..=> null
##[debug]=> 'null'
##[debug]Result: 'null'
##[debug]Loading env
Run github/codeql-action/upload-sarif@v2
  with:
    sarif_file: snyk.sarif
    checkout_path: /home/runner/work/golang-pipeline/golang-pipeline
    token: ***
    matrix: null
    wait-for-processing: true
  env:
    REGISTRY: ghcr.io
    USERNAME: archermask
Error: codeql/upload-sarif action failed: Resource not accessible by integration
##[debug]Node Action run completed with exit code 1
##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
##[debug]CODEQL_ACTION_VERSION='2.21.1'
##[debug]Finishing: Upload SAST Test Result
```
Btw, the env is for packaging and releasing the Docker image later. I put the env at global scope, not at job scope, so the unit_test job can read those env values too.
I'm observing the same issue. Permissions for security-events are set on job level.
@SPodjasek, can you please open a new issue for this and include the relevant debug logs and your workflow file? (Feel free to redact anything non-public.)
You're almost certainly facing #2125.
The extra point of https://github.com/github/codeql-action/issues/2125#issuecomment-1934888782 is beyond the scope of this repository, but if I were you and had the energy, I'd talk to support about the misleading output. (Note: I file lots of tickets including to support -- this is still beyond my energy -- and I already paid the cost to work around the problem.)
The error is:

```
Error: codeql/upload-sarif action failed: Resource not accessible by integration
```

My case: I am trying to integrate Snyk for SAST on my Golang code, and then upload the SARIF file to GitHub to look at a summary of any vulnerabilities. My workflow actions YAML files: