github / codeql-action

Actions for running CodeQL analysis
MIT License

codeql/upload-sarif@v3 action failed: Resource not accessible by integration - missing `actions: read` #2117

Open SPodjasek opened 5 months ago

SPodjasek commented 5 months ago

TL;DR

When you're facing this issue in a private repository, please add

```yaml
permissions:
  actions: read
```

to your workflow, or wait until this PR gets merged:

### Fixed in
- [ ] #2126 

I'm opening this issue as requested in #1806

When trying to upload a SARIF file produced by Docker Scout we get `Resource not accessible by integration`, despite the `security-events` permission being set to `write`.

Detailed workflow run logs are below. I've stripped output from scout as I believe it's irrelevant.

Logs

```
2024-02-02T22:03:48.1355639Z Requested labels: ubuntu-latest
2024-02-02T22:03:48.1355934Z Job defined at: ....
2024-02-02T22:03:48.1356154Z Reusable workflow chain:
2024-02-02T22:03:48.1356234Z .... (6e62641865d79cd11cea291c21405d81fb03275d)
2024-02-02T22:03:48.1356335Z -> .... (3e071b83a90458e94e89a01903cda60650f86a6c)
2024-02-02T22:03:48.1356436Z Waiting for a runner to pick up this job...
2024-02-02T22:03:48.5338786Z Job is waiting for a hosted runner to come online.
2024-02-02T22:03:50.8524838Z Job is about to start running on the hosted runner: GitHub Actions 207 (hosted)
2024-02-02T22:03:54.0039541Z ##[debug]Starting: Build, publish and notify / Docker Scout
2024-02-02T22:03:54.0069923Z ##[debug]Cleaning runner temp folder: /home/runner/work/_temp
2024-02-02T22:03:54.0383199Z ##[debug]Starting: Set up job
2024-02-02T22:03:54.0383989Z Current runner version: '2.312.0'
2024-02-02T22:03:54.0411603Z ##[group]Operating System
2024-02-02T22:03:54.0412393Z Ubuntu
2024-02-02T22:03:54.0413252Z 22.04.3
2024-02-02T22:03:54.0413748Z LTS
2024-02-02T22:03:54.0414183Z ##[endgroup]
2024-02-02T22:03:54.0414786Z ##[group]Runner Image
2024-02-02T22:03:54.0415453Z Image: ubuntu-22.04
2024-02-02T22:03:54.0416046Z Version: 20240126.1.0
2024-02-02T22:03:54.0417552Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240126.1/images/ubuntu/Ubuntu2204-Readme.md
2024-02-02T22:03:54.0419608Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240126.1
2024-02-02T22:03:54.0420834Z ##[endgroup]
2024-02-02T22:03:54.0421496Z ##[group]Runner Image Provisioner
2024-02-02T22:03:54.0422394Z 2.0.341.1
2024-02-02T22:03:54.0422940Z ##[endgroup]
2024-02-02T22:03:54.0424717Z ##[group]GITHUB_TOKEN Permissions
2024-02-02T22:03:54.0427159Z Contents: read
2024-02-02T22:03:54.0427760Z Metadata: read
2024-02-02T22:03:54.0428376Z Packages: read
2024-02-02T22:03:54.0428936Z PullRequests: write
2024-02-02T22:03:54.0429547Z SecurityEvents: write
2024-02-02T22:03:54.0430219Z ##[endgroup]
2024-02-02T22:03:54.0434081Z Secret source: Actions
2024-02-02T22:03:54.0435024Z ##[debug]Primary repository: ....
2024-02-02T22:03:54.0436104Z Prepare workflow directory
2024-02-02T22:03:54.0517838Z ##[debug]Creating pipeline directory: '/home/runner/work/workflows-sandbox'
2024-02-02T22:03:54.0522435Z ##[debug]Creating workspace directory: '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:03:54.0524530Z ##[debug]Update context data
2024-02-02T22:03:54.0529519Z ##[debug]Evaluating job-level environment variables
2024-02-02T22:03:54.1112572Z ##[debug]Evaluating job container
2024-02-02T22:03:54.1117204Z ##[debug]Evaluating job service containers
2024-02-02T22:03:54.1120196Z ##[debug]Evaluating job defaults
2024-02-02T22:03:54.1205046Z Prepare all required actions
2024-02-02T22:03:54.1396165Z Getting action download info
2024-02-02T22:03:54.4152542Z Download action repository 'actions/download-artifact@v4' (SHA:6b208ae046db98c579e8a3aa621ab581ff575935)
2024-02-02T22:03:54.6074624Z ##[debug]Download 'https://api.github.com/repos/actions/download-artifact/tarball/....' to '/home/runner/work/_actions/_temp_0a04d7a6-c68b-4dab-a0d1-f8ff4d7901e1/6b1caa8a-ba46-497f-b8e3-6e910f9c4a29.tar.gz'
2024-02-02T22:03:54.7566291Z ##[debug]Unwrap 'actions-download-artifact-6b208ae' to '/home/runner/work/_actions/actions/download-artifact/v4'
2024-02-02T22:03:54.7816933Z ##[debug]Archive '/home/runner/work/_actions/_temp_0a04d7a6-c68b-4dab-a0d1-f8ff4d7901e1/6b1caa8a-ba46-497f-b8e3-6e910f9c4a29.tar.gz' has been unzipped into '/home/runner/work/_actions/actions/download-artifact/v4'.
2024-02-02T22:03:54.7969182Z Download action repository '....' (SHA:d8038367fe1ee83c2c7b2403f8ecbb3cb3ea54ab)
2024-02-02T22:04:12.3537742Z ##[debug]Download 'https://api.github.com/repos/....' to '/home/runner/work/_actions/_temp_0a0fb82e-c55f-4675-8e1d-942f49d9bb50/67644ab3-3c13-4773-9f13-baf5c71df6da.tar.gz'
2024-02-02T22:04:15.1612066Z ##[debug]Unwrap '....-d803836' to '/home/runner/work/_actions/....'
2024-02-02T22:04:16.0200464Z ##[debug]Archive '/home/runner/work/_actions/_temp_0a0fb82e-c55f-4675-8e1d-942f49d9bb50/67644ab3-3c13-4773-9f13-baf5c71df6da.tar.gz' has been unzipped into '/home/runner/work/_actions/....'.
2024-02-02T22:04:16.0611003Z Download action repository 'github/codeql-action@v3' (SHA:e8893c57a1f3a2b659b6b55564fdfdbbd2982911)
2024-02-02T22:04:16.3905336Z ##[debug]Download 'https://api.github.com/repos/github/codeql-action/tarball/e8893c57a1f3a2b659b6b55564fdfdbbd2982911' to '/home/runner/work/_actions/_temp_c285f8d6-2c35-4815-9960-4ebce6bbfc15/1b745a43-13d8-44e3-8a6e-8f6ca6cd8ef5.tar.gz'
2024-02-02T22:04:17.3612008Z ##[debug]Unwrap 'github-codeql-action-e8893c5' to '/home/runner/work/_actions/github/codeql-action/v3'
2024-02-02T22:04:19.7407731Z ##[debug]Archive '/home/runner/work/_actions/_temp_c285f8d6-2c35-4815-9960-4ebce6bbfc15/1b745a43-13d8-44e3-8a6e-8f6ca6cd8ef5.tar.gz' has been unzipped into '/home/runner/work/_actions/github/codeql-action/v3'.
2024-02-02T22:04:19.9547297Z ##[debug]action.yml for action: '/home/runner/work/_actions/actions/download-artifact/v4/action.yml'.
2024-02-02T22:04:20.0411876Z ##[debug]action.yml for action: '/home/runner/work/_actions/..../action.yml'.
2024-02-02T22:04:20.0571724Z ##[debug]action.yml for action: '/home/runner/work/_actions/github/codeql-action/v3/upload-sarif/action.yml'.
2024-02-02T22:04:20.0784136Z ##[debug]Set step '__actions_download-artifact' display name to: 'Download artifact'
2024-02-02T22:04:20.0786779Z ##[debug]Set step '__run' display name to: 'Load image'
2024-02-02T22:04:20.0788365Z ##[debug]Set step 'docker-scout' display name to: 'Docker Scout'
2024-02-02T22:04:20.0789915Z ##[debug]Set step 'upload-sarif' display name to: 'Upload SARIF result'
2024-02-02T22:04:20.0793111Z Uses: .... (3e071b83a90458e94e89a01903cda60650f86a6c)
2024-02-02T22:04:20.0795823Z ##[group] Inputs
2024-02-02T22:04:20.0796562Z use-cosign: true
2024-02-02T22:04:20.0796946Z working-directory: .
2024-02-02T22:04:20.0797345Z ##[endgroup]
2024-02-02T22:04:20.0798034Z Complete job name: Build, publish and notify / Docker Scout
2024-02-02T22:04:20.0816783Z ##[debug]Collect running processes for tracking orphan processes.
2024-02-02T22:04:20.1030501Z ##[debug]Finishing: Set up job
2024-02-02T22:04:20.1260826Z ##[debug]Evaluating condition for step: 'Download artifact'
2024-02-02T22:04:20.1323485Z ##[debug]Evaluating: (success() && (needs.build-and-publish.outputs.output_type == 'file'))
2024-02-02T22:04:20.1330442Z ##[debug]Evaluating And:
2024-02-02T22:04:20.1336017Z ##[debug]..Evaluating success:
2024-02-02T22:04:20.1361789Z ##[debug]..=> true
2024-02-02T22:04:20.1366884Z ##[debug]..Evaluating Equal:
2024-02-02T22:04:20.1368385Z ##[debug]....Evaluating Index:
2024-02-02T22:04:20.1370603Z ##[debug]......Evaluating Index:
2024-02-02T22:04:20.1371227Z ##[debug]........Evaluating Index:
2024-02-02T22:04:20.1371860Z ##[debug]..........Evaluating needs:
2024-02-02T22:04:20.1373446Z ##[debug]..........=> Object
2024-02-02T22:04:20.1388259Z ##[debug]..........Evaluating String:
2024-02-02T22:04:20.1389380Z ##[debug]..........=> 'build-and-publish'
2024-02-02T22:04:20.1393892Z ##[debug]........=> Object
2024-02-02T22:04:20.1394693Z ##[debug]........Evaluating String:
2024-02-02T22:04:20.1395416Z ##[debug]........=> 'outputs'
2024-02-02T22:04:20.1396045Z ##[debug]......=> Object
2024-02-02T22:04:20.1396614Z ##[debug]......Evaluating String:
2024-02-02T22:04:20.1397238Z ##[debug]......=> 'output_type'
2024-02-02T22:04:20.1398111Z ##[debug]....=> 'registry'
2024-02-02T22:04:20.1398689Z ##[debug]....Evaluating String:
2024-02-02T22:04:20.1399267Z ##[debug]....=> 'file'
2024-02-02T22:04:20.1403161Z ##[debug]..=> false
2024-02-02T22:04:20.1403860Z ##[debug]=> false
2024-02-02T22:04:20.1411996Z ##[debug]Expanded: (true && ('registry' == 'file'))
2024-02-02T22:04:20.1412989Z ##[debug]Result: false
2024-02-02T22:04:20.1448665Z ##[debug]Evaluating condition for step: 'Load image'
2024-02-02T22:04:20.1452005Z ##[debug]Evaluating: (success() && (needs.build-and-publish.outputs.output_type == 'file'))
2024-02-02T22:04:20.1453249Z ##[debug]Evaluating And:
2024-02-02T22:04:20.1453824Z ##[debug]..Evaluating success:
2024-02-02T22:04:20.1454511Z ##[debug]..=> true
2024-02-02T22:04:20.1455025Z ##[debug]..Evaluating Equal:
2024-02-02T22:04:20.1455600Z ##[debug]....Evaluating Index:
2024-02-02T22:04:20.1456195Z ##[debug]......Evaluating Index:
2024-02-02T22:04:20.1456998Z ##[debug]........Evaluating Index:
2024-02-02T22:04:20.1457604Z ##[debug]..........Evaluating needs:
2024-02-02T22:04:20.1458218Z ##[debug]..........=> Object
2024-02-02T22:04:20.1458795Z ##[debug]..........Evaluating String:
2024-02-02T22:04:20.1459459Z ##[debug]..........=> 'build-and-publish'
2024-02-02T22:04:20.1460108Z ##[debug]........=> Object
2024-02-02T22:04:20.1460657Z ##[debug]........Evaluating String:
2024-02-02T22:04:20.1461320Z ##[debug]........=> 'outputs'
2024-02-02T22:04:20.1461892Z ##[debug]......=> Object
2024-02-02T22:04:20.1462436Z ##[debug]......Evaluating String:
2024-02-02T22:04:20.1463037Z ##[debug]......=> 'output_type'
2024-02-02T22:04:20.1463666Z ##[debug]....=> 'registry'
2024-02-02T22:04:20.1464216Z ##[debug]....Evaluating String:
2024-02-02T22:04:20.1464782Z ##[debug]....=> 'file'
2024-02-02T22:04:20.1465276Z ##[debug]..=> false
2024-02-02T22:04:20.1465736Z ##[debug]=> false
2024-02-02T22:04:20.1466534Z ##[debug]Expanded: (true && ('registry' == 'file'))
2024-02-02T22:04:20.1467285Z ##[debug]Result: false
2024-02-02T22:04:20.1474849Z ##[debug]Evaluating condition for step: 'Docker Scout'
2024-02-02T22:04:20.1476315Z ##[debug]Evaluating: success()
2024-02-02T22:04:20.1476911Z ##[debug]Evaluating success:
2024-02-02T22:04:20.1477507Z ##[debug]=> true
2024-02-02T22:04:20.1478054Z ##[debug]Result: true
2024-02-02T22:04:20.1491354Z ##[debug]Starting: Docker Scout ....
2024-02-02T22:04:39.0484383Z ##[debug]Finishing: Docker Scout
2024-02-02T22:04:39.0501466Z ##[debug]Evaluating condition for step: 'Upload SARIF result'
2024-02-02T22:04:39.0506419Z ##[debug]Evaluating: (success() && (hashFiles('sarif.output.json') != '') && (github.event_name != 'pull_request_target'))
2024-02-02T22:04:39.0506790Z ##[debug]Evaluating And:
2024-02-02T22:04:39.0507083Z ##[debug]..Evaluating success:
2024-02-02T22:04:39.0507453Z ##[debug]..=> true
2024-02-02T22:04:39.0514246Z ##[debug]..Evaluating NotEqual:
2024-02-02T22:04:39.0515725Z ##[debug]....Evaluating hashFiles:
2024-02-02T22:04:39.0549232Z ##[debug]......Evaluating String:
2024-02-02T22:04:39.0549610Z ##[debug]......=> 'sarif.output.json'
2024-02-02T22:04:39.0551000Z ##[debug]Search root directory: '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:04:39.0551731Z ##[debug]Search pattern: 'sarif.output.json'
2024-02-02T22:04:39.0554066Z ##[debug]Starting process:
2024-02-02T22:04:39.0554913Z ##[debug] File name: '/home/runner/runners/2.312.0/externals/node16/bin/node'
2024-02-02T22:04:39.0555606Z ##[debug] Arguments: '"/home/runner/runners/2.312.0/bin/hashFiles"'
2024-02-02T22:04:39.0556516Z ##[debug] Working directory: '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:04:39.0556953Z ##[debug] Require exit code zero: 'False'
2024-02-02T22:04:39.0557401Z ##[debug] Encoding web name: ; code page: ''
2024-02-02T22:04:39.0557921Z ##[debug] Force kill process on cancellation: 'False'
2024-02-02T22:04:39.0558279Z ##[debug] Redirected STDIN: 'False'
2024-02-02T22:04:39.0558710Z ##[debug] Persist current code page: 'False'
2024-02-02T22:04:39.0559143Z ##[debug] Keep redirected STDIN open: 'False'
2024-02-02T22:04:39.0559552Z ##[debug] High priority process: 'False'
2024-02-02T22:04:39.0579861Z ##[debug]Updated oom_score_adj to 500 for PID: 1608.
2024-02-02T22:04:39.0580888Z ##[debug]Process started with process id 1608, waiting for process exit.
2024-02-02T22:04:39.2280067Z ##[debug]Match Pattern: sarif.output.json
2024-02-02T22:04:39.2310596Z ##[debug]::debug::followSymbolicLinks 'false'
2024-02-02T22:04:39.2341403Z ##[debug]::debug::followSymbolicLinks 'false'
2024-02-02T22:04:39.2342294Z ##[debug]::debug::implicitDescendants 'true'
2024-02-02T22:04:39.2343098Z ##[debug]::debug::matchDirectories 'true'
2024-02-02T22:04:39.2343941Z ##[debug]::debug::omitBrokenSymbolicLinks 'true'
2024-02-02T22:04:39.2349067Z ##[debug]::debug::Search path '/home/runner/work/workflows-sandbox/workflows-sandbox/sarif.output.json'
2024-02-02T22:04:39.2370841Z ##[debug]/home/runner/work/workflows-sandbox/workflows-sandbox/sarif.output.json
2024-02-02T22:04:39.2428600Z ##[debug]Found 1 files to hash.
2024-02-02T22:04:39.2433131Z ##[debug]Hash result: 'f3050e4422098264040ff4733df775a08092d3580ab3b144bc251cd4c5284ce2'
2024-02-02T22:04:39.2435440Z ##[debug]undefined
2024-02-02T22:04:39.2470000Z ##[debug]STDOUT/STDERR stream read finished.
2024-02-02T22:04:39.2470988Z ##[debug]STDOUT/STDERR stream read finished.
2024-02-02T22:04:39.2473443Z ##[debug]Finished process 1608 with exit code 0, and elapsed time 00:00:00.1912209.
2024-02-02T22:04:39.2475429Z ##[debug]....=> 'f3050e4422098264040ff4733df775a08092d3580ab3b144bc251cd4c5284ce2'
2024-02-02T22:04:39.2476512Z ##[debug]....Evaluating String:
2024-02-02T22:04:39.2477087Z ##[debug]....=> ''
2024-02-02T22:04:39.2478472Z ##[debug]..=> true
2024-02-02T22:04:39.2479314Z ##[debug]..Evaluating NotEqual:
2024-02-02T22:04:39.2479944Z ##[debug]....Evaluating Index:
2024-02-02T22:04:39.2480527Z ##[debug]......Evaluating github:
2024-02-02T22:04:39.2481285Z ##[debug]......=> Object
2024-02-02T22:04:39.2481867Z ##[debug]......Evaluating String:
2024-02-02T22:04:39.2482794Z ##[debug]......=> 'event_name'
2024-02-02T22:04:39.2483410Z ##[debug]....=> 'push'
2024-02-02T22:04:39.2483978Z ##[debug]....Evaluating String:
2024-02-02T22:04:39.2484588Z ##[debug]....=> 'pull_request_target'
2024-02-02T22:04:39.2485170Z ##[debug]..=> true
2024-02-02T22:04:39.2485639Z ##[debug]=> true
2024-02-02T22:04:39.2489500Z ##[debug]Expanded: (true && ('f3050e4422098264040ff4733df775a08092d3580ab3b144bc251cd4c5284ce2' != '') && ('push' != 'pull_request_target'))
2024-02-02T22:04:39.2490792Z ##[debug]Result: true
2024-02-02T22:04:39.2491819Z ##[debug]Starting: Upload SARIF result
2024-02-02T22:04:39.2525858Z ##[debug]Loading inputs
2024-02-02T22:04:39.2527553Z ##[debug]Evaluating: github.workspace
2024-02-02T22:04:39.2528277Z ##[debug]Evaluating Index:
2024-02-02T22:04:39.2528724Z ##[debug]..Evaluating github:
2024-02-02T22:04:39.2529182Z ##[debug]..=> Object
2024-02-02T22:04:39.2529585Z ##[debug]..Evaluating String:
2024-02-02T22:04:39.2530025Z ##[debug]..=> 'workspace'
2024-02-02T22:04:39.2530674Z ##[debug]=> '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:04:39.2531597Z ##[debug]Result: '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:04:39.2534848Z ##[debug]Evaluating: github.token
2024-02-02T22:04:39.2535351Z ##[debug]Evaluating Index:
2024-02-02T22:04:39.2535807Z ##[debug]..Evaluating github:
2024-02-02T22:04:39.2536260Z ##[debug]..=> Object
2024-02-02T22:04:39.2536660Z ##[debug]..Evaluating String:
2024-02-02T22:04:39.2537092Z ##[debug]..=> 'token'
2024-02-02T22:04:39.2537993Z ##[debug]=> '***'
2024-02-02T22:04:39.2538585Z ##[debug]Result: '***'
2024-02-02T22:04:39.2540388Z ##[debug]Evaluating: toJson(matrix)
2024-02-02T22:04:39.2540886Z ##[debug]Evaluating toJson:
2024-02-02T22:04:39.2567636Z ##[debug]..Evaluating matrix:
2024-02-02T22:04:39.2568145Z ##[debug]..=> null
2024-02-02T22:04:39.2571905Z ##[debug]=> 'null'
2024-02-02T22:04:39.2572315Z ##[debug]Result: 'null'
2024-02-02T22:04:39.2575884Z ##[debug]Loading env
2024-02-02T22:04:39.2583153Z ##[group]Run github/codeql-action/upload-sarif@v3
2024-02-02T22:04:39.2583705Z with:
2024-02-02T22:04:39.2584036Z sarif_file: sarif.output.json
2024-02-02T22:04:39.2584724Z checkout_path: /home/runner/work/workflows-sandbox/workflows-sandbox
2024-02-02T22:04:39.2585637Z token: ***
2024-02-02T22:04:39.2585953Z matrix: null
2024-02-02T22:04:39.2586319Z wait-for-processing: true
2024-02-02T22:04:39.2586744Z ##[endgroup]
2024-02-02T22:04:39.6661709Z ##[error]codeql/upload-sarif action failed: Resource not accessible by integration
2024-02-02T22:04:39.6808911Z ##[debug]Node Action run completed with exit code 1
2024-02-02T22:04:39.6824437Z ##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
2024-02-02T22:04:39.6825285Z ##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
2024-02-02T22:04:39.6825939Z ##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
2024-02-02T22:04:39.6826630Z ##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
2024-02-02T22:04:39.6827233Z ##[debug]CODEQL_ACTION_VERSION='3.24.0'
2024-02-02T22:04:39.6834655Z ##[debug]Finishing: Upload SARIF result
2024-02-02T22:04:39.7010947Z ##[debug]Starting: Complete job
2024-02-02T22:04:39.7013277Z Uploading runner diagnostic logs
2024-02-02T22:04:39.7068845Z ##[debug]Starting diagnostic file upload.
2024-02-02T22:04:39.7069455Z ##[debug]Setting up diagnostic log folders.
2024-02-02T22:04:39.7072335Z ##[debug]Creating diagnostic log files folder.
2024-02-02T22:04:39.7093443Z ##[debug]Copying 1 worker diagnostic logs.
2024-02-02T22:04:39.7112188Z ##[debug]Copying 1 runner diagnostic logs.
2024-02-02T22:04:39.7113578Z ##[debug]Zipping diagnostic files.
2024-02-02T22:04:39.7169938Z ##[debug]Uploading diagnostic metadata file.
2024-02-02T22:04:39.7190147Z ##[debug]Diagnostic file upload complete.
2024-02-02T22:04:39.7191009Z Completed runner diagnostic log upload
2024-02-02T22:04:39.7191545Z Cleaning up orphan processes
2024-02-02T22:04:39.7603521Z ##[debug]Finishing: Complete job
2024-02-02T22:04:39.7743940Z ##[debug]Finishing: Build, publish and notify / Docker Scout
```

aeisenberg commented 5 months ago

Thanks for posting. We're taking a look at this. Can you let us know the org/name of the repository where this is happening so we can look for this in our telemetry?

SPodjasek commented 5 months ago

@aeisenberg You can see at inway/workflows-sandbox which I've just run manually. Logged error timestamp is: Mon, 05 Feb 2024 21:26:01 GMT

aeisenberg commented 5 months ago

It looks like your workflow is failing at the point it is trying to send telemetry back to github.com, which is why we are not able to find any error reports in our logs about this.

On Friday, we merged https://github.com/github/codeql-action/pull/2112 (and it has already been released), which may fix an instance of this problem, but I'm not sure if this is exactly what you are seeing. Would you try again to see if this addresses your problem?

If not, there is another PR that is more likely to address your issue: https://github.com/github/codeql-action/pull/2110. We are in the process of reviewing it. Once this PR is merged to main, I would recommend that you try this fix out as well. (Just change the github/codeql-action/upload-sarif@v3 to ...@main.)

SPodjasek commented 5 months ago

@aeisenberg I've just tried with @main to see whether #2112 helps - but it does not.

I'll wait and try when #2110 gets merged.

SPodjasek commented 5 months ago

> It looks like your workflow is failing at the point it is trying to send telemetry back to github.com, which is why we are not able to find any error reports in our logs about this.

This is a private repository (which I haven't mentioned) - so maybe that is the reason telemetry is not there?

aeisenberg commented 5 months ago

> @aeisenberg I've just tried with @main to see whether #2112 helps - but it does not.

Thanks for trying.

> This is a private repository (which I haven't mentioned) - so maybe that is the reason telemetry is not there?

We collect metadata (repository name, runtime, run status, etc) and error messages about all code scanning runs even in private repositories. This is to help us measure our internal SLOs and quickly see if there is a problem or any worrying trend. The data is purged after 6 months.

SPodjasek commented 5 months ago

@aeisenberg just checked after the merge of #2110, with @main pointing to github/codeql-action@932a7d5a595d255669d7456fb4f1da2295a61d77, and the result is the same:

```
Error: codeql/upload-sarif action failed: Resource not accessible by integration
```

ffried commented 5 months ago

@SPodjasek The remaining changes in #2110 were just documentation. The functional change seems to be #2121 now.

SPodjasek commented 5 months ago

Ok, I'll monitor #2121 now...

jsoref commented 5 months ago

Oh. I bet I know what the problem is. [check-spelling](https://github.com/check-spelling/check-spelling) has code for it:

![image](https://github.com/github/codeql-action/assets/2119212/5ea9c4cd-f3df-4796-a266-0c9120881006)

[Check Spelling: .github/workflows/spelling.yml#L106](https://github.com/check-spelling-sandbox/private-sarif-0/commit/40db5c24a55cd78ca0a056289cabde78197390f7#annotation_17866294169)
Unsupported configuration: use_sarif needs GitHub Advanced Security to be enabled - see . (unsupported-configuration)

---

Odds are that your repository is not a GHES or similar, or that if you're a GHES or similar you aren't _also_ paying for GitHub Advanced Security.

---

check-spelling has to bend over backwards to handle this stuff (which is part of why I'm working on these repositories to make my experience slightly less tortured).

retroactive edit: My bet was wrong, although in a way it was along the right track -- as it turns out it was a permissions issue, just not security-events, but actions: read. -- There's code in check-spelling for this too... https://github.com/check-spelling/check-spelling/blob/26b46adbdebd5dd0b34c7155113d50c40f43fb22/unknown-words.sh#L878-L884

SPodjasek commented 5 months ago

@jsoref Well, we do have GitHub Advanced Security license and it's enabled on the repository that throws errors.

SPodjasek commented 5 months ago

I've done some additional tests, and whether Advanced Security is enabled or disabled at the repository level we get the same error message:

image

There's also a CodeQL workflow in that repository that runs code scanning on every push, and it uploads results without any problem:

image

jsoref commented 5 months ago

Interesting...

I don't suppose you could set up an empty repository (private, with advanced security) with https://github.com/check-spelling/spell-check-this/blob/main/.github/workflows/spelling.yml and see what it says?

SPodjasek commented 5 months ago

In general the workflow fails (`[Check Spelling] Process completed with exit code 1.`), but it seems that the upload succeeds

image

SPodjasek commented 5 months ago

I've tried to downgrade github/codeql-action/upload-sarif in my workflow to v2 (as in check spelling), but still with no luck.

Is it possible that the file itself is broken in some way and upload fails because of that? I'll try to store it in artifacts....

SPodjasek commented 5 months ago

Here's the content of the SARIF file produced by Docker Scout:

```json
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Docker Scout",
          "informationUri": "https://docker.com/products/docker-scout",
          "name": "docker scout",
          "rules": [],
          "version": "1.4.1-SNAPSHOT-8f8fca4"
        }
      },
      "results": []
    }
  ]
}
```

jsoref commented 5 months ago

The main difference between v2 and v3 is just the runtime (runs.using: node16 vs runs.using: node20) -- it isn't an API break in the normal sense.

I was wrong, the changes I'm working on should fix this...

I've generated a number of bad json files, and generally that doesn't result in the error you're seeing.

There should be a way to get all the headers (both sent and received) from the codeql action when it fails to post to the endpoint (I can't remember if there actually is, and in fact, I think it's missing, in which case we should add it).

With those headers ... things become quite clear...

jsoref commented 5 months ago

So, some of the code paths are nice and will spit out a thing like: https://github.com/check-spelling-sandbox/codeql/actions/runs/7820458921/job/21335230410#step:19:29

```
  'x-github-request-id': 'ED03:704C:2C73BEB:598E6DD:65C3E18D',
```

The request id is (in theory) really helpful for doing things.

I think the failure in my example above is more or less tied to this code path: https://github.com/github/codeql-action/blob/1515e2bb2096a8d1db5a171cddbb13bfc8eea43b/src/init-action-post.ts#L89

which I think eventually led to this really valuable line: https://github.com/github/codeql-action/blob/1515e2bb2096a8d1db5a171cddbb13bfc8eea43b/src/status-report.ts#L332

Now we just need to figure out which path you went down...

jsoref commented 5 months ago

For comparison, https://github.com/check-spelling-sandbox/decidim/actions/runs/7837152919/artifacts/1231830536 (currently) has an artifact tied to https://github.com/check-spelling-sandbox/decidim/actions/runs/7837152919#summary-21386271295 (which generated 238 sarif items). -- You're free to download the artifact and compare.

Offhand, the lack of rules is vaguely amusing. But it is legal to have 0 rules: https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#_Toc141790806

check-spelling's tool.driver doesn't have fullName, but otherwise there's nothing exciting in the json.

SPodjasek commented 5 months ago

Found the cause of this problem, missing permission:

```yaml
permissions:
  actions: read
```

which caused action to fail probably here (before any real upload occurs): https://github.com/github/codeql-action/blob/1515e2bb2096a8d1db5a171cddbb13bfc8eea43b/src/upload-sarif-action.ts#L53-L64

jsoref commented 5 months ago

Oh!

Then, um, maybe the fix I'm working on would fix it. Definitely try @ d3f9862a1a537de8d94da34ddacc070846b781c0

SPodjasek commented 5 months ago

I've forked this action repository to add some logging to see what's really going on, but I've noticed that it never reached the real upload code. After disabling the code mentioned above I got 403 errors from the API with the following header: `x-accepted-github-permissions: actions=read`

After adding this permission on job level it started to work.

We do use a reusable workflow which has

```yaml
permissions:
  actions: write
```

declared in the calling workflow, but the job-level declaration in the called workflow was missing.
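The fix from the TL;DR at the top of this issue and the root cause described in the comment above (the calling workflow granted the scope, the called job's own `permissions:` block did not), shown as a complete caller/called pair. This is an added example, not a workflow from the reporter or from the github/codeql-action project; the file names, job names and the scanner step are assumptions, and the preflight `run:` step is an extra check that the action itself does not perform.

```yaml
# Added example for this issue; not the reporter's workflow and not code
# from github/codeql-action. File names, job names and the scanner step
# are assumptions. The permissions are the ones established in this thread.

# --- .github/workflows/build.yml (calling workflow) ---
name: Build, publish and notify
on:
  push:
    branches: [main]

jobs:
  docker-scout:
    # What the caller grants is the ceiling: the called workflow can drop
    # scopes from this set but cannot add any.
    permissions:
      contents: read
      actions: read            # upload-sarif reads the current workflow run via the REST API
      security-events: write   # required to upload SARIF to code scanning
    uses: ./.github/workflows/scan.yml

# --- .github/workflows/scan.yml (called, reusable workflow) ---
name: Container scan
on:
  workflow_call:

jobs:
  scan:
    runs-on: ubuntu-latest
    # A job-level permissions block is exhaustive: every scope not listed
    # is set to none (only metadata: read always survives). The failing job
    # in this issue listed security-events: write without actions: read, so
    # the token could not GET the workflow run and the action failed with
    # "Resource not accessible by integration" before any upload happened.
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      # Scanner step goes here (Docker Scout in the reporter's case). It must
      # leave sarif.output.json in the workspace.

      # Preflight (assumption, not part of the action): call the endpoint
      # upload-sarif needs and, on a non-200 response, surface the
      # x-accepted-github-permissions header, which names the scope that is
      # missing from the permissions block above.
      - name: Check GITHUB_TOKEN can read this workflow run
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          headers=$(mktemp)
          status=$(curl -sS -o /dev/null -D "$headers" -w '%{http_code}' \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID")
          if [ "$status" != 200 ]; then
            echo "::error::GET workflow run returned HTTP $status"
            grep -i '^x-accepted-github-permissions' "$headers" || true
            exit 1
          fi

      - name: Upload SARIF result
        if: hashFiles('sarif.output.json') != '' && github.event_name != 'pull_request_target'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif.output.json
          category: docker-scout   # keeps these results separate from the repository's CodeQL uploads
```

The point worth remembering from this thread is the second comment block: declaring `permissions:` on a job replaces the defaults rather than adding to them, so a called job that lists only `security-events: write` silently loses `actions: read` even when the caller granted it.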

jsoref commented 5 months ago

Ok, we definitely want to add some code to ensure that that header is reported when things fail.

I've filed:

Which should improve life for the next person (once lots of things upgrade).

Conveniently, triage for that project is on Fridays, so hopefully they'll look at it tomorrow.
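Until the header is reported by the action itself, the comparison has to be done by hand: the `GITHUB_TOKEN Permissions` group at the top of the job log lists what the token was granted, and `x-accepted-github-permissions` on the 403 lists what the API wanted. The following script automates that comparison. It is an added example, not code from this issue or from github/codeql-action; the sample log is constructed from the permissions group in the reporter's log, the header value is the one the reporter observed (`actions=read`), and splitting a header on `;` and `,` for multi-scope values is an assumption since the thread only shows a single-value header.

```sh
#!/bin/sh
# Added example, not code from this issue or from github/codeql-action.
# Triage helper for "Resource not accessible by integration": compare the
# permissions the runner granted GITHUB_TOKEN (the "GITHUB_TOKEN Permissions"
# group printed at the top of every job log) with the permissions the API
# demanded in the x-accepted-github-permissions header of its 403 response.
# The sample log below is constructed from the job log in this issue; the
# header value is the one the reporter observed (actions=read).

# Print the granted permissions as scope=level, one per line, in the
# snake_case spelling GitHub's REST API uses (SecurityEvents -> security_events).
granted_permissions() {
  # $1: path to a runner job log (leading timestamps are stripped)
  sed -n '/##\[group\]GITHUB_TOKEN Permissions/,/##\[endgroup\]/p' "$1" \
    | sed -E 's/^[0-9T:.-]+Z //' \
    | grep -E '^[A-Za-z]+: (read|write)$' \
    | sed -E 's/([a-z])([A-Z])/\1_\2/g' \
    | tr '[:upper:]' '[:lower:]' \
    | sed -E 's/: /=/'
}

# Print each required scope the token does not satisfy as "scope: level",
# ready to paste into a workflow's permissions: block. A granted "write"
# satisfies a required "read". The thread only shows a single-value header;
# splitting on ';' and ',' for multi-value headers is an assumption.
missing_permissions() {
  # $1: log file, $2: value of the x-accepted-github-permissions header
  granted=$(granted_permissions "$1")
  printf '%s\n' "$2" \
    | tr ';,' '\n\n' \
    | sed -E 's/^ +//; s/ +$//' \
    | grep -v '^$' \
    | while IFS='=' read -r scope level; do
        if printf '%s\n' "$granted" | grep -qxF "$scope=$level"; then
          continue
        fi
        if [ "$level" = read ] && printf '%s\n' "$granted" | grep -qxF "$scope=write"; then
          continue
        fi
        echo "$scope: $level"
      done
}

# Constructed sample: the permissions group from the log in this issue,
# written to a temp file whose path is printed.
sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
2024-02-02T22:03:54.0424717Z ##[group]GITHUB_TOKEN Permissions
2024-02-02T22:03:54.0427159Z Contents: read
2024-02-02T22:03:54.0427760Z Metadata: read
2024-02-02T22:03:54.0428376Z Packages: read
2024-02-02T22:03:54.0428936Z PullRequests: write
2024-02-02T22:03:54.0429547Z SecurityEvents: write
2024-02-02T22:03:54.0430219Z ##[endgroup]
EOF
  echo "$f"
}

log=$(sample_log)
echo "granted:"
granted_permissions "$log"
echo "missing for header 'actions=read':"
missing_permissions "$log" 'actions=read'
rm -f "$log"
```

Run it against a downloaded job log and the header value copied from the failing request (for example `missing_permissions job.log 'actions=read'`); the output lines are exactly what has to be added under `permissions:` on the job that runs `upload-sarif`.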

jsoref commented 5 months ago

Fwiw, I won't be able to fully debug this edge case -- it requires having a GHES w/ GHAS and setting up a private repository.

w/ public repositories, actions: read and contents: read amongst others are always available, and for those of us w/o GHAS, security-events: write doesn't do anything useful for private repositories.

I did look through the code, but I can't precisely figure out where it's going off to try to talk to an actions endpoint (if I saw the url or had a stack trace of sorts, I might be able to figure things out).


Could you update the description here to add "missing actions: read"?

jsoref commented 5 months ago

Ok, with a bit of debugging, I can reproduce and it makes sense (check-spelling indeed does similar acrobatics) https://github.com/check-spelling-sandbox/security-events-no-actions-0/actions/runs/7838010935/job/21389490582

```
before getWorkflowRelativePath
Error: codeql/upload-sarif action failed: Resource not accessible by integration
```

Here's the culprit: https://github.com/github/codeql-action/blob/1515e2bb2096a8d1db5a171cddbb13bfc8eea43b/src/api-client.ts#L128-L135

jsoref commented 5 months ago

In fact, check-spelling has fallback code where it rummages through the active repository trying to guess the answer in the case where it can't get the answer via the API: https://github.com/check-spelling/check-spelling/blob/26b46adbdebd5dd0b34c7155113d50c40f43fb22/unknown-words.sh#L374-L412

https://github.com/check-spelling/check-spelling/commit/72af927ef4bd116744619b43ebca2edbf79473ff

Pretty much every action author ends up reinventing some poor version of one of these various code things.

It looks like this problem was fixed as of GHES 3.9 with the introduction of GITHUB_WORKFLOW_REF https://docs.github.com/en/enterprise-server@3.9/actions/learn-github-actions/variables

(Sadly there's still a 3.8 out there, but at least for most folks that's less of a problem.)

jsoref commented 5 months ago

With the fix to the above issue, the output I get for this case (private repository, no actions: read) is:

```
RequestError [HttpError]: Resource not accessible by integration - https://docs.github.com/rest/actions/workflow-runs#get-a-workflow-run
```

Which is a huge improvement. (In order to get that, octokit would need to accept the PR, make a release, and then this repository would need to upgrade.)

jsoref commented 5 months ago

@SPodjasek: thanks for the help ... I think I now have two PRs to this repository that should be able to address the problem you've identified (plus the longer term debugging improvement to octokit).

If you can comment on the open PRs indicating that they help this, that'd be helpful -- my testing involves creating a private repository and running a workflow w/ this action w/o actions:read -- but I can't actually test the full path since my repository doesn't have GHAS even though the permissions claim security-events: ....

SPodjasek commented 5 months ago

@jsoref Just tested with your fork, and after removing the `actions: read` permission it works.

Should I keep this issue open until all PRs get merged for reference?

jsoref commented 5 months ago

Yes. I'd rather it be open to catch anyone else looking for it until it's fixed.

charliew33 commented 2 months ago

Still catching up, but seems like actions: read is still required to get this working on a private repo (with GHAS). Using v3.25.2 which I thought contained the fix.

sudhakarinka commented 2 months ago

If `actions: read` is dropped, the integration error comes. If we give it as `actions: write`, that gives the error below. Providing `ref` and `sha` didn't work.

We are working in tarball mode.

```
Could not determine current commit SHA using git. Continuing with data from user input or environment.
fatal: ambiguous argument 'refs/remotes/pull/85/merge': unknown revision or path not in the working tree.
```

We are using remote workflows, invoked using the invoke method.

```yaml
      # Scan the image tarball and write findings as SARIF
      - name: Run Trivy vulnerability scanner in tarball mode
        uses: aquasecurity/trivy-action@master
        with:
          input: ${{ inputs.appName }}.tar
          severity: 'CRITICAL,HIGH'
          template: '@/contrib/sarif.tpl'
          format: 'sarif'
          output: 'trivy-results.sarif'
        continue-on-error: true
      - name: Print SHA and ref
        run: |
          echo "SHA: ${{ github.sha }}"
          echo "Ref: ${{ github.ref }}"

      # Upload the SARIF to code scanning
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
        continue-on-error: true
```

The issue was during upload of the results to GitHub, due to missing permissions and a wrong branch name. Below is what worked for us, invoked on the affected PR:

Calling workflow:

```yaml
name: 'Workflow - 🐸 JFrog: Build and Deploy Docker'
run-name: docker-build:${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}

permissions:
  security-events: write
  pull-requests: read
  contents: write
  id-token: write
  statuses: write
  actions: read
  pages: write
```

Called (reusable) workflow:

```yaml
on:
  workflow_call:
permissions:
  security-events: write
  pull-requests: read
  contents: write
  statuses: write
  actions: read
  pages: write
```

Steps:

```yaml
      - name: Run Trivy vulnerability scanner in tarball mode
        uses: aquasecurity/trivy-action@master
        with:
          input: ${{ inputs.appName }}.tar
          severity: 'CRITICAL,HIGH'
          template: '@/contrib/sarif.tpl'
          format: 'sarif'
          output: 'trivy-results.sarif'
        continue-on-error: true
      # sha and ref are passed explicitly so the upload is not tied to the
      # refs/pull/.../merge ref the runner checks out for a PR
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'Container Scanning - Trivy'
          sha: ${{ github.sha }}
          ref: refs/heads/${{ github.head_ref || github.ref_name || 'main' }}
        continue-on-error: true
```

aeisenberg commented 2 months ago

@sudhakarinka, this appears to be a different problem. Can you please open a new issue and include your full workflow and the value of github.ref? I suspect that it has something to do with the way you are invoking your workflow and github.ref isn't being populated in the way the action expects. It needs to be the name of the branch that the PR is based on, not the ref of the pull namespace.