joonvena / robotframework-reporter-action

This action can be used to send a parsed test report as a comment on the commit that triggered the test run.

Action lacks permissions to leave comment in PR #16

Closed. lugi0 closed this issue 2 years ago.

lugi0 commented 2 years ago

Hello!

I'm trying to implement a workflow that uses this action, and it works wonderfully when I open a PR from a branch created directly on my main repo.

However, when a PR is coming from a fork, the action lacks the required permissions to leave the comment. I tried to specifically grant the token write-all permissions in my .yaml, and all the settings I could find in the main repo should allow actions to have write permissions as well.

Has anyone faced a similar issue? Am I doing something wrong? This is the YAML for reference:

```yaml
name: dryrun

on: [push, pull_request]

permissions: write-all

jobs:
  dryrun:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Execute dryrun
        run: |
          <dryrun commands>
      - name: Parse output
        uses: joonvena/robotframework-reporter-action@v2.1
        with:
          report_path: test-output
          gh_access_token: ${{ secrets.GITHUB_TOKEN }}
          show_passed_tests: false
```

And this is the error I get:

```
Run joonvena/robotframework-reporter-action@v2.1
Run export OWNER="$(echo "red-hat-data-services/ods-ci" | awk -F / '{print $1}' | sed -e "s/:refs//")"
Run /home/runner/work/_actions/joonvena/robotframework-reporter-action/v2.1/report.sh
Unable to find image 'joonvena/robot-reporter:v2.1' locally
v2.1: Pulling from joonvena/robot-reporter
df9b9388f04a: Already exists
f265c46fcbe2: Pulling fs layer
8aee577374: Pulling fs layer
6fad9521d008: Pulling fs layer
8aee57710374: Verifying Checksum
8aee57710374: Download complete
6fad9521d008: Verifying Checksum
6fad9521d008: Download complete
f265c46fcbe2: Verifying Checksum
f265c46fcbe2: Download complete
f265c46fcbe2: Pull complete
8aee57710374: Pull complete
6fad9521d008: Pull complete
Digest: sha256:9910a6014905fb7053ef8486fac7346db0009e96511f14c7606184ffb9f5f60c
Status: Downloaded newer image for joonvena/robot-reporter:v2.1
2022/10/26 16:00:16 POST https://api.github.com/repos/red-hat-data-services/ods-ci/issues/604/comments: 403 Resource not accessible by integration []
Error: Process completed with exit code 1.
```

joonvena commented 2 years ago

Hi, I think the problem is generally the GITHUB_TOKEN. It only gives read permission for the token when it's used from fork. You can see the permissions from here: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token.

lugi0 commented 2 years ago

I think you're right! I hadn't seen this page, but I read "Maximum access by forked repos", and I guess that means there's no way to force the token to have write permissions as well :/ I'll try to set up a personal access token, thanks!

joonvena commented 2 years ago

Yeah, unfortunately you can't give the token from a fork anything other than read permissions.

lugi0 commented 2 years ago

I finally got it to work; I had to use this as a base for my solution: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
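The pattern the last comment points to splits the job in two, so that the workflow that runs the fork's code never holds a write token and the workflow that posts the comment never runs the fork's code. Below is an added example of that split written for this thread's scenario; it is not part of the issue, the Security Lab article, or the reporter action. It assumes the dryrun step writes a markdown summary to `test-output/report.md` (an assumption; the reporter action's own output format is not shown here), keeps the issue's `<dryrun commands>` placeholder, and posts the comment with `actions/github-script` rather than with the reporter action, since how the action locates the PR number when run outside a `pull_request` event is not documented on this page.

```yaml
# .github/workflows/dryrun.yml
# Untrusted side: triggered by the PR, runs the fork's code, read-only token.
name: dryrun

on: [pull_request]          # push is dropped: github.event.pull_request is empty on push

permissions:
  contents: read            # explicit; for fork PRs GITHUB_TOKEN cannot be more than this anyway

jobs:
  dryrun:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Execute dryrun
        run: |
          mkdir -p test-output
          <dryrun commands>     # placeholder kept from the issue; assumed to write test-output/report.md
      - name: Record the PR number for the privileged workflow
        run: echo "${{ github.event.pull_request.number }}" > test-output/pr_number.txt
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
          name: test-output
          path: test-output/
---
# .github/workflows/report-comment.yml
# Privileged side: runs from the default branch with a write token and never checks out PR code.
name: report-comment

on:
  workflow_run:
    workflows: ["dryrun"]
    types: [completed]

permissions:
  actions: read             # list and download the triggering run's artifacts
  pull-requests: write      # post the comment; nothing else is granted

jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion != 'skipped'
    steps:
      - name: Download the artifact produced by the triggering run
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            const { data } = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: context.payload.workflow_run.id,
            });
            const artifact = data.artifacts.find(a => a.name === 'test-output');
            if (!artifact) { core.setFailed('no test-output artifact on triggering run'); return; }
            const zip = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: artifact.id,
              archive_format: 'zip',
            });
            fs.writeFileSync('test-output.zip', Buffer.from(zip.data));
      - run: unzip -o test-output.zip -d test-output
      - name: Post the report as a PR comment
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            // Everything in the artifact was produced by untrusted code: validate the PR
            // number strictly and treat the report as opaque text, never as something to run.
            const prNumber = fs.readFileSync('test-output/pr_number.txt', 'utf8').trim();
            if (!/^\d+$/.test(prNumber)) { core.setFailed('invalid PR number in artifact'); return; }
            const report = fs.readFileSync('test-output/report.md', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: Number(prNumber),
              body: report,
            });
```

Two points worth checking when adopting this: `workflow_run` only fires for the version of `report-comment.yml` on the default branch, so a PR cannot alter the privileged workflow it triggers; and the PR number is carried in the artifact rather than read from `github.event.workflow_run.pull_requests`, which is empty for runs coming from forks. The privileged job deliberately has no `actions/checkout` step and only `pull-requests: write`, so a malicious PR that compromises the dryrun job gains nothing beyond the ability to influence the text of its own comment.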