marocchino / sticky-pull-request-comment

create comment on pull request, if exists update that comment.
MIT License

Permissions Issue #913

Closed ardalis closed 1 year ago

ardalis commented 1 year ago

See this PR: https://github.com/ardalis/GuardClauses/pull/264

I'm getting this result:

Error: Resource not accessible by integration

Per the README in this repo, the fix for this is to not explicitly use secrets.GITHUB_TOKEN, but that's not in my build.yml file anywhere.

What else is suggested?

Here's my build script which has write permissions set:

name: .NET Core

on:
  workflow_dispatch:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
    pull-requests: write 

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3
    - name: Setup .NET Core
      uses: actions/setup-dotnet@v3
      with:
          dotnet-version: '7.x'
    - name: Install dependencies
      run: dotnet restore
    - name: Build
      run: dotnet build --configuration Release --no-restore

      # See https://josh-ops.com/posts/github-code-coverage/
      # Add coverlet.collector nuget package to test project - 'dotnet add <TestProject.csproj> package coverlet
    - name: Test
      run: dotnet test --no-restore --verbosity normal --collect:"XPlat Code Coverage" --logger trx --results-directory coverage

    - name: Copy Coverage To Predictable Location
      run: cp coverage/*/coverage.cobertura.xml coverage/coverage.cobertura.xml

    - name: Code Coverage Summary Report
      uses: irongut/CodeCoverageSummary@v1.3.0
      # uses: joshjohanning/CodeCoverageSummary@v1.0.2
      with:
        filename: coverage/coverage.cobertura.xml
        badge: true
        format: 'markdown'
        output: 'both'

    - name: Add Coverage PR Comment
      uses: marocchino/sticky-pull-request-comment@v2
      if: github.event_name == 'pull_request'
      with:
        recreate: true
        path: code-coverage-results.md

Thanks!

marocchino commented 1 year ago

Check your Settings > Actions > General > Workflow permissions. Older repos don't, but the latest default is read, so you need to change it to read and write.

[Screenshot 2023-02-10 at 2:33:11: Workflow permissions setting]

marocchino commented 1 year ago

Oh, I read the PR and the user has no privileges in the repo. In that case, you're right that they can't do it. In my case, I separated it to run with different privileges; check my settings:
https://github.com/marocchino/sticky-pull-request-comment/blob/0c53bc8d62642be4955925aac529c75077e44828/.github/workflows/test.yml#L19-L23
https://github.com/marocchino/sticky-pull-request-comment/blob/0c53bc8d62642be4955925aac529c75077e44828/.github/workflows/comment_on_workflow_run.yml#L1-L32
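
An added example of the split-workflow pattern marocchino links to above. This is illustrative code written for this page, not the project's own workflow files; it assumes the action versions shown (actions/checkout@v4, actions/setup-dotnet@v4, actions/upload-artifact@v4, actions/download-artifact@v4 with its `run-id` and `github-token` inputs) and the workflow and artifact names `.NET Core` and `coverage-comment`. The `pull_request` workflow runs for a fork with a read-only token and only uploads the coverage markdown plus the PR number as an artifact; a second workflow, triggered by `workflow_run`, runs in the base repository with a write token, downloads that artifact and posts the sticky comment. Because its token can write to the repository, the second workflow never checks out or executes the fork's code, and it validates the PR number read from the artifact before passing it to the action.

```yaml
# .github/workflows/build.yml (hypothetical file): runs for fork PRs with a read-only token
name: .NET Core

on:
  pull_request:
    branches: [ main ]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '7.x'
      - run: dotnet test --collect:"XPlat Code Coverage" --results-directory coverage
      - run: cp coverage/*/coverage.cobertura.xml coverage/coverage.cobertura.xml
      - uses: irongut/CodeCoverageSummary@v1.3.0
        with:
          filename: coverage/coverage.cobertura.xml
          badge: true
          format: 'markdown'
          output: 'both'
      # Record which PR this run belongs to; workflow_run does not reliably expose
      # the PR number for runs that came from a fork. Pass it through env, not
      # by interpolating the expression into the shell command.
      - run: echo "$PR_NUMBER" > pr_number.txt
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
      - uses: actions/upload-artifact@v4
        with:
          name: coverage-comment
          path: |
            code-coverage-results.md
            pr_number.txt

---
# .github/workflows/comment_on_workflow_run.yml (hypothetical file): runs in the
# base repository after the build workflow finishes, with a token that can write.
name: Coverage comment

on:
  workflow_run:
    workflows: [".NET Core"]
    types: [completed]

permissions:
  pull-requests: write

jobs:
  comment:
    # Only act on PR-triggered runs that completed successfully.
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: nothing from the PR branch runs in this job.
      - uses: actions/download-artifact@v4
        with:
          name: coverage-comment
          path: coverage-comment
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - id: pr
        run: |
          n=$(tr -d '[:space:]' < coverage-comment/pr_number.txt)
          # The artifact was produced by an untrusted PR build: accept digits only.
          echo "$n" | grep -Eq '^[0-9]+$' || { echo "invalid PR number in artifact"; exit 1; }
          echo "number=$n" >> "$GITHUB_OUTPUT"
      - uses: marocchino/sticky-pull-request-comment@v2
        with:
          number: ${{ steps.pr.outputs.number }}
          header: coverage
          recreate: true
          path: coverage-comment/code-coverage-results.md
```

The `workflows:` list in the second file must match the `name:` of the first exactly. The markdown in the artifact is still attacker-controlled content from the PR build, so the second workflow only hands it to the comment action as a message body and does nothing else with it.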

ardalis commented 1 year ago

Oh so it's expected that this won't work if random GitHub users make pull requests to open source projects, unless I set up something like what you're showing here? Most of my community contributors will have zero affiliation with or permissions on the repo. I'm not sure I understand what your workflows are doing but I'll take a closer look and see how I might apply that to my situation. Thanks!

marocchino commented 1 year ago

It wasn't like that when I first created this repo, but there was a policy change in the GitHub API itself. You can find details in: https://github.com/marocchino/sticky-pull-request-comment/issues/227 and the discussions will be helpful: https://github.com/community/community/discussions?discussions_q=Error%3A+Resource+not+accessible+by+integration+label%3AActions
