ntessore / add-reviewed-by-action

GitHub action to add a `Reviewed-by` trailer to a pull request
MIT License

RequestError [HttpError]: Resource not accessible by integration #2

Open coiby opened 1 month ago

coiby commented 1 month ago

Hi,

Thanks for creating this GitHub App action! I tried adding it to one repo but somehow the jobs failed (e.g. this job) with the following logs,

Reviewed-by: Coiby
/home/runner/work/_actions/ntessore/add-reviewed-by-action/v1/dist/index.js:4266
      const error = new requestError.RequestError(toErrorMessage(data), status, {
                    ^

RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/ntessore/add-reviewed-by-action/v1/dist/index.js:4266:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/rhkdump/kdump-utils/pulls/26',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Wed, 17 Jul 2024 00:16:10 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'pull_requests=write',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '0401:C78B3:3D339:3DCF8:66970D4A',
      'x-ratelimit-limit': '5000',
      'x-ratelimit-remaining': '4998',
      'x-ratelimit-reset': '1721178970',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '2',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/pulls/pulls#update-a-pull-request',
      status: '403'
    }
  },
  request: {
    method: 'PATCH',
    url: 'https://api.github.com/repos/rhkdump/kdump-utils/pulls/26',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-core.js/3.6.0 Node.js/20.13.1 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"body":"Using Privatetmp=yes will cause mountinfo changes, which will cause kdump started via systemd to fail in scenarios using bind mount such as coreos. Temporarily disable it until the bind mount problem is resolved.\\r\\n\\r\\nFixes: ea00b7db(\\"kdumpctl: Move temp file in get_kernel_size to global temp dir\\")\\nReviewed-by: Coiby\\n"}',
    request: {
      agent: Agent {
        _events: [Object: null prototype] {
          free: [Function (anonymous)],
          newListener: [Function: maybeEnableKeylog]
        },
        _eventsCount: 2,
        _maxListeners: undefined,
        defaultPort: 443,
        protocol: 'https:',
        options: [Object: null prototype] {
          keepAlive: true,
          scheduling: 'lifo',
          timeout: 5000,
          noDelay: true,
          path: null
        },
        requests: [Object: null prototype] {},
        sockets: [Object: null prototype] {},
        freeSockets: [Object: null prototype] {
          'api.github.com:443:::::::::::::::::::::': [ [TLSSocket] ]
        },
        keepAliveMsecs: 1000,
        keepAlive: true,
        maxSockets: Infinity,
        maxFreeSockets: 256,
        scheduling: 'lifo',
        maxTotalSockets: Infinity,
        totalSocketCount: 1,
        maxCachedSessions: 100,
        _sessionCache: {
          map: {
            'api.github.com:443:::::::::::::::::::::': [Buffer [Uint8Array]]
          },
          list: [ 'api.github.com:443:::::::::::::::::::::' ]
        },
        [Symbol(shapeMode)]: false,
        [Symbol(kCapture)]: false
      },
      hook: [Function: bound bound register]
    }
  }
}

Node.js v20.13.1

The added GitHub Action YAML is the same as https://github.com/glass-dev/glass/blob/main/.github/workflows/pull_request_review.yml except for the job name, and I use the default Workflow permissions as shown below (screenshot: Screenshot_2024-07-17_08-36-43).

So I'm not sure what's wrong. Can you give a clue? Thanks!

ntessore commented 1 month ago

Hi, thanks for the report. I don't see anything wrong with the configuration. However, in the job you linked, the write permission for pull requests doesn't actually seem to get set:

[image]

coiby commented 1 month ago

Thanks for finding that GITHUB_TOKEN doesn't have write permission! I took a further look and noticed this comment:

> Because your PRs come from a public fork, GITHUB_TOKEN only has read permissions (see here). You might be able to get write permissions by using pull_request_target as the trigger.

Indeed, maximum access for pull requests from public forked repositories is read for all scopes, including pull-request.

ntessore commented 1 month ago

Thanks @coiby for investigating! Is there something I need to change on my side?
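
A diagnostic for the failure discussed in this thread, as an added example that is not code from add-reviewed-by-action: it reads the 403 response's `x-accepted-github-permissions` header and the event payload to tell a fork-capped read-only `GITHUB_TOKEN` from a missing permission grant. The function names, the result labels and the fork name in the sample are assumptions; the sample inputs are constructed.

```javascript
// Added example; not part of add-reviewed-by-action. Sample inputs are constructed.

// Header format: alternatives separated by ';', permissions within one by ','.
function parseAcceptedPermissions(header) {
  return String(header || '')
    .split(';')
    .map((alt) => alt.split(',').map((p) => p.trim()).filter(Boolean).map((p) => {
      const [scope, level] = p.split('=');
      return { scope, level };
    }))
    .filter((alt) => alt.length > 0);
}

// True when the PR head lives in a different repository than the base.
function isForkPullRequest(event) {
  const pr = event && event.pull_request;
  if (!pr || !pr.head || !pr.base || !pr.base.repo) return false;
  if (!pr.head.repo) return true; // head repository deleted: not the base repo
  return pr.head.repo.full_name !== pr.base.repo.full_name;
}

// Triggers whose GITHUB_TOKEN is capped at read for fork PRs.
const FORK_READ_ONLY_EVENTS = ['pull_request', 'pull_request_review', 'pull_request_review_comment'];

function diagnose(error, eventName, event) {
  const response = error.response || {};
  const message = response.data && response.data.message;
  if (error.status !== 403 || message !== 'Resource not accessible by integration') {
    return { kind: 'other', required: [] };
  }
  const required = parseAcceptedPermissions((response.headers || {})['x-accepted-github-permissions']);
  const forkCapped = FORK_READ_ONLY_EVENTS.includes(eventName) && isForkPullRequest(event);
  return { kind: forkCapped ? 'fork-read-only-token' : 'missing-permission', required };
}

// Constructed sample mirroring the fields of the log in this issue.
const sampleError = {
  status: 403,
  response: {
    headers: { 'x-accepted-github-permissions': 'pull_requests=write' },
    data: { message: 'Resource not accessible by integration' },
  },
};
// Constructed event payload; the fork name is a placeholder.
const sampleEvent = { pull_request: {
  head: { repo: { full_name: 'example-contributor/kdump-utils' } },
  base: { repo: { full_name: 'rhkdump/kdump-utils' } },
} };

console.log(diagnose(sampleError, 'pull_request_review', sampleEvent));
```

In an action, `eventName` would come from `GITHUB_EVENT_NAME` and `event` from the JSON file at `GITHUB_EVENT_PATH`.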