pozil / auto-assign-issue

GitHub Action that auto-assigns issues or PRs to one or more users
Creative Commons Zero v1.0 Universal

Run failed: issue assignment #110

Closed 7MinSec closed 1 year ago

7MinSec commented 1 year ago

Hello!

I'm a newb to workflows so please be gentle :-). I made one that looks like this:

name: Issue assignment

on:
    issues:
        types: [opened]

jobs:
    auto-assign:
        runs-on: ubuntu-latest
        steps:
            - name: 'Auto-assign issue'
              uses: pozil/auto-assign-issue@v1.11.0
              with:
                  assignees: 7MinSec
                  allowSelfAssign: true                  

When I create an issue, I get an email from GitHub with subject Run failed: issue assignment. When I look at the details, I see:

image

Could you please advise on how I can fix this?

pozil commented 1 year ago

Hi @7MinSec, I only saw the "resource not accessible by integration" error a couple of times in the past. It's not specific to this action, it's more of a global issue. To be honest, I'm not entirely sure about the cause of the issue but here are some ideas:

I hope that this helps, let me know if you find the cause of the issue.

h-unterp commented 1 year ago

Same issue. Needed permissions: write-all

Would be very helpful to supply this basic hello world: that goes in .github/workflows/main.yml

name: Issue assignment

on:
    issues:
        types: [opened]

jobs:
    auto-assign:
        permissions: write-all
        runs-on: ubuntu-latest
        steps:
            - name: 'Auto-assign issue'
              uses: pozil/auto-assign-issue@v1.11.0
              with:
                  assignees: h-unterp
                  numOfAssignee: 1

pozil commented 1 year ago

@h-unterp I beg to differ, I'm using the action in a couple of repositories and I never needed to set any permission. Also, I wouldn't recommend write-all as it is not reasonable from a security standpoint because it opens the door to everything. If you were to explore permissions, you'd want to open them to the relevant objects only (issues in this case).

h-unterp commented 1 year ago

Kind of curious how two of us have run into this...

name: Issue assignment

on:
    issues:
        types: [opened]

jobs:
    auto-assign:
        permissions: 
            issues: write
        runs-on: ubuntu-latest
        steps:
            - name: 'Auto-assign issue'
              uses: pozil/auto-assign-issue@v1.11.0
              with:
                  assignees: h-unterp
                  numOfAssignee: 1

7MinSec commented 1 year ago

Just to further comment on this, I tried to create an issue while auto-assign-issue was active using the same code I put in my original post:

name: Issue assignment

on:
    issues:
        types: [opened]

jobs:
    auto-assign:
        runs-on: ubuntu-latest
        steps:
            - name: 'Auto-assign issue'
              uses: pozil/auto-assign-issue@v1.11.0
              with:
                  assignees: 7MinSec
                  allowSelfAssign: true                  

Shortly after I got an email saying the job failed in the same way that I originally posted.

Then using @h-unterp's idea, I added this to my file:

permissions:
    issues: write

This time it ran!

image

However, it sounds like write permissions might be a bad idea? I mostly want this auto-assign-issue to run on private repos, but I won't run it at all if there are security concerns.

pozil commented 1 year ago

@7MinSec @h-unterp sorry if I was unclear. I'm not saying write permission is a bad idea just that we should provide a scope and avoid write-all.

pozil commented 1 year ago

Could one of you share the output of your "Set up job" task? I'm interested in the GITHUB_TOKEN part.

For reference, this is what I have on a private repo with default settings and no specific token passed to the action: note that the permission to write issues is already set. Screenshot 2023-05-26 at 10 14 43

7MinSec commented 1 year ago

When I remove the write permission and run the job again (so it fails) this is my job output:

run pozil/auto-assign-issue@v1.11.0
  with:
    assignees: 7MinSec
    allowSelfAssign: true
    repo-token: ***
    abortIfPreviousAssignees: false
    removePreviousAssignees: false
    allowNoAssignees: false
/home/runner/work/_actions/pozil/auto-assign-issue/v1.11.0/node_modules/@octokit/request/dist-node/index.js:86
      const error = new requestError.RequestError(toErrorMessage(data), status, {
                    ^

RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/pozil/auto-assign-issue/v1.11.0/node_modules/@octokit/request/dist-node/index.js:86:21
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async getAssignees (/home/runner/work/_actions/pozil/auto-assign-issue/v1.11.0/src/utils.js:52:19)
    at async runAction (/home/runner/work/_actions/pozil/auto-assign-issue/v1.11.0/src/action.js:71:26) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/7MinSec/ovh/issues/21',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      connection: 'close',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Fri, 26 May 2023 15:26:01 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': 'DC41:4DBB:2B273B:5835F2:6470CF89',
      'x-ratelimit-limit': '1000',
      'x-ratelimit-remaining': '999',
      'x-ratelimit-reset': '1685118361',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '1',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/reference/issues#get-an-issue'
    }
  },
  request: {
    method: 'GET',
    url: 'https://api.github.com/repos/7MinSec/ovh/issues/21',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-core.js/3.6.0 Node.js/16.16.0 (linux; x64)',
      authorization: 'token [REDACTED]'
    },
    request: {
      agent: Agent {
        _events: [Object: null prototype] {
          free: [Function (anonymous)],
          newListener: [Function: maybeEnableKeylog]
        },
        _eventsCount: 2,
        _maxListeners: undefined,
        defaultPort: 443,
        protocol: 'https:',
        options: [Object: null prototype] { path: null },
        requests: [Object: null prototype] {},
        sockets: [Object: null prototype] {},
        freeSockets: [Object: null prototype] {},
        keepAliveMsecs: 1000,
        keepAlive: false,
        maxSockets: Infinity,
        maxFreeSockets: 256,
        scheduling: 'lifo',
        maxTotalSockets: Infinity,
        totalSocketCount: 0,
        maxCachedSessions: 100,
        _sessionCache: {
          map: {
            'api.github.com:443:::::::::::::::::::::': [Buffer [Uint8Array]]
          },
          list: [ 'api.github.com:443:::::::::::::::::::::' ]
        },
        [Symbol(kCapture)]: false
      },
      hook: [Function: bound bound register]
    }
  }
}

pozil commented 1 year ago

Thanks for your help with the investigation. I'm still not 100% clear as to why certain repositories require this permission to be set and others don't but I think that it can't hurt to be explicit about the permissions that are required for this action to run. I've added the issue write permission to the doc examples.
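
A small audit for the two points raised in this thread, that `write-all` is broader than the action needs and that the required scope should be stated explicitly. This is an added example, not code from the action or its docs. The sample workflow, the `example-user` assignee and the `audit_workflow` helper are constructed for illustration, and the indentation-based parser assumes block-style YAML like the workflows posted above.

```python
import re

# Constructed sample workflow, modelled on the ones posted in this thread.
TEMPLATE = """on:
    issues:
        types: [opened]
jobs:
    auto-assign:
{perms}        runs-on: ubuntu-latest
        steps:
            - uses: pozil/auto-assign-issue@v1.11.0
              with: {{assignees: example-user}}
"""
SAMPLES = {
    "default": TEMPLATE.format(perms=""),
    "write-all": TEMPLATE.format(perms="        permissions: write-all\n"),
    "scoped": TEMPLATE.format(perms="        permissions:\n            issues: write\n"),
}
KEY = re.compile(r"^(\s*)([A-Za-z0-9_-]+):\s*(.*)$")
WORKFLOW = "<workflow>"  # marker for a top-level permissions key

def audit_workflow(text):
    """Return sorted (line, job, message) findings on GITHUB_TOKEN permissions."""
    findings, top_level, jobs = [], False, {}
    in_jobs, job, job_indent, key_indent = False, None, None, None
    for no, raw in enumerate(text.splitlines(), 1):
        m = KEY.match(raw.split(" #")[0].rstrip())
        if not m:
            continue  # blank lines, comments, list items such as "- uses: ..."
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
        scope = None  # set only where a permissions key is meaningful
        if indent == 0:
            in_jobs, job, job_indent, scope = key == "jobs", None, None, WORKFLOW
        elif in_jobs and indent == (job_indent := job_indent or indent):
            job, key_indent = key, None
            jobs[job] = [no, False]  # [line of job key, has own permissions]
        elif in_jobs and job and indent == (key_indent := key_indent or indent):
            scope = job
        if key != "permissions" or scope is None:
            continue
        if scope == WORKFLOW:
            top_level = True
        else:
            jobs[scope][1] = True
        if value == "write-all":
            findings.append((no, scope, "write-all grants every scope; list only those needed"))
    findings += [(no, name, "no permissions block; scopes fall back to the repository default")
                 for name, (no, explicit) in jobs.items() if not (explicit or top_level)]
    return sorted(findings)
```

Run over the three samples, the scoped workflow is clean, the `write-all` workflow is flagged at the `permissions` line, and the workflow with no block is flagged at the job key because its token scopes depend on the repository or organization default rather than on the file.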

SoCuul commented 2 months ago

Sorry for the necro, but I'm having the same issue, instead with PRs.

name: PR assignment

on:
    pull_request:
        types: [opened, edited, synchronize, reopened]

jobs:
    auto-assign:
        runs-on: ubuntu-latest
        permissions:
            pull-requests: write
        steps:
            - name: 'Auto-assign PR'
              uses: pozil/auto-assign-issue@v1
              with:
                  assignees: socuul
                  allowNoAssignees: true

pozil commented 2 months ago

Hi @SoCuul, if the issue is consistent, I would try to explore permissions.

Start with a simple test: add permissions: write-all in a test environment to see if this is indeed a permission issue. If this solves the "resource not available to integration" issue, then you need to figure out which permission is needed.

From there, go back to pull-requests: write and iterate by adding permissions until you figure out which one you need. Since PRs are a special type of issue, I would try to add both the pull-requests: write and issues: write as a start.

Let me know if you find something so that I can improve the docs.