Closed 7MinSec closed 1 year ago
Hi @7MinSec, I only saw the "resource not accessible by integration" error a couple of times in the past. It's not specific to this action, it's more of a global issue. To be honest, I'm not entirely sure about the cause of the issue but here are some ideas:
I hope that this helps, let me know if you find the cause of the issue.
Same issue. Needed permissions: write-all
Would be very helpful to supply this basic hello world: that goes in .github/workflows/main.yml
```yaml
name: Issue assignment
on:
  issues:
    types: [opened]
jobs:
  auto-assign:
    permissions: write-all
    runs-on: ubuntu-latest
    steps:
      - name: 'Auto-assign issue'
        uses: pozil/auto-assign-issue@v1.11.0
        with:
          assignees: h-unterp
          numOfAssignee: 1
```
@h-unterp I beg to differ, I'm using the action in a couple of repositories and I never needed to set any permission.
Also, I wouldn't recommend `write-all` as it is not reasonable from a security standpoint because it opens the door to everything. If you were to explore permissions, you'd want to open them to the relevant objects only (`issues` in this case).
Kind of curious how two of us have run into this...
```yaml
name: Issue assignment
on:
  issues:
    types: [opened]
jobs:
  auto-assign:
    permissions:
      issues: write
    runs-on: ubuntu-latest
    steps:
      - name: 'Auto-assign issue'
        uses: pozil/auto-assign-issue@v1.11.0
        with:
          assignees: h-unterp
          numOfAssignee: 1
```
Just to further comment on this, I tried to create an issue while `auto-assign-issue` was active using the same code I put in my original post:
```yaml
name: Issue assignment
on:
  issues:
    types: [opened]
jobs:
  auto-assign:
    runs-on: ubuntu-latest
    steps:
      - name: 'Auto-assign issue'
        uses: pozil/auto-assign-issue@v1.11.0
        with:
          assignees: 7MinSec
          allowSelfAssign: true
```
Shortly after I got an email saying the job failed in the same way that I originally posted.
Then using @h-unterp's idea, I added this to my file:
```yaml
permissions:
  issues: write
```
This time it ran!
However, it sounds like `write` permissions might be a bad idea? I mostly want this `auto-assign-issue` to run on private repos, but I won't run it at all if there are security concerns.
@7MinSec @h-unterp sorry if I was unclear. I'm not saying `write` permission is a bad idea, just that we should provide a scope and avoid `write-all`.
Could one of you share the output of your "Set up job" task? I'm interested in the GITHUB_TOKEN part.
For reference, this is what I have on a private repo with default settings and no specific token passed to the action: note that the permission to write issues is already set.
When I remove the write permission and run the job again (so it fails) this is my job output:
```
run pozil/auto-assign-issue@v1.11.0
  with:
    assignees: 7MinSec
    allowSelfAssign: true
    repo-token: ***
    abortIfPreviousAssignees: false
    removePreviousAssignees: false
    allowNoAssignees: false
/home/runner/work/_actions/pozil/auto-assign-issue/v1.11.0/node_modules/@octokit/request/dist-node/index.js:86
      const error = new requestError.RequestError(toErrorMessage(data), status, {
                    ^
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/pozil/auto-assign-issue/v1.11.0/node_modules/@octokit/request/dist-node/index.js:86:21
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async getAssignees (/home/runner/work/_actions/pozil/auto-assign-issue/v1.11.0/src/utils.js:52:19)
    at async runAction (/home/runner/work/_actions/pozil/auto-assign-issue/v1.11.0/src/action.js:71:26) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/7MinSec/ovh/issues/21',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      connection: 'close',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Fri, 26 May 2023 15:26:01 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': 'DC41:4DBB:2B273B:5835F2:6470CF89',
      'x-ratelimit-limit': '1000',
      'x-ratelimit-remaining': '999',
      'x-ratelimit-reset': '1685118361',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '1',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/reference/issues#get-an-issue'
    }
  },
  request: {
    method: 'GET',
    url: 'https://api.github.com/repos/7MinSec/ovh/issues/21',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-core.js/3.6.0 Node.js/16.16.0 (linux; x64)',
      authorization: 'token [REDACTED]'
    },
    request: {
      agent: Agent {
        _events: [Object: null prototype] {
          free: [Function (anonymous)],
          newListener: [Function: maybeEnableKeylog]
        },
        _eventsCount: 2,
        _maxListeners: undefined,
        defaultPort: 443,
        protocol: 'https:',
        options: [Object: null prototype] { path: null },
        requests: [Object: null prototype] {},
        sockets: [Object: null prototype] {},
        freeSockets: [Object: null prototype] {},
        keepAliveMsecs: 1000,
        keepAlive: false,
        maxSockets: Infinity,
        maxFreeSockets: 256,
        scheduling: 'lifo',
        maxTotalSockets: Infinity,
        totalSocketCount: 0,
        maxCachedSessions: 100,
        _sessionCache: {
          map: {
            'api.github.com:443:::::::::::::::::::::': [Buffer [Uint8Array]]
          },
          list: [ 'api.github.com:443:::::::::::::::::::::' ]
        },
        [Symbol(kCapture)]: false
      },
      hook: [Function: bound bound register]
    }
  }
}
```
Thanks for your help with the investigation. I'm still not 100% clear as to why certain repositories require this permission to be set and others don't but I think that it can't hurt to be explicit about the permissions that are required for this action to run. I've added the issue write permission to the doc examples.
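Added example, not part of the thread or of the auto-assign-issue project: a job with no `permissions` key receives whatever default `GITHUB_TOKEN` scope the repository or organization has configured, so the same workflow can pass in one repository and return 403 in another. The sketch below classifies each job of a workflow as `implicit`, `write-all` or `explicit`; the name `audit_permissions` and the sample strings are assumptions made for this example.

```python
import re

KEY = re.compile(r"^(\s*)([\w-]+):\s*(.*)$")

def audit_permissions(workflow_text):
    """Map each job name to 'write-all', 'explicit' or 'implicit'.

    Simplified scanner for block-style workflow YAML (assumption: no flow
    mappings or anchors); it is not a full YAML parser."""
    top_level, jobs = None, {}
    in_jobs, job_indent, child_indent, current = False, None, None, None
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # list items, comments, blank lines
        indent, key = len(m.group(1)), m.group(2)
        # Drop a trailing comment; an empty value means a nested mapping follows.
        value = re.sub(r"(^|\s)#.*", "", m.group(3)).strip() or "scoped"
        if indent == 0:
            in_jobs = key == "jobs"
            if key == "permissions":
                top_level = value
        elif in_jobs:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:  # a new job starts here
                current, child_indent = key, None
                jobs[current] = None
            else:
                child_indent = indent if child_indent is None else child_indent
                if key == "permissions" and indent == child_indent:
                    jobs[current] = value
    findings = {}
    for job, perms in jobs.items():
        effective = perms or top_level  # job-level block overrides workflow-level
        if effective is None:
            findings[job] = "implicit"  # scope comes from the repo/org default
        elif effective == "write-all":
            findings[job] = "write-all"  # every scope is writable
        else:
            findings[job] = "explicit"
    return findings

# Constructed samples modelled on the workflows posted in this thread.
HEADER = "name: Issue assignment\non:\n  issues:\n    types: [opened]\njobs:\n  auto-assign:\n"
STEPS = "    runs-on: ubuntu-latest\n    steps:\n      - name: 'Auto-assign issue'\n"
NO_BLOCK = HEADER + STEPS
WRITE_ALL = HEADER + "    permissions: write-all\n" + STEPS
SCOPED = HEADER + "    permissions:\n      issues: write\n" + STEPS
```

Running it over every file in `.github/workflows` shows which jobs depend on a default that can differ between repositories and which ones grant more than the single scope they need.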
Sorry for the necro, but I'm having the same issue, instead with PRs.
```yaml
name: PR assignment
on:
  pull_request:
    types: [opened, edited, synchronize, reopened]
jobs:
  auto-assign:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - name: 'Auto-assign PR'
        uses: pozil/auto-assign-issue@v1
        with:
          assignees: socuul
          allowNoAssignees: true
```
Hi @SoCuul, if the issue is consistent, I would try to explore permissions.
Start with a simple test: add `permissions: write-all` in a test environment to see if this is indeed a permission issue. If this solves the "resource not available to integration" issue, then you need to figure out which permission is needed.
From there, go back to `pull-requests: write` and iterate by adding permissions until you figure out which one you need. Since PRs are a special type of issue, I would try to add both the `pull-requests: write` and `issues: write` as a start.
Let me know if you find something so that I can improve the docs.
Hello!
I'm a newb to workflows so please be gentle :-). I made one that looks like this:
When I create an issue, I get an email from GitHub with subject `Run failed: issue assignment`.
When I look at the details, I see:
Could you please advise on how I can fix this?