step-security / harden-runner

Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
https://www.stepsecurity.io
Apache License 2.0

Bug: egress-policy: audit seems to be blocking github status api calls #424

Closed jasonkarns closed 4 months ago

jasonkarns commented 4 months ago

I have a PR that introduces harden-runner with an audit policy. My presumption is that with 'audit', nothing will be blocked (yet); only reported.

However, the super-linter job in this workflow is now failing to add its status checks to the PR. The API calls are shown to fail in the logs:

Failed to call GitHub Status API: curl: (22) The requested URL returned error: 403


The egress report is here: https://app.stepsecurity.io/github/nodenv/.github/actions/runs/9400740224?jobid=25891783213&tab=network-events but claims nothing was blocked.

(It's noteworthy that the job provides the correct statuses:write permission and has been working on main already. Only this PR which introduces harden-runner has the failures.)

jasonkarns commented 4 months ago

I removed harden-runner from this job temporarily but it still failed, so I have no idea what's going on now.

varunsh-coder commented 4 months ago

@jasonkarns I had not seen this issue earlier.

The reason it is failing is because it does not have the right GITHUB_TOKEN permissions. You can see this here: https://github.com/nodenv/.github/actions/runs/9400740224/job/25891783213#step:1:17

This might be because when a PR is created from a fork, GITHUB_TOKEN permissions are limited to read.

The fact that it got a 403 returned means harden-runner did not block it. If it had blocked it, it would get a timeout error.
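For readers hitting the same symptom, the following workflow fragment is an added example, not code from this issue or from the harden-runner project, showing the two things the thread distinguishes: the job-level GITHUB_TOKEN permissions the Status API needs, and harden-runner's audit mode, which only records egress. The action version tag and the `allowed-endpoints` list for block mode are assumptions for illustration.

```yaml
name: lint

on:
  pull_request:

jobs:
  super-linter:
    runs-on: ubuntu-latest
    # The Status API needs statuses: write on the job's GITHUB_TOKEN.
    # Note: on pull_request events from a fork, GitHub downgrades the token
    # to read-only regardless of what is declared here, so a 403 from
    # api.github.com is expected in that case and is not an egress block.
    permissions:
      contents: read
      statuses: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2   # version pin is an assumption
        with:
          # audit: every outbound connection is reported, none is blocked.
          # A request that reaches the server and gets an HTTP 403 was not
          # blocked; a blocked request fails at the network layer (timeout).
          egress-policy: audit
          # When switching to block mode, list the endpoints the job needs;
          # api.github.com is required for the Status API call. Example only:
          # egress-policy: block
          # allowed-endpoints: >
          #   api.github.com:443
          #   github.com:443

      - uses: actions/checkout@v4

      - name: Run super-linter
        uses: super-linter/super-linter@v6   # version pin is an assumption
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

When triaging a failure like the one in this issue, check the failing step's error first: a `curl: (22)` with an HTTP status code means the runner reached GitHub and was refused by the API (a token or permissions problem), whereas an egress block under `egress-policy: block` shows up as a connection timeout or DNS failure, and the blocked endpoint appears in the StepSecurity network-events report.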

jasonkarns commented 4 months ago

Yep. I closed it quickly after confirming that commenting out the harden-runner action didn't resolve anything. Apologies for the noise!