Open raisedadead opened 2 years ago
Hi 👋 @raisedadead
Thanks for opening your first issue here! Be sure to follow the issue template!
Hi folks, I just ran into this one as well. I think this comes from the changes that were made going from `pull_request` to `pull_request_target`, with these differences in the new triggers:
Runs in the context of the pull_request source, so the repo that has the changes. These incoming changes might have security issues, and therefore have less authorizations: e.g. they are not allowed to write to the PR (that could potentially lead to approving the PR for example :-) ), or write to the `.github/workflows` folder.
This also prevents access to any secrets that might be in the repo, as that could lead to secrets being leaked to anyone sending in a PR
This setup now has full access to the repos, so it can write to PR's, has access to secrets, etc.
I'm not sure how we can create comments on the PR, without running on `pull_request_target` (which I do not recommend for all the security reasons above).
Tagging @bubkoo and @KeisukeYamashita for visibility 😄
We are seeing a "Resource not accessible by integration" when this is run. Here is our workflow file: https://github.com/freeCodeCamp/freeCodeCamp/actions/runs/2503722663/workflow
Expected Behavior
The workflow should leave a comment on the PR by a first-timer.
Current Behavior
The workflow runs error out.
Possible Solution
Not sure how to approach debugging this better.
Steps To Reproduce
Here is a run with debug logs enabled to help analyze the issue: https://github.com/freeCodeCamp/freeCodeCamp/runs/6906136489?check_suite_focus=true#step:2:31
Error Message & Stack Trace
```txt
##[debug]Evaluating condition for step: 'Run wow-actions/welcome@v1'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run wow-actions/welcome@v1
##[debug]Loading inputs
##[debug]Evaluating: secrets.GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run wow-actions/welcome@v1
  with:
    GITHUB_TOKEN: ***
    FIRST_PR_MERGED: #### :sparkles: :tada: **AWESOME!** :tada: :sparkles:
      Hi @{{ author }},
      Thanks for this pull request and for contributing to the code-base for the first time. We are looking forward to more contributions from you in the future.
      Cheers & happy contributing!
##[debug]event: pull_request
##[debug]action: closed
Error: HttpError: Resource not accessible by integration
Error: Resource not accessible by integration
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run wow-actions/welcome@v1
```
Additional Context
We have set up the workflow as recommended in the docs for the workflow.
Your Environment
GitHub Actions on Ubuntu 20.04
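
The trade-off between `pull_request` and `pull_request_target` discussed in the comment above, shown as an added example that is not from this thread, the freeCodeCamp workflow, or the action's documentation: a `pull_request_target` workflow whose token is narrowed with `permissions:` and that never checks out or runs the pull request's code. The workflow name, the shortened message text, and the assumption that `pull-requests: write` is the only scope the action needs are assumptions.

```yaml
# Added example; workflow name and message text are hypothetical.
name: Welcome first-time contributors

on:
  # pull_request_target runs in the context of the base repository, so the
  # GITHUB_TOKEN can write to the PR even when the PR comes from a fork.
  # With plain pull_request, a fork PR gets a read-only token and the comment
  # call fails with "Resource not accessible by integration".
  pull_request_target:
    types: [closed]   # matches "action: closed" in the debug log

# Listing any scope here sets every unlisted scope to "none", so the token
# cannot push code or touch .github/workflows.
permissions:
  pull-requests: write   # assumption: commenting is all the action needs

jobs:
  welcome:
    # Only merged PRs, not ones closed without merging.
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout step: nothing from the PR's head is
      # fetched, built or executed, so untrusted changes never run next to
      # the write-capable token. Do not add steps that use the PR's contents.
      - uses: wow-actions/welcome@v1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FIRST_PR_MERGED: |
            Hi @{{ author }},
            Thanks for this pull request and for contributing to the code-base for the first time.
```

No other secrets are passed to the step, which keeps the job's exposure to the single scoped token.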