Github action issue : "Resource not accessible by integration" #1314

Closed
sbernard31 opened this issue Sep 19, 2022 · 8 comments
Labels
bug Dysfunctional behavior build / ci All about Build or Continuous Integration

@sbernard31
Contributor

sbernard31 commented Sep 19, 2022

Looking at the #1313 contribution, it seems that there is a permission issue with GitHub Actions.

For each error, a comment should be created in the PR, but we get a "Resource not accessible by integration" error instead.

I personally don't face it, so this is maybe because I have more rights than an external contributor? 🤔

Looking at https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
It seems that the maximum access for forked repos is "read" only ...

So I don't know how to solve it. I will try to get support from Eclipse. It should be a common issue for Eclipse projects.

@adamsero, I saw you fixed several issues reported by the GitHub action. Could you not fix the last one about Check Android API Compliance?

I would like to use the #1313 PR to try to fix this github action issue 🙏

@sbernard31 sbernard31 added bug Dysfunctional behavior build / ci All about Build or Continuous Integration labels Sep 19, 2022
@sbernard31
Contributor Author

Waiting for Eclipse help: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/1953

@sbernard31
Contributor Author

Reading :

I guess the only way for now would be to have 2 jobs:

  • one to build/execute untrusted code using pull_request
  • another to add/delete/upgrade comment using workflow_run
  • data from the first job can be shared with the second job using an artifact (this data should be considered untrusted)

About Test Reports, this is maybe too much work for not so much. So I will just remove it.

Reading all of this about security, I think we should double-check whether the external actions we use come from trusted sources, and for not-so-trusted sources we should:

  • use the full hash of the action we use, with uses: owner/action-name@26968a09c0ea4f3e233fdddbafd1166051a095f6
  • check the code of the corresponding commit.

@sbernard31
Contributor Author

@adamsero, is it something you would like to help with?

Feel free to answer no, if you don't want to play with github actions. 😉

@sbernard31
Contributor Author

sbernard31 commented Sep 27, 2022

I would like to use the #1313 PR to try to fix this github action issue 🙏

As we decided to release an M9 soon, and this GitHub action issue is less "urgent" than the M9, I think that finally we will not use issue #1313 as a testing PR to try to resolve this "Resource not accessible by integration" issue.

We will test with another one later.

@sbernard31
Contributor Author

With commit fdef220, this should be fixed in master.
It should work for contributors without any committer rights (we will see with the next contribution).
I will leave this issue open until we get confirmation that it works as expected.

It was not so easy to come to this solution... I'm really not such a fan of GitHub Actions.
Too many restrictions, like: no loops, cannot use variables in uses or id ...

My current solution uses a lot of actions from the GitHub Actions marketplace, but I'm not sure that was a good idea...

  • that means we need to trust them (a bit mitigated by referring to them via commit full hash instead of version).
  • probably overkill sometimes (e.g. the GitHub action used to read a properties file builds a container from a Dockerfile, and as there is no loop, I'm using the GitHub matrix as a fallback, so this Docker container is built 12 times per contribution ... 😞)

Maybe I should have gone with more shell scripts instead of abusing GitHub Actions.
Anyway, I spent too much time on this, and if it works I will not go further for now.

@sbernard31
Contributor Author

(not directly linked, but I plan to add a GitHub workflow to delete old workflows)

@sbernard31
Contributor Author

It seems it works now, so I close this issue.
