"Error: Resource not accessible by integration" when using Dependabot #298
Comments
|
Opened a community issue, will make PR's when there comes a working set of permissions from there: https://github.saobby.my.eu.orgmunity/t/permissions-nesecary-to-comment-on-a-pr/179047
|
|
I recently split my This action thankfully has the I wasn't fond of the copy/paste of scripts (especially since I have to hand off to other project maintainers), so this action + a popular download artifact action (which supports artifacts from other workflows) helped simplify that 👍 Try something like this: Workflow 1 ( name: 'PR event for comment'
on:
pull_request:
jobs:
prep-comment-event:
name: 'Prep for comment action'
runs-on: ubuntu-20.04
steps:
- name: 'Prepare artifact for transfer'
run: |
# Save ENV for transfer
echo "PR_HEADSHA=${{ github.event.pull_request.head.sha }}" >> pr.env
echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> pr.env
echo "PR_TITLE=${{ github.event.pull_request.title }}" >> pr.env
- name: 'Upload artifact for workflow transfer'
uses: actions/upload-artifact@v2
with:
name: pr-metadata
path: pr.env
retention-days: 1Workflow 2 ( name: 'Comment on PR'
on:
workflow_run:
workflows: ["PR event for comment"]
types:
- completed
jobs:
comment:
name: 'Comment on PR'
runs-on: ubuntu-20.04
if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
steps:
- name: 'Download build artifact'
uses: dawidd6/action-download-artifact@v2
with:
github_token: "${{ secrets.GITHUB_TOKEN }}"
run_id: ${{ github.event.workflow_run.id }}
workflow: pr-comment.yml
name: pr-metadata
- name: 'Restore preserved ENV'
run: cat pr.env >> "${GITHUB_ENV}"
- uses: marocchino/sticky-pull-request-comment@v2
with:
number: ${{ env.PR_NUMBER }}
message: |
Comment on PR #${{ env.PR_NUMBER }} is ready! :tada:
Triggered via PR commit: ${{ env.PR_HEADSHA }}You can do a build or anything else in the first workflow that doesn't require secrets, that is for running untrusted third-party code (the reason Github prevents non-collaborators PRs from having secrets available). Then you can use upload to volley the data you need over to the 2nd workflow (this one runs from master/main branch), I show how to store some values into ENV and read in that file contents as ENV to use for the actions needing a secure context. It's definitely not as elegant or simple as I'd want it. In my case I'm doing a deploy that needs secrets, so I doubt I can keep it as a single workflow. |
|
I made a wrap so that I can simply put it in the output from the artifact, but I'd be happy if this helps.
|
|
Having a look at both, thanks! This turned out to be a lot more complicated then I thought :( |
|
I am sorry for that. 😢 This error did not exist before and is due to a policy change in GitHub. There seems to be no way unless GitHub changes thier minds. |
|
Hey if anything I'm annoyed at GitHub, not at you @marocchino 😄 . Will have a few tries at it this week to come up with the most concise solution. |
|
There are some actions that help simplify the workflow example I gave further, but I try to avoid relying on third-party too much. If you do find a better solution do share here :) |
|
Will do, been tweeting with someone from Dependabot yesterday about this which gave some interesting insights to make it simpler. But need to confirm a few things before testing that possibility out. |
|
Came to this solution in my case, not using this action since I wanted to provide the simplest set up possible for it's users, but it should also work for this action: name: Composer Diff
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
permissions:
pull-requests: write
jobs:
comment-composer-lock-diff:
name: Comment composer.lock diff
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Comment composer.lock diff
uses: WyriHaximus/github-action-composer.lock-diff@main
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
|
Ow for reference here is the Twitter thread, thought I posted this last week already: https://twitter.com/WyriHaximus/status/1393679576828686340
|
EDIT: Can probably ignore the collapsed content below. Note you can use v2 checkout and get the same intent IIRC, it's just an explicit option to not get a shallow checkout. Should be documented on the action README. Original comment with quotes and questionsI quote from that blog post some snippets related to two concerns, plus some extra related quotes that might be helpful to anyone not wanting to read the whole article: Concern 1
Since you're sharing the workflow I assume it does provide some meaningful diff as intended, but did you test updating the pull request which would change the diff and find that change is correctly picked up by your workflow, or does it remain the same? These blog post snippets seem relevant?:
My understanding of this is that if you're creating a PR for master branch, then when using Concern 2Your checking out code step seems to be advised against?:
**EDIT: It seems I might have misunderstood as this line references an example that uses the checkout action with a ref to the pull request head commit SHA:
Thus they do explicitly checkout the PR contents instead of the target branch commit contents (which would have none of the PR afaik) Still, you probably want to be careful when advising users with that snippet elsewhere. Be sure to make them aware that there are security risks if they modify it to include steps that are vulnerable as described in the blog post. And I assume your custom action is just doing a diff on the composer lock file, no downloading/running of dependencies that the contributor could add to a PR, just diffing dependencies? Other useful highlights from that linked article:
That last line is specifically stating that building/running content of PR is dangerous when it's from an untrusted third-party, thus users must be careful not to do that with
|
|
@polarathene Thanks for your long write up, will read it entirely later because my eye caught some interesting notes in there. About the announce the action on Twitter, but before that, I wanted to be sure of absolutely one thing: Changing the workflow in the PR doesn't run the changes made to the workflow with elevated permissions. So I asked a friend to make a PR altering the workflow and observe the output of the workflow. The PR https://github.com/WyriHaximus/github-action-composer.lock-diff/pull/35/files makes an innocent change, but the workflow from the default branch is executed: https://github.com/WyriHaximus/github-action-composer.lock-diff/runs/2603184264?check_suite_focus=true And also funny enough GitHub seems to suggest you use this to create comments and add labels:
I Will probably add an extra note about not adjusting without reading those pages thoroughly is not a bad idea. |
Yeah it's fine for that afaik 👍 Just as long as you're not relying on running untrusted code (technically includes any packages that are updated and looks harmless like version bumps from dependabot), Your diff works because your action is indirectly accessing the PR branch, that would be a no-no if a third-party contribution had any ability to manipulate that to run other code, which in this case I don't think it does (I'm not too familiar with PHP so I only glanced over it briefly). Workflows are never run from PR changes afaik, even on |
Yup, but still not happy with it, it's IMHO still to much permissions for what it really needs. Heck I wouldn't mind having to grant permissions per HTP method + path combination.
This is what worries me the most, getting a supply chain attack like that is a P.I.T.A., so going to have to inspect every PR dependabot makes. Which is also where that action comes in handy :D.
Well, this is where I also had lots of fun figuring some things out as it needs both the current and the PR branch HEAD locally. (Just realised the action is missing support for fork PR's to do that properly.) So the only way to get it to work easily was to use checkout v1. Making that there is no need to have write access to contents. (The same should be possible for any other package ecosystem out there.)
Funny enough: I know this, and I still check to be absolutely sure because I don't want to be wrong with these kinds of things. |
Have I misunderstood what you've said, or is the
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.base.sha }}
path: pr_target
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
path: prSomething like that should checkout the target branch for a PR and the PR branch itself into subdirectories to get the composer file to diff against. Note that the PR base ref/SHA may not always be the latest commit for the target branch. You can also as the
If there isn't a need for the git credentials, your I don't know if this applies to composer or other package managers, and when it just comes to diffing it probably doesn't matter at all, but I'd just generally be more concerned about copy/paste users that take your example and modify it with their own additions unaware of the security risks they add to compromising their repo secrets:
You should be able to checkout the PR and generate a diff with the More verbose/hassle but at least there is less risk since when a user needs access to secrets it has to be done in |
* see: marocchino/sticky-pull-request-comment#298 in upstream action repo Signed-off-by: Stephen L Arnold <nerdboy@gentoo.org>
* see: marocchino/sticky-pull-request-comment#298 in upstream action repo Signed-off-by: Stephen L Arnold <nerdboy@gentoo.org>
Ensure the CI job can write back to PRs to post code coverage. Apparently this is a whole thing for forked repos. Please see the following URL for more info: marocchino/sticky-pull-request-comment#298
This patch disables updating PRs with code coverage due to a change in GitHub policy about PRs from forked repos and GH actions. Please see the following URL for more info: marocchino/sticky-pull-request-comment#298
This patch adds a GH action that runs on a merged branch whenever a PR has completed its checks. The new action fetches the stored coverage from the PR and posts it to the PR as a comment. Please see the following URLs for more information: - marocchino/sticky-pull-request-comment#298 - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
This patch adds a GH action that runs on a merged branch whenever a PR has completed its checks. The new action fetches the stored coverage from the PR and posts it to the PR as a comment. Please see the following URLs for more information: - marocchino/sticky-pull-request-comment#298 - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
This patch adds a GH action that runs on a merged branch whenever a PR has completed its checks. The new action fetches the stored coverage from the PR and posts it to the PR as a comment. Please see the following URLs for more information: - marocchino/sticky-pull-request-comment#298 - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
|
Close because there is no activity. |
When using this action on a PR opened by Dependabot I still get the error in the title. Which permissions do I have to set on the workflow to make it work?
The text was updated successfully, but these errors were encountered: