I'm implementing some of the fixes that Scorecard is suggesting. I am currently fixing up Token-Permissions that are being flagged in some of our workflows. So accordingly I have changed the top (i.e. workflow) level permissions as such:
and added the needed permissions to the job:
But now in the PR where I am doing this AND have added the Scorecard workflow I am getting new errors from making the suggested change:
But if the above moving of the `checks: write` permission from the workflow permissions to the job permissions is the right thing to do, why am I still getting a Check failure for Token-Permissions? It is most certain that a job in the workflow needs `checks: write` as it breaks if I remove it:
```
2024-04-02 23:22:51 +0000 - publish - INFO - Available memory to read files: 140.7 GiB
2024-04-02 23:22:51 +0000 - publish - INFO - Reading JUnit XML files Functional on EL 8.8/**/results.xml (11 files, 4.3 KiB)
2024-04-02 23:22:51 +0000 - publish - INFO - Finished reading 11 files in 0.00 seconds
2024-04-02 23:22:52 +0000 - publish - INFO - Publishing failure results for commit c65e6b9f1ce7d85b35a1989e0fe1af0492404884
Request POST /repos/daos-stack/daos/check-runs failed with 403: Forbidden
2024-04-02 23:22:53 +0000 - github.GithubRetry - INFO - Request POST /repos/daos-stack/daos/check-runs failed with 403: Forbidden
Traceback (most recent call last):
  File "/action/publish_test_results.py", line 546, in <module>
    main(settings, gha)
  File "/action/publish_test_results.py", line 269, in main
    Publisher(settings, gh, gha).publish(stats, results.case_results, conclusion)
  File "/action/publish/publisher.py", line 233, in publish
    data = self.publish_check(data)
  File "/action/publish/publisher.py", line 461, in publish_check
    check_run = self._repo.create_check_run(name=self._settings.check_name,
  File "/usr/local/lib/python3.8/site-packages/github/Repository.py", line 3793, in create_check_run
    headers, data = self._requester.requestJsonAndCheck(
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 537, in requestJsonAndCheck
    return self.__check(*self.requestJson(verb, url, parameters, headers, input, self.__customConnection(url)))
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 702, in requestJson
    return self.__requestEncode(cnx, verb, url, parameters, headers, input, encode)
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 799, in __requestEncode
    status, responseHeaders, output = self.__requestRaw(cnx, verb, url, requestHeaders, encoded_input)
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 833, in __requestRaw
    response = cnx.getresponse()
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 195, in getresponse
    r = verb(
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 637, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 938, in urlopen
    retries = retries.increment(method, url, response=response, _pool=self)
  File "/usr/local/lib/python3.8/site-packages/github/GithubRetry.py", line 183, in increment
    raise Requester.createException(response.status, response.headers, content) # type: ignore
github.GithubException.GithubException: 403 {"message": "Resource not accessible by integration", "documentation_url": "https://docs.github.com/rest/checks/runs#create-a-check-run"}
```
So what's my path forward here given this new Token-Permissions error when taking the suggested action?
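The permission layout described in the post, written out as an added example that is not the poster's workflow or the project's own file: a read-only workflow default with `checks: write` scoped to the one job that creates check runs. The workflow, job and script names and the `<...>` placeholders are assumptions.

```yaml
# Constructed example: workflow, job and script names are hypothetical.
name: unit-tests

on:
  pull_request:

# Workflow level: read-only default for every job that does not override it.
# Before the change described in the post, `checks: write` sat at this level
# and therefore applied to every job in the workflow.
permissions:
  contents: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    # No `permissions:` key here, so the job inherits the workflow default.
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder pin
      - run: ./run-tests.sh                        # hypothetical; writes JUnit XML

  publish-results:
    needs: build-and-test
    runs-on: ubuntu-latest
    # Job level: this block replaces the workflow-level block for this job,
    # and any scope not listed here is set to `none`, so read scopes the job
    # still needs must be repeated.
    permissions:
      contents: read
      checks: write   # required for POST /repos/{owner}/{repo}/check-runs
    steps:
      - uses: <publish-action>@<full-commit-sha>   # placeholder for the publishing action
```

Without `checks: write` on the publishing job, the check-run request is rejected with the `403 ... Resource not accessible by integration` response shown in the log above.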