-
Notifications
You must be signed in to change notification settings - Fork 510
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG: githubv4.Query: Resource not accessible by integration in Branch-Protection #1097
Comments
Possibly similar to actions/first-interaction#10. Need to investigate further. |
This seems to still be occurring: https://github.com/ossf/scorecard/security/code-scanning/2869?query=ref%3Arefs%2Fheads%2Fmain |
another occurrence in step-security/agent#35 (comment) |
another one #1074 (comment) |
Apparently, this happened all the time in step-security/agent#35 (comment) |
I see this error both for pull requests and push. BTW this error is probably due to a token permissions issue. The workflow only has |
I agree it looks like a permission problem. We use Mhhhh.. this page https://docs.github.com/en/graphql/guides/forming-calls-with-graphql states If that's the reason, looks like we would either need to use the RESTful APIs for the GitHub action, or disable branch protection in GitHub action. We initially moved away from REST APIs to graphQl because of rate limiting. In the case of a GitHub action, developers only need to access their own repo so we don't really need to worry about rate limiting: that seems to be confirmed since other checks use REST APIs and appear to be working as expected. @azeemsgoogle wdut? |
@josepalafox the graphQl APIs seem to require a PAT/OAuth token and don't automatically work with the GitHub token provisioned to workflows. Do you know the reasoning behind this? Is there a particular permission needed for the workflow GitHub token to make this work? |
JFYI - I realized that looking up branch protection requires |
Interesting, thanks for sharing! I don't understand why the GitHu tokens have different permission models though :/ |
The issue is that the generic actions does not get the right permissions.
User will need to generate PAT and store as a secret to use in actions.
This can be described as a configuration step.
…On Thu, Dec 2, 2021, 16:49 laurentsimon ***@***.***> wrote:
Interesting, thanks for sharing!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1097 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AALPN2EQMJGB7BIJEF7UY2TUPAH2ZANCNFSM5FFVKYEA>
.
|
Thanks for the info! Do you know the reasoning behind this? Is there a security concern? Or is this something that may get fixed in the future? |
This is evidently an intentional design limitation and exists across
multiple API services for security purposes.
…On Fri, Dec 3, 2021, 10:57 laurentsimon ***@***.***> wrote:
Thanks for the info! Do you know the reasoning behind this? Is there a
security concern? Or is this something that may get fixed in the future?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1097 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AALPN2BFNOUVKIYWYZ6M4RLUPEHKFANCNFSM5FFVKYEA>
.
|
@laurentsimon, if this is the case, then moving to REST API won't solve the problem. Basically, we'll need PAT if we want to run Branch-Protection. Have you tried running the Action without the Branch-Protection check if that works? |
yes I meant to mention that. It may be the case that REST APIs will never work. I have a TODO item to test it out in the action using |
SG. Will assign this to you for now. Can close this issue after confirming. |
@josepalafox reviving this thread. As we try to make scorecard as friction-less as possible for installation, we realize the PAT requirement does create friction. I wanted to understand what you meant by What can workflow tokens not expose a read permission to read branch protection settings? What is the security concern? |
I was sort of just repeating an answer I was given internally. I'll poke
around. My general sense is that you don't want to expose all the branch
protection rules because it essentially explains what review policies are
for contributions.
…On Wed, Jan 26, 2022 at 8:06 AM laurentsimon ***@***.***> wrote:
@josepalafox <https://github.com/josepalafox> reviving this thread. As we
try to make scorecard as friction-less as possible for installation, we
realize the PAT requirement does create friction. I wanted to understand
what you meant by This is evidently an intentional design limitation and
exists across multiple API services for security purposes.
What can workflow tokens not expose a read permission to read branch
protection. What is the security concern?
I know there's a new token-id permission that was introduced for OIDC,
for example.
—
Reply to this email directly, view it on GitHub
<#1097 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AALPN2BROSONXQEOIOYO47DUYALXPANCNFSM5FFVKYEA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Jose Palafox
Technical Partnerships and Engineering @ GitHub
***@***.***
503.877.2403
|
Thanks Jose. Let us know what you find. So long as the permission is controlled by a workflow field, it does not strike me as being more dangerous than |
Feedback from our team is that to get branch protection rules you'd have to have admin:read which is too broad to enable. cc @cschleiden |
Thanks for the info. Fyi, branch protection is accessible with a PAT owned by a non-repo maintainer, except 3 settings that require Also, in general, using ephemeral workflow tokens is beneficial because PATs cannot be rotated easily. Let me know if I mis-understood something. |
Hi. It's been a while since this issue is open. Is there any support planned for private repos ? I found the following on the scorecard actions docs.
This implies using scorecard on private repositories is risky by design... |
The fine-grained PAT should help aleviate this. But we'll need to update our instructions at: It will probably also need read permissions to a few more fields for private repos (I'm guessing
I believe this has been resolved in the slack, but the classic PATs need the Note: Hopefully all of this will be a problem of the past soon due to Repository Rules (see: #3326) |
Document on the Scorecard repo pointing to the scorecard-action documentation, which may need to be updated for clarity as well. |
An interesting error came up in the run for the GitHub action https://github.com/ossf/scorecard/security/code-scanning/2869?query=ref%3Arefs%2Fheads%2Fmain
error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Note: this was for a push event, not a PR. Let's see if this continues in next push. It did not happen before in previous pushes.
I've never seen it before. @azeemsgoogle ideas?
The text was updated successfully, but these errors were encountered: