Necessary Permissions for Required Review action are unclear or incomplete #40626

Closed
wAuner opened this issue Dec 16, 2024 · 3 comments · Fixed by #40633

Comments


wAuner commented Dec 16, 2024

Impacted plugin

None / Other

Quick summary

I'm failing to set up the Required Review GitHub action.
I did create a GitHub app with these permissions:

  • Repository permissions:
    • Checks: read and write
    • Metadata: read
    • Pull requests: read
  • Organization permissions:
    • Members: read

But the action still fails with this trace:

Error: Resource not accessible by integration
HttpError: Resource not accessible by integration
    at /home/runner/work/_actions/Automattic/action-required-review/node_modules/.pnpm/@[email protected]/node_modules/@octokit/request/dist-node/index.js:86:1
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Object.status (/home/runner/work/_actions/Automattic/action-required-review/v3/webpack:/required-review/src/reporter.js:31:1)
    at main (/home/runner/work/_actions/Automattic/action-required-review/v3/webpack:/required-review/src/main.js:94:1)
HttpError: Resource not accessible by integration
    at /home/runner/work/_actions/Automattic/action-required-review/node_modules/.pnpm/@[email protected]/node_modules/@octokit/request/dist-node/index.js:86:1
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Object.status (/home/runner/work/_actions/Automattic/action-required-review/v3/webpack:/required-review/src/reporter.js:31:1)
    at main (/home/runner/work/_actions/Automattic/action-required-review/v3/webpack:/required-review/src/main.js:118:1)

The description of the required permissions in the comment is this:

    # GitHub Access Token. The user associated with this token will show up
    # as the "creator" of the status check, and must have access to read
    # pull request data, create status checks (`repo:status`), and to read
    # your organization's teams (`read:org`).

Am I missing a permission or is this something else?

The problematic line seems to be this one:

await octokit.rest.repos.createCommitStatus( req );

The name suggests that it might be missing the Commit statuses permission, but I don't see that mentioned anywhere.

Steps to reproduce

  1. Install a GitHub app with the above-mentioned permissions
  2. Use this pipeline definition:
  reviewcheck:
    name: Checking required reviews
    runs-on: ubuntu-latest
    steps:
    - name: Generate Token
      uses: actions/create-github-app-token@v1
      id: generate_token
      with: 
        app-id: ${{ vars.REQUIRED_REVIEWS_APP_ID }}
        private-key: ${{ secrets.REQUIRED_REVIEWS_PRIVATE_KEY }}
    - name: Checkout
      uses: actions/checkout@v4
      with:
        lfs: true
    - uses: Automattic/action-required-review@v3
      with:
        token: ${{ steps.generate_token.outputs.token }}
        requirements-file: .github/required-review-config.yml
        request-reviews: true

OpenAI suggested the following labels for this issue:

  • [Feature Group] Support: The issue relates to a need for assistance regarding GitHub actions and required permissions.
  • [Feature] Error Reporting: The action failed with a specific error message, indicating an issue that could benefit from error reporting mechanisms.
  • [Feature] Manage: The task at hand involves managing GitHub app permissions, which falls under management features.


jeherve commented Dec 16, 2024

> The name suggests that it might be missing the Commit statuses permission, but I don't see that mentioned anywhere.

The repo status permission is what you're looking for. Here is what it looks like in the GitHub token settings:

Image

> name: Generate Token
> uses: actions/create-github-app-token@v1
> id: generate_token

What happens when you use a personal access token instead of using that action to generate an app token?

@jeherve jeherve added the [Status] Needs Author Reply We would need you to make some changes or provide some more details about your PR. Thank you! label Dec 16, 2024

anomiex commented Dec 16, 2024

Yes, you need the "Commit statuses" permission.

GitHub has two different permission systems now, one for OAuth apps and classic access tokens and another for GitHub Apps and fine-grained access tokens. The quoted documentation only documented the former. I've created #40633 to update the docs with the latter too.

@github-actions github-actions bot removed the [Status] Needs Author Reply We would need you to make some changes or provide some more details about your PR. Thank you! label Dec 16, 2024
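
The permission gap resolved in this thread can be caught before the workflow runs. The following is an added example, not code from action-required-review: it compares a token's granted permissions with the three needs named in the thread. The function name `auditPermissions`, the `REQUIRED` map and the permission key names (`statuses`, `pull_requests`, `members`, `checks`, `metadata`) are assumptions modelled on the `permissions` object GitHub returns for an app installation token.

```javascript
// Added example: not part of action-required-review.
// Permission levels used by GitHub Apps and fine-grained tokens, weakest first.
const LEVELS = ['none', 'read', 'write', 'admin'];
const rank = (level) => Math.max(0, LEVELS.indexOf(level)); // unknown -> none

// Needs named in this thread, written as fine-grained permission keys.
// Assumption: key names follow the API's `permissions` object.
const REQUIRED = {
  statuses: 'write',     // "Commit statuses": createCommitStatus()
  pull_requests: 'read', // read pull request data
  members: 'read',       // read the organization's teams
};

// Compare a token's granted permissions with what the action needs.
// `missing` is what surfaced here as "Resource not accessible by integration";
// `extra` lists grants outside REQUIRED, to review under least privilege.
function auditPermissions(granted, required = REQUIRED) {
  const missing = [];
  const extra = [];
  for (const [name, need] of Object.entries(required)) {
    const have = granted[name] ?? 'none';
    if (rank(have) < rank(need)) missing.push({ name, need, have });
  }
  for (const [name, have] of Object.entries(granted)) {
    if (name === 'metadata') continue; // mandatory for GitHub Apps, not audited
    if (!(name in required) && rank(have) > 0) extra.push({ name, have });
  }
  return { ok: missing.length === 0, missing, extra };
}

// Constructed input: the app permissions listed in the issue report.
const REPORTED = {
  checks: 'write',
  metadata: 'read',
  pull_requests: 'read',
  members: 'read',
};

console.log(JSON.stringify(auditPermissions(REPORTED), null, 2));
```

For the reported app this flags `statuses` as missing and `checks` as a grant outside the required set: the Checks permission does not cover the commit status call.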