Resource not accessible by integration, GraphqlError: Resource not accessible by integration #1581
Comments
Same issue for me and reproducible in multiple repositories. Each GH action is failing in this line
Also experiencing this failure across all of our repos where we've used it to automate the merging of dependabot PRs, e.g.: https://github.com/catalyst-cooperative/pudl/actions/runs/3327104257
The same problem happens on all repos where I use this action to automate merge process of dependabot PRs such as:
Hi everyone, sorry to hear you have these issues, and thank you for providing the examples. I'm not exactly a contributor to this action, but maybe I'll be able to help investigate this. The first thing that I can see is that the action works as expected across our repositories, for example you can see a recent successful run also triggered by dependabot in this repository itself. Secondly, I would say that the error message gives quite a lot of info: looking at the error message "GraphqlError: Resource not accessible by integration" and the code to which the stacktrace points, I'm quite sure that what fails is this query to GitHub GraphQL API, so it looks like the action fails to fetch branch protection rules, maybe some permissions missing? The main difference that I see between the examples provided here and what this repo uses is the token that authenticates the action. This repository is using a custom one, while all of the failed examples use It also seems that there is some mention of this in the action README, please see for example this section, an excerpt from there:
I would suggest you try creating a custom token and try using that instead of the default Hope this helps.
@aaneitchik you mean the fine-grained tokens that are in beta? Classic/regular tokens have only read-only access to public repositories.
No, definitely not the fine-grained tokens, as they're not supported by the GraphQL API that is used in this action.
Could you please clarify what you mean by that? I definitely could be missing something, but looking at the docs I think you should be able to also grant write permissions to classic tokens as well.
I understand that, but it also continues working for some repositories, that's why I mentioned that it could be that something changed in the GitHub API. Maybe you could also try checking if anything from here applies to your case.
@aaneitchik is right, it's a permissions thing, but it's now apparent that as of the start of the week (2022-10-24) the standard action token cannot access the protected-branches You can replicate what merge-me is doing (thanks to aaneitchik) by having this step; it's a 200 OK, but the error message is effectively the same. c.f. https://github.com/quotidian-ennui/aws-kms-csr/actions/runs/3338749933/jobs/5526810170
If I add my "personal access token" as a secret so merge-me-action is now configured with Note that I did add I don't consider using a PAT a viable solution (it's a temporary work-around) since, from an audit trail perspective, I am marked as having approved the PR and this might matter...
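The failure mode described in the comment above (an HTTP 200 whose body still carries the permission error) is why GraphQL responses have to be checked for an `errors` array rather than by status code. A minimal checker, added here as an example and not taken from the thread or from merge-me-action; the sample body is constructed and `denied_paths` is a hypothetical helper name:

```python
import json

# Message GitHub returns when the token (an "integration") lacks access.
DENIED_MESSAGE = "Resource not accessible by integration"

# Constructed sample body: the layout follows the GraphQL "errors" array,
# the type and path values are assumptions made for illustration.
SAMPLE_BODY = json.dumps({
    "data": {"repository": {"branchProtectionRules": None}},
    "errors": [{
        "type": "FORBIDDEN",
        "path": ["repository", "branchProtectionRules"],
        "message": DENIED_MESSAGE,
    }],
})


def denied_paths(status_code, body):
    """Return the GraphQL paths the token was refused, even on HTTP 200."""
    if status_code in (401, 403):
        # Transport-level refusal: the whole request was rejected.
        return ["<whole request>"]
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise ValueError("response body is not JSON") from exc
    if not isinstance(payload, dict):
        return []
    denied = []
    for err in payload.get("errors") or []:
        if not isinstance(err, dict):
            continue
        message = str(err.get("message", ""))
        # Match on the error type or on the message quoted in this issue.
        if err.get("type") == "FORBIDDEN" or DENIED_MESSAGE in message:
            path = err.get("path") or ["<unknown>"]
            denied.append(".".join(str(part) for part in path))
    return denied


if __name__ == "__main__":
    # A 200 status alone would have hidden this permission failure.
    print(denied_paths(200, SAMPLE_BODY))
```

Run against the output of a workflow step that queries the API, this makes the step fail on a missing permission instead of passing on the status code.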
So.... maybe that's the case here, why the github_token stopped working for dependabot PRs 🤔 not sure though when it was introduced. And yes, PAT works when set up.
@fizyk It also fails for non-Dependabot workflows. Note that PAT isn't the only authentication method that fixes this issue. It is also possible to set up a GitHub App with finer-grained permissions, and impersonate it inside workflows. This is in fact much more secure, and the recommended approach. The permissions required to use this Action are:
Signed-off-by: denis-tingaikin <[email protected]>
Recently this workflow started failing with 'Resource not accessible by integration' when using the default GitHub Actions access token. Ref. ridedott/merge-me-action#1581
@antoineco could you write a bit more about the GitHub app approach? Any specific setting to set on the GitHub Actions?
Sure thing:
Given that probably several people here use this action to auto merge dependabot PRs on free private repositories where branch protection rules are not enforced by GitHub anyway, would it make sense to add an option to not check those when the action is running?
How would you describe the issue?
https://github.com/ClearcodeHQ/jira_timemachine/actions/runs/3327307904/jobs/5501967216
I'm getting this weird bug across all repositories I have. It happens after I merge the dependabot's pull requests (major version change so I have to do it manually) to main branch.
How can we reproduce the issue?
Not sure, merge something dependabot updates to major version to master?
What are the expected results?
One out of three:
What are the actual results?
https://github.com/ClearcodeHQ/jira_timemachine/actions/runs/3327307904/jobs/5501967216
How much does it hurt?
Not sure yet, worst case scenario, if it fails on all PRs, then that means I'll have to merge even the patch dependabot updates across many of my repositories, if it's main branch only, that means a lot of spam emails. It fails also on regular patch updates so that means that the action does not work currently at all.
https://github.com/ClearcodeHQ/pytest-dynamodb/actions/runs/3326150718