MishaKav / pytest-coverage-comment

Comments a pull request with the pytest code coverage badge and full report

Resource not accessible by integration

kir0ul opened this issue

Hi,

I'm trying to use this GH Action in openai/gym#2789. On my fork it seems to work fine: https://github.com/kir0ul/gym/runs/6244334853?check_suite_focus=true, but on the main repo I get Error: HttpError: Resource not accessible by integration: https://github.com/openai/gym/runs/6244334980?check_suite_focus=true.
I tried to modify the permissions as suggested in #30 (comment), but it didn't work.
Is there any way to work around this error?

Try adding pull-requests: write to your permissions for the GITHUB_TOKEN

Thanks for the suggestion!
So I tried it in openai/gym@ab61592 but I still get the same error: https://github.com/kir0ul/gym/runs/6708528879?check_suite_focus=true

@kir0ul can you please try this:

issues: write
pull-requests: write

more info

Thanks @MishaKav! I just tried it in openai/gym@76d6a65 but I also get the same error: https://github.com/kir0ul/gym/runs/6709357231?check_suite_focus=true 😓

I am also encountering the same error myself; any updates on this @MishaKav ? Thanks a lot for your work on this!

I have tested my actions file with the permissions setting below and it works.

jobs:
  pytest:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write

I'm also still seeing this error with the following configuration:

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 8
    permissions:
      pull-requests: write
      contents: read
      id-token: write
    
    steps:
      # ......
      - name: Run Unit Tests with Coverage
        run: make test-cov
      - name: Pytest coverage comment
        uses: MishaKav/pytest-coverage-comment@9689962ff78b20865e4ec0b90789e62309498aab
        with:
          pytest-coverage-path: ./pytest-coverage.txt
          junitxml-path: ./pytest.xml

Looks like you are working from a fork, so you don't have permission to run the action.
It looks like a GitHub issue, as described in actions/first-interaction#10 (comment)

I was able to fix something similar by changing it from push to pull_request

name: Check changes on branch

on:
  pull_request:

Hi there, I will add to this issue, because it fits thematically.

If a PR is merged to master/main, the "pytest-coverage-comment" action tries to comment on a commit on master/main, right?

In my setup it comments perfectly in the PR and after merge, I get:

Error: HttpError: Resource not accessible by integration
Error: Resource not accessible by integration

Is it due to branch protection? Maybe you could add a hint in the documentation about branch protection and the required permissions for the GitHub token please?

Thanks for the great action!

I'm having a similar issue, not sure if it's related


      - name: Run Tests
        run: pytest --junitxml=unit-testresults.xml --cov-report "xml:coverage.xml" --cov=. .
      - name: Pytest Coverage Comment
        uses: MishaKav/pytest-coverage-comment@v1.1.45
        with:
          pytest-xml-coverage-path: coverage.xml
          junitxml-path: unit-testresults.xml
          create-new-comment: true

I get these results

Run MishaKav/pytest-coverage-comment@v1.1.45
  with:
    pytest-xml-coverage-path: coverage.xml
    junitxml-path: unit-testresults.xml
    create-new-comment: true
    github-token: ***
    pytest-coverage-path: ./pytest-coverage.txt
    title: Coverage Report
    badge-title: Coverage
    hide-badge: false
    hide-report: false
    hide-comment: false
    report-only-changed-files: false
    default-branch: main
    remove-link-from-badge: false
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.9.16/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.9.16/x64/lib
File read successfully "/home/runner/work/datatransfer_eligibility_core/datatransfer_eligibility_core/coverage.xml"
Generating coverage report
File read successfully "/home/runner/work/datatransfer_eligibility_core/datatransfer_eligibility_core/unit-testresults.xml"
File read successfully "/home/runner/work/datatransfer_eligibility_core/datatransfer_eligibility_core/unit-testresults.xml"
errors: 0
failures: 0
skipped: 0
tests: 13
time: 36.120
File read successfully "/home/runner/work/datatransfer_eligibility_core/datatransfer_eligibility_core/unit-testresults.xml"
coverage.xml
  coverage: 67%
  color: yellow
Create commit comment

but nothing shows up in the output

Wish I could share more but it's a company repo

Seems like it does all the work but no section is created in the output

I encountered this same error while working on a class project for university. I was able to resolve it after reviewing the GitHub organization and repository documentation for configuring the default GITHUB_TOKEN permissions.

Organization documentation link: https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization

Repository documentation link: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions

Essentially, you need to change the workflow read/write permissions from the defaults on the repository or organization level. I believe that you need to be the owner of the repo/organization to make the change. I have not tried as admin, but I know that you are unable to as a member.

The default settings:
[image]

Settings that fix the error:
[image]

Thanks, this is very helpful

Of course, I'm glad I was able to help! ❤️

My understanding of the issue is that PRs from forked repos can never get write access (and really, they never should).

Seems like a better approach would be to use a separate workflow with read-write access that fetches the coverage artifacts from the read-only workflow, which deals with (untrusted) code from the PR.

I have tried the following in the read-only workflow:

            - name: Unit+doc+integration tests with pytest + coverage
              run: |
                  mkdir -p ./testresults
                  pytest --junitxml=testresults/pytest.xml \
                  --cov-report=term-missing:skip-covered \
                  --cov=speechbrain --cov-context=test \
                  --doctest-modules \
                  ./speechbrain ./tests \
                  | tee testresults/pytest-coverage.txt
            - uses: actions/upload-artifact@v2
              with:
                  name: testresults
                  path: testresults/

and in this as the whole read-write workflow:

name: Comment coverage status on the pull request

on: # yamllint disable-line rule:truthy
    workflow_run:
        workflows: ["SpeechBrain toolkit CI"]
        types:
            - completed

jobs:
    covcomment:
        runs-on: ubuntu-latest
        if: >
            github.event.workflow_run.event == 'pull_request'
        steps:
            - name: 'Download artifact'
              uses: actions/github-script@v7.0.1
              with:
                  script: |
                      var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
                          owner: context.repo.owner,
                          repo: context.repo.repo,
                          run_id: ${{ github.event.workflow_run.id }},
                      });
                      var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
                          return artifact.name == "testresults"
                      })[0];
                      var download = await github.rest.actions.downloadArtifact({
                          owner: context.repo.owner,
                          repo: context.repo.repo,
                          artifact_id: matchArtifact.id,
                          archive_format: 'zip',
                      });
                      var fs = require('fs');
                      fs.writeFileSync('${{github.workspace}}/testresults.zip', Buffer.from(download.data));
            - run: unzip testresults.zip
            - name: Read the pull_request_number.txt file
              id: pr_id_reader
              uses: juliangruber/read-file-action@v1.1.6
              with:
                  path: ./issue_id.txt
            - name: Pytest coverage comment
              uses: MishaKav/pytest-coverage-comment@main
              with:
                  pytest-coverage-path: ./pytest-coverage.txt
                  junitxml-path: ./pytest.xml
                  hide-report: True
                  issue-number: ${{ steps.pr_id_reader.outputs.content }}

However, this fails to send a comment on the PR because the workflow type is workflow_run, even though I specified issue-number. Wouldn't it work to just allow trying to push the comment if issue-number is specified?

Additionally, this approach has the downside that only showing the modified files in the table is not possible as is... On a side note, it would be nifty if the table could be omitted when the comment is found to be too long.

Is there a simpler way I've missed?
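
The read-write workflow in the comment above consumes files from an artifact built by a job that ran pull-request code, so `issue_id.txt` and the archive's member names are untrusted input to it. The following is an added example, not part of the original thread or of the action's code: two shell functions for a step between the download and the comment step. The function names and the 12-byte size limit are assumptions; the file names are the ones used in the workflows above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): checks for files that came out of an
# artifact uploaded by the read-only pull_request workflow.

# Print the PR number stored in FILE. Fail unless the file is a small regular
# file holding exactly one positive decimal integer plus optional newlines.
read_pr_number() {
    local file="$1" size junk value
    [ -f "$file" ] && [ ! -L "$file" ] || { echo "not a regular file" >&2; return 1; }
    size=$(( $(wc -c < "$file") ))
    [ "$size" -le 12 ] || { echo "too large: $size bytes" >&2; return 1; }  # assumed limit
    # Any byte other than a digit or newline (NUL included) is rejected.
    junk=$(( $(LC_ALL=C tr -d '0-9\n' < "$file" | wc -c) ))
    [ "$junk" -eq 0 ] || { echo "non-digit bytes in file" >&2; return 1; }
    value=$(cat "$file")    # command substitution drops trailing newlines only
    case $value in
        ''|0*|*[!0-9]*) echo "not a single positive integer" >&2; return 1 ;;
    esac
    printf '%s\n' "$value"
}

# Read archive member names from stdin, one per line (for example the output
# of `unzip -Z1 testresults.zip`), and fail if any name is not one of the
# report files the read-only workflow is expected to upload.
check_members() {
    local name rc=0
    while IFS= read -r name; do
        case $name in
            pytest.xml|pytest-coverage.txt|issue_id.txt) ;;
            *) echo "unexpected archive member: $name" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}
```

Extracting the archive into its own directory rather than the workspace root keeps the checked files separate from anything else the job reads.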

Oh! I think I get it! I was having a similar problem even after adding the following code and following Ryan's suggestion

on:
    push:
      branches:
        - master
    pull_request:

jobs:
  build-test:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        python-version: ["3.9"]
    permissions:
      issues: write
      pull-requests: write
    steps:
    - name: Checkout
      uses: actions/checkout@v3
    # <---- Snip ---->

    - name: Pytest coverage comment
      uses: MishaKav/pytest-coverage-comment@main
      with:
        pytest-xml-coverage-path: ./coverage.xml
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

I noticed that it passed on pushing to my feature, but failed on merging to master. So, I added contents: write based on this comment and it then passed on merge.

So basically, I think I will set pytest-coverage-comment to not run on merge with an if condition as I think it is not required at that stage.

Hopefully this is useful for someone! :)

Also may be solved with workflow_run like in this example #153

Hello! For some reason I get this error on pull requests created by dependabot.

Running:
git commit --amend --no-edit && git push --force
on the branch seems to fix the issue.

Maybe this is a permission issue with dependabot?

Edit: To answer my own question: Dependabot permissions are by default set to read-all. Changing the permissions for the workflow fixed the issue.

I have tried adding permission to the job

    permissions:
      checks: write
      id-token: write
      issues: write
      pull-requests: write

Everything works fine if the workflow is triggered with a manual dispatch;
however, if the workflow is triggered by a branch push, then I get the error

Error: HttpError: Resource not accessible by integration
Error: Resource not accessible by integration

I am very confused by why it behaves differently depending on the event that triggers the workflow.

I added the pull-requests: write permissions at the root of my workflow file and also removed the on: push, so only the pull_request trigger remains; that solved it for me.