Unable to fetch dependabot metadata with v1.3.0 and `alert-lookup` & `compat-lookup` enabled
SalimBensiali opened this issue · comments
Hi,
Thanks again for latest updates in v1.3.0 incorporating more alert metadata.
I tried enabling the new `alert-lookup` & `compat-lookup` options but I am getting a cryptic message `Error: Resource not accessible by integration` during the "Parsing Dependabot metadata" phase of the action. See the action run at https://github.com/SalimBensiali/le-blanc-jewellery/runs/5545641006?check_suite_focus=true
When not passing the additional options the action runs successfully, but obviously the additional metadata is not available in this case.
Is there anything else I would need to configure? I looked at the documentation and could not find anything else.
Thanks
It turns out the default `secrets.GITHUB_TOKEN` does not have enough permissions to allow access to the Dependabot vulnerabilities GraphQL endpoints. I was able to fix that by creating a PAT with the `public_repo` scope and passing it to the `github-token` action parameter instead. See https://github.com/SalimBensiali/le-blanc-jewellery/blob/584b38d698d92edbd62d5f93ce8d4edf4333d4ca/.github/workflows/dependabot-auto-label.yml#L24
I only found out about this by accident/luck as documentation around this was very limited. See https://chezsoi.org/lucas/blog/listing-all-github-security-alerts-of-a-user-s-projects-using-graphql-and-python.html where it is being mentioned.
To create a PAT see https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
I can raise a PR to add this to the docs.
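A workflow fragment showing the configuration described in the comment above. This is an added example, not the workflow from the linked repository; it assumes the action is `dependabot/fetch-metadata`, that the PAT with the `public_repo` scope is stored as a secret named `DEPENDABOT_PAT`, and that the action exposes the outputs `alert-state` and `ghsa-id`.

```yaml
# Added example, not the workflow from the issue's repository.
# Assumes: action dependabot/fetch-metadata, a PAT with the public_repo scope
# stored as a secret named DEPENDABOT_PAT, and outputs alert-state / ghsa-id.
name: Dependabot auto-label
on: pull_request

# Least privilege for the job's own GITHUB_TOKEN: it is only used to label the PR.
permissions:
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for PRs opened by Dependabot, so the PAT is never handed to
    # workflow runs triggered by other contributors' pull requests.
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.3.0
        with:
          # secrets.GITHUB_TOKEN fails here with
          # "Resource not accessible by integration" once the lookups are on.
          # Runs triggered by Dependabot only see Dependabot secrets, so store
          # DEPENDABOT_PAT under the repository's Dependabot secrets, not Actions.
          github-token: ${{ secrets.DEPENDABOT_PAT }}
          alert-lookup: true
          compat-lookup: true

      - name: Label security updates
        # Only present when alert-lookup found a matching security alert.
        if: ${{ steps.metadata.outputs.alert-state != '' }}
        # Values are passed through env rather than interpolated into the
        # script, so untrusted text cannot be injected into the shell.
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GHSA_ID: ${{ steps.metadata.outputs.ghsa-id }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr edit "$PR_URL" --add-label "security"
          echo "Labelled security update for advisory $GHSA_ID"
```

Rotate the PAT if it is ever exposed; because it carries the `public_repo` scope it grants more than the job's scoped `GITHUB_TOKEN`.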
@SalimBensiali Ah, apologies for that. We have a few places where the `GITHUB_TOKEN` should be substituted for one with augmented permissions.
I need to make some other updates to the documentation so I will incorporate this.