Suddenly getting "Resource not accessible by integration"
Vinnl opened this issue · comments
I'm not sure whether something changed on the side of this GitHub Action or in the GitHub API, but since IIRC last week we're suddenly seeing the first execution of our job to create a GitHub Deployment fail:
Run octokit/request-action@v2.0.23
with:
route: POST /repos/:repository/deployments
repository: inrupt/solid-client-js
ref: 53ef88a177ee432c2942e5f50d6994c00641dc2d
environment: review
transient_environment: true
auto_merge: false
mediaType: {"previews": ["flash", "ant-man"]}
required_contexts: []
env:
CI: true
GITHUB_TOKEN: ***
POST /repos/:repository/deployments
> repository: inrupt/solid-client-js
> ref: 53ef88a177ee432c2942e5f50d6994c00641dc2d
> environment: review
> transient_environment: true
> auto_merge: false
> mediaType: [object Object]
> required_contexts:
Error: Resource not accessible by integration
These are not running in a fork, i.e. they're running in response to PRs from branches in the same repository as the one we want to create a Deployment for. Additionally, this used to work until recently, and after we select "Re-run all jobs" they do succeed. I think it might be just dependabot PRs that are failing in this way, but I haven't been able to verify that yet.
This is our job configuration:
jobs:
prepare-deployment:
runs-on: ubuntu-20.04
outputs:
tag-slug: ${{ steps.determine-npm-tag.outputs.tag-slug }}
deployment-id: ${{ fromJson(steps.create-deployment.outputs.data).id }}
steps:
- name: Create GitHub Deployment
id: create-deployment
uses: octokit/request-action@v2.x
with:
route: POST /repos/:repository/deployments
repository: ${{ github.repository }}
ref: ${{ github.sha }}
environment: review
transient_environment: true
auto_merge: false
mediaType: '{"previews": ["flash", "ant-man"]}'
# The deployment runs in parallel with CI, so status checks will never have succeeded yet:
required_contexts: '[]'
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
AFAIK we didn't make any changes, so any insights on what could be causing this would be much appreciated.
could you enable debugging and share the logs if it fails again?
https://github.com/octokit/request-action#debugging
I can't think of anything that we might have changed on our side. I could imagine that it's a bug introduced by GitHub, or a new setting to your repository/organization around environments maybe?
"Resource not accessible by integration" is an error that you would see if you authenticate as a GitHub App installation and try to send a request that you don't have the permission for. GitHub Actions are implemented using an internal GitHub App, the GITHUB_TOKEN secret is an installation access token. But as far as I know the GITHUB_TOKEN has every possible permission enabled, I didn't know there is anything you couldn't do on the same repository with it
Sorry @gr2m, I'd missed you posted a reply. I just tried it with debugging enabled, but I don't see any additional logs:
Warning: Unexpected input(s) 'repository', 'ref', 'environment', 'transient_environment', 'auto_merge', 'required_contexts', valid inputs are ['route', 'mediaType']
Run octokit/request-action@v2.0.26
with:
route: POST /repos/:repository/deployments
repository: inrupt/solid-client-js
ref: 6e06e916f85c9703a778f857551eb6b767fdc4d6
environment: review
transient_environment: true
auto_merge: false
mediaType: {"previews": ["flash", "ant-man"]}
required_contexts: []
env:
CI: true
GITHUB_TOKEN: ***
POST /repos/:repository/deployments
> repository: inrupt/solid-client-js
> ref: 6e06e916f85c9703a778f857551eb6b767fdc4d6
> environment: review
> transient_environment: true
> auto_merge: false
> mediaType: [object Object]
> required_contexts:
Error: Resource not accessible by integration
I'm not aware of any changes made on our side around environments.
Could it have anything to do with Dependabot being a GitHub App? And if it would be something introduced by GitHub, any idea where we could report that?
Thanks!
Found the source of the issue: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/ (see also dependabot/dependabot-core#3253)
Sorry for the distraction.