"Resource not accessible by integration", despite permissions settings on private repo
schlosser opened this issue
Hi there! I ran into the Resource not accessible by integration issue, and found #76. I've adjusted my organization / repo settings to be maximally permissive:
but I continue to see this error. Is it possible to use this action on private repo dependabot (fork) PRs? Or is the only solution to skip all create-or-update-comment steps on fork PRs?
Hi @schlosser
Dependabot is a special case. By default it does not have access to your secrets and if your workflow triggered by dependabot needs a secret to run then you must create a dependabot secret.
See here for details:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#accessing-secrets
Thanks Peter! Strangely, I have the same secrets setup in dependabot secrets as my actions secrets; the rest of my steps work fine, but my create-or-update-comment step is throwing the error. I think that all it should need secrets-wise is my GITHUB_TOKEN. Do I need to explicitly add GITHUB_TOKEN to my dependabot secrets? My reading of the docs made it look like it should be included automatically in the environment. Is there a way I could debug the token further?
For the default GITHUB_TOKEN there is a separate section in the doc about how to give it further permissions.
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#changing-github_token-permissions
It will need issues: write and/or pull-requests: write.
Ah! That's almost certainly it. Thanks for the pointer! Have been hunting and hunting for this. Appreciate it!
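The fix discussed in this thread, sketched as a workflow file. This is an added example, not taken from the thread or from the action's own documentation. The file name, job name, comment body and the `peter-evans/` owner prefix are assumptions, and `<version>` is a placeholder to replace with the release you use.

```yaml
# Hypothetical file: .github/workflows/pr-comment.yml (added example)
name: PR comment
on: pull_request

jobs:
  comment:
    runs-on: ubuntu-latest
    # Workflows triggered by Dependabot PRs receive a read-only GITHUB_TOKEN
    # by default. Declaring permissions here raises only the scopes listed;
    # any scope not listed is set to none, so contents: read is kept for
    # steps that check out the repository.
    permissions:
      contents: read
      issues: write          # comments are created through the issues API
      pull-requests: write   # needed when the comment targets a pull request
    steps:
      - name: Create or update comment
        # <version> is a placeholder, not a real tag
        uses: peter-evans/create-or-update-comment@<version>
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            Checks finished for this Dependabot PR.
```

Scoping the `permissions` block to the one job that posts the comment keeps every other job in the workflow on the read-only default.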