Default action triggers HTTP 403 Permissions Error
hydrosquall opened this issue
On my first run of a public repo using this template, my action was unable to complete. I suspect I could work around it if I create a personal access token with elevated permissions as an environment variable, but it doesn't look like from the setup guide for this repository that this extra step should be necessary.
Example failed run: https://github.com/hydrosquall/shot-scraper-strava-datadog/runs/6220621197?check_suite_focus=true
This is odd. I'm suspicious that GitHub may have changed something here.
I think there may be a fix involving https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs - but I can't find anything anywhere saying that they've changed how the default permissions work.
Created this repo just now to see if I can replicate the error: https://github.com/simonw/shot-scraper-template-issue-8
Yes! That did indeed recreate the error:
https://github.com/simonw/shot-scraper-template-issue-8/runs/6220830646?check_suite_focus=true
```
[main 4eb8f1d] Fri Apr 29 00:24:07 UTC 2022
2 files changed, 3 insertions(+)
create mode 100644 shot.png
create mode 100644 shots.yml
Current branch main is up to date.
remote: Permission to simonw/shot-scraper-template-issue-8.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/simonw/shot-scraper-template-issue-8/': The requested URL returned error: 403
```
OK, this is really bad. All of my previous examples of building GitHub Actions that commit back to the repo are likely broken!
I'll see if I can fix this template repository first.
The fix is actually in my blog entry from this morning: https://simonwillison.net/2022/Apr/28/issue-on-changes/
```yaml
permissions:
  contents: write
```
Yup, that fixed it: https://github.com/simonw/shot-scraper-template-issue-8/actions/runs/2242683626 ran fine and the screenshot is now in that repo: https://github.com/simonw/shot-scraper-template-issue-8/blob/main/shot.png
OK, creating a new repository from this template should now work again.
Asked about this on the GitHub support forum: https://github.community/t/did-something-change-permissions-content-write-didnt-used-to-be-required/247769
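For context on where the two-line fix from this thread sits, here is an added example workflow. It is not the template repository's own file: the workflow name, job name, placeholder step, output file and bot identity are all hypothetical. It grants `contents: write` only to the job that pushes and keeps the workflow-level default read-only.

```yaml
# Added example: hypothetical workflow, not the template repository's own file.
name: Commit generated file back to the repo

on:
  workflow_dispatch:

# Workflow-level default: every job starts with a read-only GITHUB_TOKEN,
# regardless of the repository's "Workflow permissions" setting.
permissions:
  contents: read

jobs:
  generate-and-commit:
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job only.
    # Any scope not listed here is set to "none" for GITHUB_TOKEN.
    permissions:
      contents: write   # required for `git push` back to this repository
    steps:
      - uses: actions/checkout@v3
      - name: Generate output (placeholder for the real work)
        run: date -u > generated.txt
      - name: Commit and push if something changed
        run: |
          # Constructed bot identity for the commit author
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          # `git diff --cached --quiet` exits 0 when nothing is staged,
          # so the commit only runs when there is a change to record
          git diff --cached --quiet || git commit -m "Update generated.txt"
          git push
```

Without the job-level block, the push step fails with the same 403 shown in the log above whenever the token's default permission for `contents` is read-only.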