Default action triggers HTTP 403 Permissions Error

Question

Default action triggers HTTP 403 Permissions Error

hydrosquall opened this issue 2 years ago · comments

On my first run of a public repo using this template, my action was unable to complete. I suspect I could work around it if I create a personal access token with elevated permissions as an environment variable, but it doesn't look like from the setup guide for this repository that this extra step should be necessary.

Example failed run: https://github.com/hydrosquall/shot-scraper-strava-datadog/runs/6220621197?check_suite_focus=true

Simon Willison · Answer 1 · Fri Apr 29 2022 08:23:20 GMT+0800 (China Standard Time)

This is odd. I'm suspicious that GitHub may have changed something here.

I think there may be a fix involving https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs - but I can't find anything anywhere saying that they've changed how the default permissions work.

Simon Willison · Answer 2 · Fri Apr 29 2022 08:23:58 GMT+0800 (China Standard Time)

Created this repo just now to see if I can replicate the error: https://github.com/simonw/shot-scraper-template-issue-8

Simon Willison · Answer 3 · Fri Apr 29 2022 08:24:38 GMT+0800 (China Standard Time)

Yes! That did indeed recreate the error:

https://github.com/simonw/shot-scraper-template-issue-8/runs/6220830646?check_suite_focus=true

[main 4eb8f1d] Fri Apr 29 00:24:07 UTC 2022
 2 files changed, 3 insertions(+)
 create mode 100644 shot.png
 create mode 100644 shots.yml
Current branch main is up to date.
remote: Permission to simonw/shot-scraper-template-issue-8.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/simonw/shot-scraper-template-issue-8/': The requested URL returned error: 403

Simon Willison · Answer 4 · Fri Apr 29 2022 08:25:06 GMT+0800 (China Standard Time)

OK, this is really bad. All of my previous examples of building GitHub Actions that commit back to the repo are likely broken!

I'll see if I can fix this template repository first.

Simon Willison · Answer 5 · Fri Apr 29 2022 08:25:45 GMT+0800 (China Standard Time)

The fix is actually in my blog entry from this morning: https://simonwillison.net/2022/Apr/28/issue-on-changes/

permissions:
  contents: write

Simon Willison · Answer 6 · Fri Apr 29 2022 08:27:34 GMT+0800 (China Standard Time)

Yup, that fixed it: https://github.com/simonw/shot-scraper-template-issue-8/actions/runs/2242683626 ran fine and the screenshot is now in that repo: https://github.com/simonw/shot-scraper-template-issue-8/blob/main/shot.png

Simon Willison · Answer 7 · Fri Apr 29 2022 08:29:09 GMT+0800 (China Standard Time)

OK, creating a new repository from this template should now work again.

Simon Willison · Answer 8 · Fri Apr 29 2022 08:55:12 GMT+0800 (China Standard Time)

Asked about this on the GitHub support forum: https://github.community/t/did-something-change-permissions-content-write-didnt-used-to-be-required/247769