Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resource not accessible by integration #8843

Closed
serathius opened this issue Apr 24, 2022 · 7 comments
Closed

Resource not accessible by integration #8843

serathius opened this issue Apr 24, 2022 · 7 comments
Labels
question Further information is requested

Comments

@serathius
Copy link

Description of the issue

Etcd CodeQL analysis is broken returning 403. etcd-io/etcd#13978

RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v1/node_modules/@octokit/request/dist-node/index.js:66:[2](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:2)[3](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:3)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v1/node_modules/bottleneck/light.js:[4](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:4)0[5](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:5):18) {
  status: 403,
@serathius serathius added the question Further information is requested label Apr 24, 2022
@serathius
Copy link
Author

serathius commented Apr 25, 2022

Heh, this is not a question, but a bug report.
cc @adityasharad

@MathiasVP
Copy link
Contributor

Hi @serathius,

In general, that error usually indicates something wrong with GitHub Actions token permissions.

It looks like you've changed your default token permissions to be restrictive by default without updating the workflow to include the permissions needed for Code Scanning.

Updating the permissions to:

permissions:
  actions: read
  contents: read
  security-events: write

should fix your issue.

@serathius
Copy link
Author

Thanks for info, however please stop introducing breaking changes in v1 version.

@MathiasVP
Copy link
Contributor

I don't think we introduced any breaking changes in this case. These permissions have been the suggested defaults for a long time. You can check out the readme on https://github.com/github/codeql-action for the details.

@L3m0nb4tt3ry
Copy link

L3m0nb4tt3ry commented Sep 19, 2022

@MathiasVP Not necessarily the same issue, but I am receiving same error while fetching dependabot issues via a graphql query, I tried with permissions: write-all as well but no luck. I can execute same query with my PAT with
repo permissions(i.e Full control of private repositories) but unable to fetch with default token, not sure what exactly is the reason or issue here.

@MathiasVP
Copy link
Contributor

Hi @L3m0nb4tt3ry,

Thanks for posting! We'll be happy to take a look at your situation. Would you mind opening a fresh issue with this?

bhrutledge added a commit to bhrutledge/twine that referenced this issue Dec 5, 2022
Looking into the [`Resource not accessible by integration` error](https://github.com/pypa/twine/actions/runs/3616376262/jobs/6094277326),
I found [an issue](github/codeql#8843) that
recommended setting the `permissions`. Looks like this has been added
to the [current CodeQL template](https://github.com/pypa/twine/new/main?filename=.github%2Fworkflows%2Fcodeql.yml&workflow_template=code-scanning%2Fcodeql),
so I copy & pasted that here.
bhrutledge added a commit to pypa/twine that referenced this issue Dec 5, 2022
Looking into the [`Resource not accessible by integration` error](https://github.com/pypa/twine/actions/runs/3616376262/jobs/6094277326),
I found [an issue](github/codeql#8843) that
recommended setting the `permissions`. Looks like this has been added
to the [current CodeQL template](https://github.com/pypa/twine/new/main?filename=.github%2Fworkflows%2Fcodeql.yml&workflow_template=code-scanning%2Fcodeql),
so I copy & pasted that here.
prazian added a commit to digi-wolk/oss-license-auditor that referenced this issue Jun 3, 2023
prazian added a commit to digi-wolk/oss-license-auditor that referenced this issue Jun 3, 2023
eiffel-fl added a commit to inspektor-gadget/inspektor-gadget that referenced this issue Dec 20, 2023
This is needed by CodeQL to be able to report events.

Signed-off-by: Francis Laniel <[email protected]>
Fixes: f04d95b ("ci: Add CWE checks for ig.")
[1]: github/codeql#8843 (comment)
eiffel-fl added a commit to inspektor-gadget/inspektor-gadget that referenced this issue Dec 20, 2023
This is needed by CodeQL to be able to report events.

Signed-off-by: Francis Laniel <[email protected]>
Fixes: f04d95b ("ci: Add CWE checks for ig.")
[1]: github/codeql#8843 (comment)
jeswr added a commit to jeswr/rdfjs-sign that referenced this issue Apr 9, 2024
jeswr added a commit to jeswr/rdfjs-sign that referenced this issue Apr 9, 2024
slyon added a commit to slyon/netplan that referenced this issue Jul 24, 2024
This is needed after switching default token permissions to be restrictive by default.
github/codeql#8843
slyon added a commit to canonical/netplan that referenced this issue Jul 24, 2024
This is needed after switching default token permissions to be restrictive by default.
github/codeql#8843
saschalucas added a commit to saschalucas/ganeti that referenced this issue Aug 15, 2024
In commit 977e717 token permissions are
set to read. However codeql needs also write for uploading
security-events:

    Uploading results
      Processing sarif files: ["/home/runner/work/ganeti/results/python.sarif"]
      Validating /home/runner/work/ganeti/results/python.sarif
      Combining SARIF files using the CodeQL CLI
      Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
      Uploading results
      Warning: Resource not accessible by integration
      Error: Resource not accessible by integration

See also github/codeql#8843

Signed-off-by: Sascha Lucas <[email protected]>
saschalucas added a commit to ganeti/ganeti that referenced this issue Aug 15, 2024
In commit 977e717 token permissions are
set to read. However codeql needs also write for uploading
security-events:

    Uploading results
      Processing sarif files: ["/home/runner/work/ganeti/results/python.sarif"]
      Validating /home/runner/work/ganeti/results/python.sarif
      Combining SARIF files using the CodeQL CLI
      Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
      Uploading results
      Warning: Resource not accessible by integration
      Error: Resource not accessible by integration

See also github/codeql#8843

Signed-off-by: Sascha Lucas <[email protected]>
ilgrosso added a commit to apache/syncope that referenced this issue Aug 19, 2024
ilgrosso added a commit to apache/syncope that referenced this issue Aug 19, 2024
WeihanLi added a commit to WeihanLi/kubernetes-client-csharp that referenced this issue Sep 8, 2024
fixes codeql action error

see details: github/codeql#8843 (comment)
k8s-ci-robot pushed a commit to kubernetes-client/csharp that referenced this issue Sep 8, 2024
@o0101
Copy link

o0101 commented Sep 27, 2024

Hi @serathius,

In general, that error usually indicates something wrong with GitHub Actions token permissions.

It looks like you've changed your default token permissions to be restrictive by default without updating the workflow to include the permissions needed for Code Scanning.

Updating the permissions to:

permissions:
  actions: read
  contents: read
  security-events: write

should fix your issue.

Thank you @MathiasVP that fixed it for us

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

5 participants