Resource not accessible by integration #68

Open
kir0ul opened this issue May 28, 2022 · 20 comments

@kir0ul

kir0ul commented May 28, 2022

Hi,

I'm trying to use this GH Action in openai/gym#2789. On my fork it seems to work fine: https://github.com/kir0ul/gym/runs/6244334853?check_suite_focus=true, but on the main repo I get Error: HttpError: Resource not accessible by integration: https://github.com/openai/gym/runs/6244334980?check_suite_focus=true.
I tried to modify the permissions as suggested in #30 (comment), but it didn't work.
Is there any way to work around this error?

@maxyousif15

Try adding pull-requests: write to your permissions for the GITHUB_TOKEN

@kir0ul
Author

kir0ul commented Jun 2, 2022

Try adding pull-requests: write to your permissions for the GITHUB_TOKEN

Thanks for the suggestion!
So I tried it in openai/gym@ab61592 but I still get the same error: https://github.com/kir0ul/gym/runs/6708528879?check_suite_focus=true

@MishaKav
Owner

MishaKav commented Jun 2, 2022

@kir0ul can you please try this:

issues: write
pull-requests: write

more info

@kir0ul
Author

kir0ul commented Jun 2, 2022

@kir0ul can you please try this:

issues: write
pull-requests: write

Thanks @MishaKav! I just tried it in openai/gym@76d6a65 but I also get the same error: https://github.com/kir0ul/gym/runs/6709357231?check_suite_focus=true 😓

@avitalb

avitalb commented Jul 6, 2022

I am also encountering the same error myself; any updates on this, @MishaKav? Thanks a lot for your work on this!

@kahnwong

I have tested my actions file with the permissions setting below and it works.

jobs:
  pytest:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write

@danielazheleva

danielazheleva commented Sep 22, 2022

I'm also still seeing this error with the following configuration:

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 8
    permissions:
      pull-requests: write
      contents: read
      id-token: write
    
    steps:
      ......
      - name: Run Unit Tests with Coverage
        run: make test-cov
      - name: Pytest coverage comment
        uses: MishaKav/pytest-coverage-comment@9689962ff78b20865e4ec0b90789e62309498aab
        with:
          pytest-coverage-path: ./pytest-coverage.txt
          junitxml-path: ./pytest.xml

@MishaKav
Owner

Looks like if you use a fork, you don't have permission to run the action.
Looks like it's a GitHub issue, as described in actions/first-interaction#10 (comment)

@hmajid2301

I'm also still seeing this error with the following configuration:

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 8
    permissions:
      pull-requests: write
      contents: read
      id-token: write
    
    steps:
      ......
      - name: Run Unit Tests with Coverage
        run: make test-cov
      - name: Pytest coverage comment
        uses: MishaKav/pytest-coverage-comment@9689962ff78b20865e4ec0b90789e62309498aab
        with:
          pytest-coverage-path: ./pytest-coverage.txt
          junitxml-path: ./pytest.xml

I was able to fix something similar by changing it from push to pull_request

name: Check changes on branch

on:
  pull_request:

@afuetterer

Hi there, I will add to this issue, because it fits thematically.

If a PR is merged to master/main, the "pytest-coverage-comment" action tries to comment on a commit on master/main, right?

In my setup it comments perfectly in the PR and after merge, I get:

Error: HttpError: Resource not accessible by integration
Error: Resource not accessible by integration

Is it due to branch protection? Maybe you could add a hint in the documentation about branch protection and the required permissions for the GitHub token, please?

Thanks for the great action!

@adclose-td

I'm having a similar issue, not sure if it's related


      - name: Run Tests
        run: pytest --junitxml=unit-testresults.xml --cov-report "xml:coverage.xml" --cov=. .
      - name: Pytest Coverage Comment
        uses: MishaKav/[email protected]
        with:
          pytest-xml-coverage-path: coverage.xml
          junitxml-path: unit-testresults.xml
          create-new-comment: true

I get these results

Run MishaKav/[email protected]
  with:
    pytest-xml-coverage-path: coverage.xml
    junitxml-path: unit-testresults.xml
    create-new-comment: true
    github-token: ***
    pytest-coverage-path: ./pytest-coverage.txt
    title: Coverage Report
    badge-title: Coverage
    hide-badge: false
    hide-report: false
    hide-comment: false
    report-only-changed-files: false
    default-branch: main
    remove-link-from-badge: false
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.9.16/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.9.16/x64/lib
File read successfully "/home/runner/work/datatransfer_eligibility_core/datatransfer_eligibility_core/coverage.xml"
Generating coverage report
File read successfully "/home/runner/work/datatransfer_eligibility_core/datatransfer_eligibility_core/unit-testresults.xml"
File read successfully "/home/runner/work/datatransfer_eligibility_core/datatransfer_eligibility_core/unit-testresults.xml"
errors: 0
failures: 0
skipped: 0
tests: 13
time: 36.120
File read successfully "/home/runner/work/datatransfer_eligibility_core/datatransfer_eligibility_core/unit-testresults.xml"
coverage.xml
  coverage: 67%
  color: yellow
Create commit comment

but nothing shows up in the output

Wish I could share more but it's a company repo

Seems like it does all the work but no section is created in the output

@ryan-edwall

I encountered this same error while working on a class project for university. I was able to resolve it after reviewing the GitHub organization and repository documentation for configuring the default GITHUB_TOKEN permissions.

Organization documentation link: https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization

Repository documentation link: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions

Essentially, you need to change the workflow read/write permissions from the defaults on the repository or organization level. I believe that you need to be the owner of the repo/organization to make the change. I have not tried as admin, but I know that you are unable to as a member.

The default settings:
image

Settings that fix the error:
image

@adclose-td

Thanks, this is very helpful

@ryan-edwall

Of course, I'm glad I was able to help! ❤️

bcantoni added a commit to tableau/server-client-python that referenced this issue Nov 10, 2023
Right now this action is failing with what appears to be this issue:
MishaKav/pytest-coverage-comment#68

It seems to be failing on PRs from outside contributors only, so making this
change will let those PRs through while we sort this out.
@asumagic

asumagic commented Dec 1, 2023

My understanding of the issue is that PRs from forked repos can never get write access (and really, they never should).

Seems like a better approach would be to use a separate workflow with read-write access that fetches the coverage artifacts from the read-only workflow, which deals with (untrusted) code from the PR.

I have tried the following in the read-only workflow:

            - name: Unit+doc+integration tests with pytest + coverage
              run: |
                  mkdir -p ./testresults
                  pytest --junitxml=testresults/pytest.xml \
                  --cov-report=term-missing:skip-covered \
                  --cov=speechbrain --cov-context=test \
                  --doctest-modules \
                  ./speechbrain ./tests \
                  | tee testresults/pytest-coverage.txt
            - uses: actions/upload-artifact@v2
              with:
                  name: testresults
                  path: testresults/

and this as the whole read-write workflow:

name: Comment coverage status on the pull request

on: # yamllint disable-line rule:truthy
    workflow_run:
        workflows: ["SpeechBrain toolkit CI"]
        types:
            - completed

jobs:
    covcomment:
        runs-on: ubuntu-latest
        if: >
            github.event.workflow_run.event == 'pull_request'
        steps:
            - name: 'Download artifact'
              uses: actions/[email protected]
              with:
                  script: |
                      var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
                          owner: context.repo.owner,
                          repo: context.repo.repo,
                          run_id: ${{ github.event.workflow_run.id }},
                      });
                      var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
                          return artifact.name == "testresults"
                      })[0];
                      var download = await github.rest.actions.downloadArtifact({
                          owner: context.repo.owner,
                          repo: context.repo.repo,
                          artifact_id: matchArtifact.id,
                          archive_format: 'zip',
                      });
                      var fs = require('fs');
                      fs.writeFileSync('${{github.workspace}}/testresults.zip', Buffer.from(download.data));
            - run: unzip testresults.zip
            - name: Read the pull_request_number.txt file
              id: pr_id_reader
              uses: juliangruber/[email protected]
              with:
                  path: ./issue_id.txt
            - name: Pytest coverage comment
              uses: MishaKav/pytest-coverage-comment@main
              with:
                  pytest-coverage-path: ./pytest-coverage.txt
                  junitxml-path: ./pytest.xml
                  hide-report: True
                  issue-number: ${{ steps.pr_id_reader.outputs.content }}

However, this fails to send a comment on the PR because the workflow type is workflow_run, even though I specified issue-number. Wouldn't it work to just allow trying to push the comment if issue-number is specified?

Additionally, this approach has the downside that only showing the modified files in the table is not possible as is... On a side note, it would be nifty if the table could be omitted when the comment is found to be too long.

Is there a simpler way I've missed?
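
In the split-workflow approach described in the comment above, the read-write workflow takes the PR number from an artifact that untrusted PR code produced. As an added example (not code from this thread or from the action), the JavaScript below shows checks such a step could apply before passing the value as issue-number. The function names and sample data are constructed, and `getPull` stands in for a call to `github.rest.pulls.get` in a github-script step.

```javascript
// Added example: checks for a PR number read from an artifact that untrusted
// PR code produced. Function names and sample data are constructed.

// Accept only a plain positive decimal integer, with one optional trailing newline.
function parsePrNumber(raw) {
  const text = String(raw).replace(/\r?\n$/, '');
  if (!/^[1-9][0-9]{0,8}$/.test(text)) {
    throw new Error('artifact does not contain a plain PR number');
  }
  return Number(text);
}

// Compare the claimed PR with what GitHub reports for the triggering run.
// workflowRun: github.event.workflow_run; pullRequest: REST pull request object.
function checkPrMatchesRun(claimed, workflowRun, pullRequest) {
  if (workflowRun.event !== 'pull_request') return 'run was not a pull_request run';
  if (!pullRequest || pullRequest.number !== claimed) return 'PR not found';
  if (pullRequest.state !== 'open') return 'PR is not open';
  if (pullRequest.head.sha !== workflowRun.head_sha) {
    return 'PR head differs from the commit that was tested';
  }
  return null; // consistent: safe to use as the comment target
}

// getPull stands in for `await github.rest.pulls.get(...)` in a github-script step.
function resolveCommentTarget(rawArtifactText, workflowRun, getPull) {
  const number = parsePrNumber(rawArtifactText);
  const problem = checkPrMatchesRun(number, workflowRun, getPull(number));
  if (problem) throw new Error(`refusing to comment on #${number}: ${problem}`);
  return number;
}

// Constructed sample data: one run, two open PRs.
const sampleRun = { event: 'pull_request', head_sha: 'a1b2c3d' };
const samplePulls = new Map([
  [12, { number: 12, state: 'open', head: { sha: 'a1b2c3d' } }],
  [7, { number: 7, state: 'open', head: { sha: 'ffff000' } }],
]);
const lookup = (n) => samplePulls.get(n);

console.log(resolveCommentTarget('12\n', sampleRun, lookup));
for (const bad of ['7', '12\n34', '0012']) {
  try { resolveCommentTarget(bad, sampleRun, lookup); }
  catch (e) { console.log(`rejected ${JSON.stringify(bad)}: ${e.message}`); }
}
```

The head SHA comparison also rejects results from a run that finished after the PR received a newer push, so a stale coverage report is not posted.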

@darkpandarts

Oh! I think I get it! I was having a similar problem even after adding the following code and following Ryan's suggestion

on:
    push:
      branches:
        - master
    pull_request:

jobs:
  build-test:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        python-version: ["3.9"]
    permissions:
      issues: write
      pull-requests: write
    steps:
    - name: Checkout
      uses: actions/checkout@v3
<---- Snip ---->

    - name: Pytest coverage comment
      uses: MishaKav/pytest-coverage-comment@main
      with:
        pytest-xml-coverage-path: ./coverage.xml
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

I noticed that it passed on pushing to my feature, but failed on merging to master. So, I added contents: write based on this comment and it then passed on merge.

So basically, I think I will set pytest-coverage-comment to not run on merge with an if condition as I think it is not required at that stage.

Hopefully this is useful for someone! :)

@MishaKav
Owner

Also may be solved with workflow_run like in this example #153

@akarnavasco

akarnavasco commented Feb 29, 2024

Hello! For some reason I get this error on pull requests created by dependabot.

Running:
git commit --amend --no-edit && git push --force
on the branch seems to fix the issue.

Maybe this is a permission issue with dependabot?

Edit: To answer my own question: Dependabot permissions are by default set to read-all. Changing the permissions for the workflow fixed the issue.

@vt-rc

vt-rc commented Mar 28, 2024

I have tried adding permission to the job

    permissions:
      checks: write
      id-token: write
      issues: write
      pull-requests: write

Everything works fine if the workflow is triggered with a manual dispatch.
However, if the workflow is triggered by a branch push, then I get the error

Error: HttpError: Resource not accessible by integration
Error: Resource not accessible by integration

I am very confused about why it behaves differently depending on the event that triggers the workflow.

@thomaspaulin

I added the pull-requests: write permissions at the root of my workflow file and also removed the on: push, so only the pull_request trigger remains; that solved it for me.

gconklin pushed a commit to gconklin/tableauserverclient that referenced this issue May 28, 2024
Right now this action is failing with what appears to be this issue:
MishaKav/pytest-coverage-comment#68

It seems to be failing on PRs from outside contributors only, so making this
change will let those PRs through while we sort this out.