Action fails with "HttpError: Resource not accessible by integration" (v1.3) #24

Closed
suniastar opened this issue Sep 28, 2022 · 7 comments

suniastar commented Sep 28, 2022

When using the GitHub action with this workflow:

name: Pull Requests Checks

on:
  pull_request:
    branches: [ "dev" ]
  workflow_dispatch:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.0.2
      - name: Set up Java JDK
        uses: actions/setup-java@v3.5.0
        with:
          java-version: '17'
          distribution: 'zulu'
      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots test
      - name: JaCoCo Report
        uses: Madrapps/jacoco-report@v1.3
        with:
          paths: ${{ github.workspace }}/target/site/jacoco/jacoco.xml
          token: ${{ secrets.GITHUB_TOKEN }}
          min-coverage-overall: 80

the workflow fails with:

2022-09-26T05:36:16.4439290Z ##[group]Run Madrapps/jacoco-report@v1.3
2022-09-26T05:36:16.4439589Z with:
2022-09-26T05:36:16.4439928Z   paths: /home/runner/work/ms-address/ms-address/target/site/jacoco/jacoco.xml
2022-09-26T05:36:16.4440634Z   token: ***
2022-09-26T05:36:16.4440901Z   min-coverage-overall: 80
2022-09-26T05:36:16.4441209Z   min-coverage-changed-files: 80
2022-09-26T05:36:16.4441510Z   update-comment: false
2022-09-26T05:36:16.4441774Z   debug-mode: false
2022-09-26T05:36:16.4442007Z env:
2022-09-26T05:36:16.4442307Z   JAVA_HOME: /opt/hostedtoolcache/Java_Zulu_jdk/17.0.4-8/x64
2022-09-26T05:36:16.4442690Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Zulu_jdk/17.0.4-8/x64
2022-09-26T05:36:16.4442984Z ##[endgroup]
2022-09-26T05:36:16.5308197Z Event is pull_request
2022-09-26T05:36:16.5312473Z base sha: 585b6c90a6ee99cf93b39df7651fb8f8441a3699
2022-09-26T05:36:16.5312840Z head sha: 9e4e921341b6f13e4b021cbbb831fc55dab9ff8c
2022-09-26T05:36:17.1332963Z ##[error]HttpError: Resource not accessible by integration

However, when using the main (Madrapps/jacoco-report@main) branch the workflow completes successfully without a problem.

This does not make sense to me as the commits since the latest version (v1.3) only consist of README updates.
Does anyone have an idea what could cause this problem?

suniastar closed this as not planned Oct 3, 2022
suniastar reopened this Oct 3, 2022

@suniastar (Author)

This problem is related to Dependabot instead of the action's version.
When this GitHub workflow is run by Dependabot (e.g. when creating a pull request on a dependency update), the API call to comment on the pull request throws "Resource not accessible by integration" because of a lack of permissions.
Dependabot's GitHub token is limited to read-only by default.

@suniastar (Author)

It is possible to change the action's token read/write permissions to the needed permission, but I don't know which permission is required.
Details here:

cengdall commented Oct 3, 2022

Ran into this because my workflow had custom permission defined (and per docs, any unspecified permissions default to none). I believe pull-requests: write is the required permission, as the action wants to add results as a comment to the PR.

butyear commented Oct 13, 2022

@suniastar
I faced the same problem and I figured out what the problem is.
I guess you made the PR from a forked repository.
For that, the origin repository has to allow an option about "Fork pull request".
Here is the option:
Settings -> Actions -> General -> Fork pull request workflows -> Enable "Send write tokens to workflows from fork pull requests."
After that, the JaCoCo report is shown in the PR comment.
This is about the security of GitHub Actions triggered from a forked repository:
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token

suniastar (Author) commented Oct 13, 2022

I know about that but I don't have that option in my settings.
Maybe it is only for enterprise/paid customers?

The "complete" list of default permissions for the token is listed here: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

But this list does not include the default permissions for Dependabot.

I have tested all important access rights on one of my repositories.
I have made PRs myself, from another user via a forked repository, from another user who was also a collaborator, and by Dependabot on the primary repository.

| PR from | GITHUB_TOKEN defaults to |
| --- | --- |
| myself | read/write |
| user (collaborator) | read/write |
| dependabot | read |
| user (forked repo) | none |

When any GitHub workflow is initiated by Dependabot (e.g. when it creates a PR because of a new version), the token's permission will be set to read if not specified explicitly.

In my opinion simply adding:

permissions:
  pull-requests: write

to the workflow file should be enough (as @cengdall said) but I did not test if pull-requests is the correct scope.

@khoutz182

At least in my repository, I needed the contents-read permission as well:

permissions:
  contents: read
  pull-requests: write

Otherwise I got a "Repository not found" error during the checkout action:

  remote: Repository not found.
  Error: fatal: repository 'https://github.com/<ORG>/<REPO>/' not found
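
The permissions discussed in the comments above, written out as the reporter's workflow with a job-level least-privilege block. This is an added example, not part of the thread or the project's documentation; the `if:` guard on the report step is an assumption, added so pull requests from forks skip the comment step instead of failing.

```yaml
name: Pull Requests Checks

on:
  pull_request:
    branches: [ "dev" ]
  workflow_dispatch:

jobs:
  test:
    runs-on: ubuntu-latest
    # Once a permissions block is present, every scope not listed is set to
    # "none", so the scope each step needs has to be named explicitly.
    permissions:
      contents: read        # actions/checkout fetches the repository
      pull-requests: write  # jacoco-report posts its result as a PR comment
    steps:
      - name: Checkout
        uses: actions/checkout@v3.0.2
      - name: Set up Java JDK
        uses: actions/setup-java@v3.5.0
        with:
          java-version: '17'
          distribution: 'zulu'
      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots test
      - name: JaCoCo Report
        # Assumption (not from the thread): skip this step for pull requests
        # opened from forks, whose token is read-only unless the repository
        # setting mentioned by butyear is enabled.
        if: >-
          github.event_name != 'pull_request' ||
          github.event.pull_request.head.repo.full_name == github.repository
        uses: Madrapps/jacoco-report@v1.3
        with:
          paths: ${{ github.workspace }}/target/site/jacoco/jacoco.xml
          token: ${{ secrets.GITHUB_TOKEN }}
          min-coverage-overall: 80
```

Declaring the block on the job rather than at the top of the file keeps the write scope away from any other job later added to the same workflow.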

@thsaravana (Member)

Thanks @suniastar for investigating this. I already have a PR #26 to add this permission to README.md doc. In addition, I will also call this out in a separate Troubleshooting section, linking to this issue for more details.
