
Github - 403 for issue permission #1710

Closed
JoshuaJackson-jobvite opened this issue Sep 16, 2024 · 13 comments · Fixed by #1735
Comments

JoshuaJackson-jobvite (Contributor) commented Sep 16, 2024

Upgrading from 0.6.40 to 0.6.42 resulted in the following error:
error getting pull request (as issue): GET https://api.github.com/repos/ORG/REPO/issues/1316: 403 Resource not accessible by integration []

On 0.6.40 the exact same workflow executes without any errors from the API, nor did permissions need to be extended. In testing with added permissions for issue and pull request there was no change in the error. I have not adjusted the workflow's permissions yet to test that change.

digger.yml:

generate_projects:
  blocks:
    - include: "environments/<ENVNAME>/**"
      workflow: default_work_flow
      aws_role_to_assume:
        state: "arn:aws:iam::<ACCOUNT>:role/<envname>-digger_terraform_state_iam_role"
        command: "arn:aws:iam::<ACCOUNT>:role/<envname>-digger_iam_role"
   
auto_merge: true

workflows:
  default_work_flow:
    plan:
      steps:
        - init
        - plan
        - run: infracost breakdown --path=. | tee -a $DIGGER_OUT
    apply:
      steps:
        - init
        - apply
    workflow_configuration:
      on_pull_request_pushed: ["digger plan"]
      on_pull_request_closed: ["digger unlock"]
      on_commit_to_default: ["digger apply"]

Github action:

name: Digger PR flow

on:
  pull_request:
    branches: ["main"]
    types: [closed, opened, synchronize, reopened]
  issue_comment:
    types: [created]
    if: startsWith(github.event.comment.body, 'digger')
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: "${{inputs.run_name}}"

permissions:
  contents: write
  id-token: write
  pull-requests: write
  statuses: write

jobs:
  digger-job:
    runs-on: ubuntu-latest
    if: ${{ github.actor != 'automated-commit-application[bot]' }}
    permissions:
      contents: write # required to merge PRs
      id-token: write # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write # required to validate combined PR status
      packages: read # required to read the packages
      actions: read
    steps:
      # create a temp. token from the github app installed in the org.
      # The app needs to have read access to all private terraform repos  in the org
      # this token is used in the next step to allow cloning terraform module repos
      - name: Generate Token
        id: generate_token
        uses: tibdex/github-app-token@v2.1.0
        with:
          app_id: ${{ secrets.COMMIT_AUTOMATION_APP_ID }}
          private_key: ${{ secrets.COMMIT_AUTOMATION_CLIENT_SECRET }}
      # allow terraform to download our private modules
      - name: Set git config
        run: /usr/bin/git config --global --add url."https://github:$GITHUB_TOKEN_READ_REPOS@github.com/<ORG>".insteadOf https://github.com/<ORG>
        env:
          GITHUB_TOKEN_READ_REPOS: ${{ steps.generate_token.outputs.token }}
      - uses: actions/checkout@v4
      - name: Setup Infracost
        uses: infracost/actions/setup@v3
        # See https://github.com/infracost/actions/tree/master/setup for other inputs
        # If you can't use this action, see Docker images in https://infracost.io/cicd
        with:
          api-key: ${{ secrets.INFRACOST_TOKEN }}
      - uses: diggerhq/digger@v0.6.42
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: false
          cache-dependencies: true
          #aws-role-to-assume: {{ ENV .assume_role }}
          no-backend: true
          disable-locking: true
          digger-hostname: "https://cloud.digger.dev"
          digger-organisation: "<ORG>"
          digger-token: ${{ secrets.DIGGER_TOKEN }}
          #upload-plan-destination: 'github'
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
          GITHUB_OWNER: <COMPANY>
          AWS_REGION: us-east-1
          TF_VAR_GITHUB_APP_PEM: ${{ secrets.TF_VAR_GITHUB_APP_PEM }}
@JoshuaJackson-jobvite (Contributor, Author)

The odd bit is that the main bits of code:

// Fetch the PR by number; on failure the error is logged and returned unchanged.
pr, _, err := svc.Client.PullRequests.Get(context.Background(), svc.Owner, svc.RepoName, prNumber)
if err != nil {
	log.Printf("error getting pull request: %v", err)
	return fmt.Errorf("error getting pull request: %v", err)
}

haven't changed in 2 months. So it's not anything that should be new...

@samroweemployinc

I added issue: write to the permissions: section and it continued to fail while also saying that all checks had passed.

motatoes (Contributor) commented Sep 17, 2024

Hi @samroweemployinc, try issues: write (plural) and let me know if it resolves it for you.

@motatoes (Contributor)

I suspect it's related to this change.

If confirmed to fix, I will be updating the docs.

@samroweemployinc

Sorry the typo was in my comment, not in my test. I'd written issues: write in the actual file.

@motatoes (Contributor)

Ensure it looks like this:

    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: write
      statuses: write      # required to validate combined PR status

Also ensure it exists in the main branch.

@samroweemployinc

I'll try to test soon.

@samroweemployinc

Still seeing error getting pull request (as issue): error checking if pull request is issue: with permissions like so:

permissions:
  actions: write # required for plan persistence
  contents: write # required to merge PRs
  id-token: write # required for workload-identity-federation
  issues: write
  pull-requests: write # required to post PR comments
  statuses: write # required to validate combined PR status

JoshuaJackson-jobvite (Contributor, Author) commented Sep 17, 2024

Still seeing error getting pull request (as issue): error checking if pull request is issue: with permissions like so:

permissions:
  actions: write # required for plan persistence
  contents: write # required to merge PRs
  id-token: write # required for workload-identity-federation
  issues: write
  pull-requests: write # required to post PR comments
  statuses: write # required to validate combined PR status

Please note we made modifications at the job and global level, and as job and global were the same, stripped it down to just global for the permissions configuration.

I can also confirm for the GitHub app that we have read/write access to issues and pull requests at the repo level.

@motatoes (Contributor)

Thanks for continued investigation on this. I had someone report the exact same error and it was fixed with issues: write. Not sure what may be going on in your case, but if at all possible, could we reproduce it in a minimal repo somehow? That would be immensely helpful!

@jacksonwilliamsva

Can confirm moving the permissions from the job level to the global level has resolved this issue for me.

@motatoes (Contributor)

Great! Glad it helped

@minamijoyo (Contributor)

Today I hit the same problem. Starting from digger v0.6.41, issues permissions appear to be required. Whether the issues: write permission is required or not may depend on which functionality you use, but at least the minimum issues: read permission worked for me.

minamijoyo added a commit to minamijoyo/digger that referenced this issue Oct 2, 2024
Fixes diggerhq#1710

Starting from digger v0.6.41, at least `issues: read` permission is
required to check if PR number is an issue or not. It should be clearly
stated in the document so that other folks are not confused.

I'm not sure when `issues:write` is needed, please add another note
where appropriate.
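The thread converges on two points: digger v0.6.41+ needs at least `issues: read` on the GITHUB_TOKEN, and where the `permissions:` block lives matters, because a job-level block replaces the workflow-level block for that job and any block that lists one scope sets every unlisted scope to none. The following is an added preflight check written for this page, not digger's own code and not part of any comment above. It encodes those GitHub Actions rules and the scope set posted in this issue (issues: read as the minimum minamijoyo reported; the other entries from motatoes' corrected block), then runs it over the reporter's original configuration and the corrected one. The permission maps are constructed from the YAML in this thread; `diggerRequired`, `EffectivePermissions` and `MissingScopes` are names chosen here and are assumptions, not digger identifiers.

```go
package main

import (
	"fmt"
	"sort"
)

// accessRank orders the GITHUB_TOKEN access levels GitHub Actions understands.
var accessRank = map[string]int{"none": 0, "read": 1, "write": 2}

// diggerRequired (name chosen for this example) is the scope set this thread
// converged on for digger >= 0.6.41: issues: read is the minimum minamijoyo
// reported; the remaining entries come from the corrected block posted above.
var diggerRequired = map[string]string{
	"contents":      "write",
	"actions":       "write",
	"id-token":      "write",
	"pull-requests": "write",
	"issues":        "read",
	"statuses":      "write",
}

// EffectivePermissions returns the scopes a job's GITHUB_TOKEN actually carries.
// GitHub's rules: a job-level permissions block, when present, replaces the
// workflow-level block for that job entirely; any block that lists at least one
// scope sets every unlisted scope to none. When neither level sets anything the
// repository's default token permissions apply; this checker cannot see that
// setting and conservatively treats it as no scopes at all.
func EffectivePermissions(workflow, job map[string]string) map[string]string {
	switch {
	case job != nil:
		return job
	case workflow != nil:
		return workflow
	default:
		return map[string]string{}
	}
}

// MissingScopes reports each required scope that is absent or weaker than
// needed, formatted as "scope: needed (have X)" and sorted for stable output.
func MissingScopes(effective, required map[string]string) []string {
	var missing []string
	for scope, need := range required {
		have, ok := effective[scope]
		if !ok {
			have = "none" // unlisted scope: none once any scope is listed
		}
		if accessRank[have] < accessRank[need] {
			missing = append(missing, fmt.Sprintf("%s: %s (have %s)", scope, need, have))
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed from the reporter's workflow in this issue: permissions set at
	// both levels, neither granting issues, and actions only read at job level.
	reporterWorkflow := map[string]string{"contents": "write", "id-token": "write", "pull-requests": "write", "statuses": "write"}
	reporterJob := map[string]string{"contents": "write", "id-token": "write", "pull-requests": "write", "statuses": "write", "packages": "read", "actions": "read"}

	// Constructed from the corrected block later in the thread, workflow level only.
	fixedWorkflow := map[string]string{"actions": "write", "contents": "write", "id-token": "write", "issues": "write", "pull-requests": "write", "statuses": "write"}

	for name, cfg := range map[string][2]map[string]string{
		"reporter": {reporterWorkflow, reporterJob},
		"fixed":    {fixedWorkflow, nil},
	} {
		missing := MissingScopes(EffectivePermissions(cfg[0], cfg[1]), diggerRequired)
		if len(missing) == 0 {
			fmt.Printf("%s: GITHUB_TOKEN scopes sufficient\n", name)
			continue
		}
		fmt.Printf("%s: add to the effective permissions block: %v\n", name, missing)
	}
}
```

Running this against the reporter's configuration flags `issues` (absent) and `actions` (read where write is listed as required), and the same check with the corrected workflow-level block reports nothing missing. The useful property for a defender is that it fails fast with the exact scope name, instead of the opaque "403 Resource not accessible by integration" that the Issues API call produces at run time; it also makes the job-level-overrides-workflow-level rule explicit, which is the behaviour jacksonwilliamsva's fix of moving permissions to the global level relies on.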