No permission to create comment #15
Comments
This set of permissions I have set on my job that works are:
That is only set on the job and I don't pass in
You can see at the top of your run when you expand the "Set up job" step and then click on
Just a hunch but can you check if you defined a variable or secret called
The reason why I am asking is because
In my own working tests, the
There's no
Not sure how to proceed here as the issue seems to be in your repository or workflow/job configuration. I checked on a recent job run in your repo and verified the same issue I tried to explain in my last comment. The
Interestingly I also found another run in your repository which was triggered by merging into your main branch. In this case, the permissions are set to
To debug this, you can try if there is any effect when you remove the top-level
Unfortunately the help doesn't state explicitly what happens if you set both the workflow and job permissions but it says you can either do one or the other but I suppose that's probably not meant in a strict way 🤷
Good luck!
Looks like that is on the pull request open action, and the branch is my personal fork rather than the regclient project repo, so I'm guessing GitHub security is blocking the GitHub action from getting access to my personal fork, or maybe it's blocking the fork from getting access to the project.
Removing the top level permissions was one of the things I tested without luck, and adding the write permission there also didn't help. I'll revisit this later when I have more time to see if I can sort out the difference in token permissions.
A quick check of the GITHUB_TOKEN permissions shows that GitHub removes all write access from the token on pull requests from a fork of a public repository. I'm going to need to do some more homework on if I want to change that setting since it's there for security reasons that I probably want.
Yeah that makes sense. I didn't really think about forks yet but I think this action wouldn't work well for them exactly because of these (sensible) security defaults 🤔
I believe the workaround would be to use pull_request_target, but that comes with a big security warning to not checkout code that was submitted by the user. The risk is probably fairly small for a job that can only update the pull request and that doesn't execute any of the code that is checked out. But given the added risk I'm going to put this on my backlog to revisit sometime when I have more availability. Feel free to close this issue out if it's not a scenario you want to work on. Overall, I still think this is a neat idea that fills a need. So even if I'm not able to use it, thanks for creating it!
I ended up mentioning this under "Limitations" in the README.md . Thanks again for pointing out this issue and helping to debug it. |
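The `pull_request_target` workaround discussed above, written out as an added example workflow (this is not the project's own `ci.yml` and not code from anyone in the thread). It shows the defensive shape the warning calls for: the event runs in the base repository with a write-capable `GITHUB_TOKEN`, the job is granted only `pull-requests: write`, and it never checks out or executes the fork's code. The workflow name, job name and comment body are constructed for illustration.

```yaml
# Added example (not this project's workflow): comment on a PR opened from a
# fork using pull_request_target, without ever running the fork's code.
name: pr-comment-from-fork

on:
  pull_request_target:          # runs in the BASE repo context, so GITHUB_TOKEN keeps write scopes
    types: [opened, synchronize]

permissions: {}                 # deny everything at the workflow level; grant per job only

jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write      # the single scope `gh pr comment` needs
    steps:
      # Deliberately NO actions/checkout of ${{ github.event.pull_request.head.sha }}
      # here: building or running the fork's code in this job would expose the
      # write-capable token to untrusted code, which is the risk the warning is about.
      - name: Comment on the pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Constructed body; a real workflow would insert its report text here.
          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" \
            --body "Automated comment for commit ${HEAD_SHA} (posted via pull_request_target)."
```

If the comment has to be derived from the fork's code (a coverage report needs a build), keep that work out of the privileged job: run it under the ordinary `pull_request` event with its read-only token, upload the result as an artifact, and let a separate `workflow_run`-triggered workflow download the artifact and post the comment. That keeps untrusted code and the write-capable token in different jobs.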
Fixes fgrosse#15

Add a note about using `pull_request_target` as a workaround for forks in the `README.md`.

* Add a section titled "Workaround for Forks" explaining the use of `pull_request_target`.
* Include a security warning about the risks associated with using `pull_request_target`.
* Provide a link to the GitHub documentation on `pull_request_target`.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/fgrosse/go-coverage-report/issues/15?shareId=XXXX-XXXX-XXXX-XXXX).

Fixes fgrosse#15

Add workaround for commenting on pull requests from forks

* **README.md**
  - Add a note about using `pull_request_target` as a workaround for forks, with a security warning.
* **.github/workflows/ci.yml**
  - Add `contents: write` permission for `pull_request_target`.
  - Remove unnecessary comments and steps related to checking out the source code and setting up Go.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/fgrosse/go-coverage-report/issues/15?shareId=XXXX-XXXX-XXXX-XXXX).
While trying out this action, I'm encountering the error: "GraphQL: Resource not accessible by integration (addComment)".

I tried passing the `GITHUB_TOKEN` environment variable, setting the `pull-requests: write` permission on the workflow rather than only the job, and adding the `issues: write` permission, but so far no luck. My best guess is that the `gh` command is running in the context of your repository instead of my own.

Here's an example run: https://github.com/regclient/regclient/actions/runs/8484759635/job/23248287252?pr=706

(Note that I have `continue-on-error: true` defined on the job so that it always shows as successful.)