Workflows are missing permissions requests

[jsoref]

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/workflow

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/20979906681#step:19:55

Post job cleanup.
Warning: Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v2/node_modules/@octokit/request/dist-node/index.js:86:21
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v2/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v2/node_modules/bottleneck/light.js:405:18) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      connection: 'close',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Mon, 29 Jan 2024 16:16:02 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '94E3:79CB:3878D:7311B:65B7CF42',
      'x-ratelimit-limit': '1000',
      'x-ratelimit-remaining': '961',
      'x-ratelimit-reset': '1706548556',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '39',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest'
    }
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL-Action/2.23.2 octokit-core.js/3.6.0 Node.js/16.20.2 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"action_name":"init-post","action_oid":"unknown","action_ref":"v2","action_started_at":"2024-01-29T16:16:02.392Z","action_version":"2.23.2","analysis_key":".github/workflows/ql-for-ql-dataset_measure.yml:measure","commit_oid":"aeae208dc3291109d6c798179bb8944961348823","job_name":"measure","job_run_uuid":"75681a8a-17f0-4c74-b850-172cffab9a66","ref":"refs/heads/main","runner_available_disk_space_bytes":31716970496,"runner_os":"Linux","runner_total_disk_space_bytes":89297309696,"started_at":"2024-01-29T16:16:01.614Z","status":"success","testing_environment":"","workflow_name":"Collect database stats for QL for QL","workflow_run_attempt":1,"workflow_run_id":7699091660,"completed_at":"2024-01-29T16:16:02.416Z","matrix_vars":"{\\n  \\"repo\\": \\"github/codeql\\"\\n}","runner_arch":"X64","runner_image_version":"20240126.1.0","job_status":"JOB_STATUS_UNKNOWN"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}
Error: Resource not accessible by integration

I presume that it needs:

permissions:
  security-events: write

or similar, but this api isn't documented in https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28 so I have absolutely no idea.

[aibaars]

I believe /code-scanning/analysis/status is a telemetry related API. It should not fail unless a repository does not have Github Advanced Security or CodeScanning enabled. Advanced Security is a payed feature for private repositories, but for public ones it should just work (as far as I know)

[jsoref]

https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning

Code scanning is available for all public repositories on github.com. Code scanning is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

I see no way for me to control it.

This org actively relies on sarif analysis, so it shouldn't be disabled... I certainly don't actively try to turn things like this off...

[aeisenberg]

Thanks for reporting this. Could you try re-running the workflows. It might be that the problem was temporary. If it works now (or doesn't work), this will give us more information for us to address the root cause.

[jsoref]

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/21030726761

[jsoref]

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/21030726761#step:3:21

response: {
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
    status: 403,
...
      'x-github-request-id': '8442:7780:CB905C:19C3CB6:65B93D93',
...
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest'
    }
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
...

[jsoref]

It sounds like @angelapwen and co will write a PR to make the /code-scanning/analysis/status API calls themselves non-critical -- my naive understanding is that they're for telemetry and such things really should never be required/fatal, that seems like a good thing, and given that the team is committed to not documenting them as they're internal APIs, that part of things is outside of the scope of what I can do.

That said, I've posted a PR which should cover the general problem that these workflows aren't declaring their required permissions (they don't) which is a problem for paranoid forks -- and ideally most contributors to a project like codeql would configure their forks with the safer permissions settings.

[angelapwen]

Ah, you beat me to writing an update on this issue! Yes, we also just noticed that your workflow began succeeding 🥳 once you added the security-events: write permission earlier. We'll also try to add some validation so that our own workflows that use the Action aren't missing the necessary permission. Thank you for the PR — you've done most of the hard work already ✨

Regarding the API, yes, your understanding is accurate! The change to make the /code-scanning/analysis/status API calls non-critical will be in the CodeQL Action. We're tracking the issue internally and will discuss prioritization shortly.

As a side note, the CodeQL Action is also open source (https://github.com/github/codeql-action/) if you'd like to contribute in the future 😆

[jsoref]

Fwiw, it'd be really nice if the codeql things that make these api calls reported a friendly error when they detect a missing permissions.

check-spelling does this in various places:
check-spelling/check-spelling@0acd92b

[jsoref]

I've contributed to both.

https://github.com/github/codeql-action/pulls?q=is%3Apr+author%3Ajsoref+is%3Aclosed

[angelapwen]

Fwiw, it'd be really nice if the codeql things that make these api calls reported a friendly error when they detect a missing permissions.

check-spelling does this in various places: check-spelling/check-spelling@0acd92b

Thanks for sharing. We'll look at adding this (or some alternative that does something similar) to the CodeQL Action!

[jsoref]

I've posted:

• Document token input codeql-action#2110
  which I hope will cover those bits. But ... at this point, I can't really tell anything because my personal account seems stuck.

[jsoref]

This isn't actually fixed yet. The downside of splitting things is that I apparently broke the metadata.

[angelapwen]

Oh, yes 😺 Reopening this issue to track.