codeql-action: Change of behavior "Error: Resource not accessible by integration"
It started happening two days ago, without any relevant change on our side, in all PRs:
https://github.com/rizinorg/rizin/pull/1222
Here is our CodeQL action configuration: https://github.com/rizinorg/rizin/blob/dev/.github/workflows/code-analysis.yml
The error message is the following:
https://github.com/rizinorg/rizin/pull/1222/checks?check_run_id=2855028592#step:4:1
RequestError [HttpError]: Resource not accessible by integration
at /home/runner/work/_actions/github/codeql-action/v1/node_modules/@octokit/request/dist-node/index.js:66:23
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v1/node_modules/bottleneck/light.js:405:18) {
name: 'HttpError',
status: 403,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Fri, 18 Jun 2021 03:41:52 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'GitHub.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '0405:5D98:A0F49:119F3A:60CC1600',
'x-ratelimit-limit': '5000',
'x-ratelimit-remaining': '4848',
'x-ratelimit-reset': '1623989200',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '152',
'x-xss-protection': '0'
},
request: {
method: 'PUT',
url: 'https://api.github.com/repos/rizinorg/rizin/code-scanning/analysis/status',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'CodeQL-Action/1.0.2 octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"workflow_run_id":948607521,"workflow_name":"Code scanning","job_name":"build","analysis_key":".github/workflows/code-analysis.yml:build","commit_oid":"3dc5ffebacc2420e860f67c3dfcfe08fcf87e09d","ref":"refs/heads/codeql-fixes","action_name":"init","action_ref":"v1","action_oid":"unknown","started_at":"2021-06-18T03:41:51.948Z","action_started_at":"2021-06-18T03:41:51.948Z","status":"starting","matrix_vars":"{\\n \\"name\\": \\"CodeQL-cpp\\"\\n}"}',
request: { agent: [Agent], hook: [Function: bound bound register] }
},
documentation_url: 'https://docs.github.com/rest'
}
Error: Resource not accessible by integration
About this issue
- State: open
- Created 3 years ago
- Comments: 20 (8 by maintainers)
Commits related to this issue
- Set the GITHUB_TOKEN permissions in the permissions field; uploading a SARIF file requires write permission on security-events - https://github.com/github/codeql-action/issues/572#issuecomment-966301090 - https://efcl.info/2021/07/21/update-gi... — committed to Tatsumi0000/MobSF-Practice by Tatsumi0000 2 years ago
- Update tmux.yml Related: https://github.com/github/codeql-action/issues/572#issuecomment-966291195 — committed to pdxjohnny/static-builds by pdxjohnny a year ago
- Chapter6: Publishing container images with GitHub Actions https://github.com/github/codeql-action/issues/572 — committed to Ivypas/cloud-native-spring-in-action-config-service by Ivypas a year ago
We didn’t touch it, and this is set to RW:
Answering my own question: I need the permissions block, otherwise the OpenID Connect step fails, and it has to look like this:
You can actually see in a workflow run what permissions it has. It gets printed out near the top. In your run it did appear to have `write` permission, so it seems like a different class of bug than others where the workflow runs with `read` permissions for some reason. I do note that there have been passing runs since, including runs on the `push` event. So I’d hope perhaps this is just a one-off.
Please take a look at Enabling Advanced Security Features. You will need an enterprise account to enable Advanced Security on private repositories.
Hi, kindly enable Advanced Security (see Advanced GitHub Security). Then go ahead and add these permissions to your workflow for private repos:
    permissions:
      actions: read
      contents: read
      security-events: write
      statuses: write
@martinschaef you are correct that you have to configure the `permissions` block accordingly. If a particular permission is not mentioned in the `permissions` block then it gets set to `none`. The minimal permissions that should be needed for a workflow to use the CodeQL Action are mentioned in the example workflow at https://github.com/github/codeql-action#usage: `security-events: write`, and for private repos `contents: read` and `actions: read`. This assumes you are using `actions/checkout@v2`. To address some earlier questions in the thread, Dependabot runs will now respect the `permissions` block.
@WaKeMaTTa Make sure to enable advanced security on your repository. The docs are here.
If you are still seeing problems, please raise a new issue and include the relevant parts of the workflow.
@AlCalzone, check out the “analysis still failing on the default branch” section of https://github.com/github/codeql-action/issues/416. Apologies this information is not yet in the proper troubleshooting docs but that change is in progress and we’ll update the error message to point there when done.