scorecard-action: githubv4.Query: Resource not accessible by integration

I’m using the default GitHub Action workflow, though with tags instead of commit hashes in https://github.com/brave/simplepadding/blob/master/.github/workflows/scorecards.yml and I’m seeing this error now that I’ve upgraded to v2:

Error: one or more checks had a runtime error: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

Is there a permission missing from the example workflow?

I see it’s also been reported in https://github.com/ossf/scorecard/issues/1097, but I’m not sure I’m seeing the same issue since it was working fine before I upgraded from v1.1.2 to v2.

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 25 (11 by maintainers)

Most upvoted comments

@spencerschrock did you also need to update the action.yml with the latest docker image? Or is that only done as part of the scorecard-action release?

Yes, there should be a proper v2.0.4 tag soon. There’s a bit of a chicken-and-egg problem in the release procedure, you can read more here

I am also curious which workflow publishes this scorecard-action docker image. Thanks!

It’s done as part of the cloudbuild workflows. There are two, but the tagged releases are handled by https://github.com/ossf/scorecard-action/blob/main/cloudbuild-tag.yaml

Yes. v2.0.3 should work. And now that #948 is merged, future releases will use a different fix. Please reopen if you have any issues.

Not fixed quite yet. Still need 1 PR on the scorecard-action side of things after a new scorecard release is cut.

@azeemshaikh38 I think the root cause is due to this line https://github.com/ossf/scorecard/blob/8de962e91d860f81916dbeb3b9a1a943fcf8a80f/cmd/root.go#L163

When Scorecard is run with the GITHUB_TOKEN, some checks (e.g. for branch protection) are expected to error out. Due to the above change, that causes the overall run to fail.

You can search for this string, "one or more checks had a runtime error", in the output for the Action runs that failed, e.g. https://github.com/WeblateOrg/weblate/runs/8262284657#step:4:168

Yes I made the change as part of https://github.com/ossf/scorecard/issues/2124, unaware it would spill over to scorecard-action. Fixing it would probably involve using a specific error here that we check for using errors.Is here and here (or better yet, doing something in the entrypoint to wrap it for all uses)
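The fix sketched in the comment above, as an added example that is not part of the original thread and not scorecard's own code: a sentinel error that a wrapper entrypoint checks with errors.Is, so a per-check runtime error (such as the branch protection query failing under the default GITHUB_TOKEN) no longer fails the whole run. All names (ErrCheckRuntime, checkResult, runChecks, actionExitCode) and the sample results are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrCheckRuntime is a hypothetical sentinel meaning "at least one check could not run".
var ErrCheckRuntime = errors.New("one or more checks had a runtime error")

// checkResult is a hypothetical, minimal per-check record.
type checkResult struct {
	Name string
	Err  error // non-nil when the check itself could not run
}

// runChecks simulates a run with constructed data: Branch-Protection cannot
// run because the token is not allowed to read branch protection settings.
func runChecks() ([]checkResult, error) {
	apiErr := errors.New("githubv4.Query: Resource not accessible by integration")
	results := []checkResult{
		{Name: "Binary-Artifacts"},
		{Name: "Branch-Protection", Err: fmt.Errorf("error during branchesHandler.setup: %w", apiErr)},
	}
	for _, r := range results {
		if r.Err != nil {
			// %w keeps the sentinel in the error chain; the cause is kept as text.
			return results, fmt.Errorf("%w: %v", ErrCheckRuntime, r.Err)
		}
	}
	return results, nil
}

// actionExitCode is what a wrapper entrypoint could do: treat the sentinel as
// non-fatal when results were still produced, and fail on any other error.
func actionExitCode(results []checkResult, err error) int {
	if err == nil {
		return 0
	}
	if errors.Is(err, ErrCheckRuntime) && len(results) > 0 {
		return 0 // results can still be written; the failed check carries its own error
	}
	return 1
}

func main() {
	results, err := runChecks()
	fmt.Println("error:", err)
	fmt.Println("exit code:", actionExitCode(results, err))
}
```

Matching on the sentinel with errors.Is rather than on the message text keeps the check stable if the wording of the error changes.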

I compared the output from cosign (ping @cpanato) and mine, and I see the following difference with the same pipeline file:

cosign:

Repository: sigstore/cosign
Fork repository: false
Private repository: false
Publication enabled: false
Format: json
Policy file: 
Default branch: main
Using payload from: results.json

the failed one:

Private repository: false
Publication enabled: false
Format: sarif
Policy file: /policy.yml
Default branch: main
Error: one or more checks had a runtime error: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
2022/09/09 09:35:31 error during command execution: one or more checks had a runtime error: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

Why is there a /policy.yaml?

Here are the branch protection settings I have enabled in the above repo: [image: Screenshot from 2022-09-08 17-24-37]