[Help] Error: Resource not accessible by integration #7

Open
morningman opened this issue Jul 20, 2021 · 4 comments
@morningman

https://github.com/apache/incubator-doris/pull/6274/checks?check_run_id=3110675706

I have no idea why it happened...
Could you please help me?

@TobKed
Owner

TobKed commented Jul 20, 2021

Hi @morningman
I suspect that the problem may lie in the permissions set for `secrets.GITHUB_TOKEN`.
I will verify which permissions exactly are required and let you know.

@TobKed
Owner

TobKed commented Jul 20, 2021

@morningman I created a working example: apache/doris#6279
but I need to improve the description and documentation

@morningman
Author

> Hi @morningman
> I suspect that the problem may lie in the permissions set for `secrets.GITHUB_TOKEN`.
> I will verify which permissions exactly are required and let you know.

Thanks a lot!
The apache/incubator-doris is an Apache Incubating project. And there are some rules about how to use GitHub Actions in Apache projects: https://infra.apache.org/github-actions-secrets.html

And I notice that We only allow Actions that are official "Made by GitHub" or local to the Apache org on GitHub.
So I created a ticket to Apache Infra to allow TobKed/label-when-approved-action GitHub Action to be used in ASF GitHub builds. And it has been approved.

@TobKed
Owner

TobKed commented Jul 21, 2021

Thanks @morningman !

morningman pushed a commit to apache/doris that referenced this issue Jul 25, 2021
My change is a fix and improvement for the GitHub Action which labels approved PRs (introduced in this [PR](#6239)).

It is inspired by the solution introduced and tested in [Apache Airflow](https://github.com/apache/airflow) (thanks @potiuk @ashb 🚀 )

Corresponding Apache Airflow workflows on which I based this PR:
 - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed.yml
 - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed_workflow_run.yml

Problems which were solved in this PR:

 - **Permissions**.
   @morningman opened a related bug: [[Help] Error: Resource not accessible by integration](TobKed/label-when-approved-action#7). It is related to the limited permissions of workflows triggered by `pull_request_review` (`GITHUB_TOKEN` has read-only permissions). You can find more information about it in the article: [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
   TL;DR: On a pull request review event (`on: pull_request_review`), the "dummy" workflow `Label when reviewed` triggers another workflow, `Label when approved workflow run`, which has sufficient permissions (`on: workflow_run: workflows: ["Label when reviewed"]`).

 - **Safe use of 3rd-party GitHub Actions by using submodules pattern.** It is described in:
   https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status

    >  NEVER use 3rd-party actions directly in your workflows - use the "submodule" pattern.
    
    This pattern is successfully used by projects like:
     - [Apache Airflow](https://github.com/apache/airflow) ([PR](apache/airflow#13514))
     - [Apache Beam](https://github.com/apache/beam) ([PR](apache/beam#13736))
     - [Apache Superset](https://github.com/apache/superset) ([PR](apache/superset#12709))
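
The rule quoted in the thread (only GitHub-made or Apache-local actions) and the submodule pattern from the commit message can be checked mechanically over a workflow file. The following is an added example, not code from this thread or from the projects mentioned; the allowed-owner list, the `REF` placeholder, the vendored path and both workflow fragments are assumptions constructed for illustration.

```python
import re

# Assumption: owners counted as "Made by GitHub" or local to the Apache org.
ALLOWED_OWNERS = {"actions", "github", "apache"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")

def classify(ref):
    """Classify a uses: value as 'local', 'allowed' or 'third-party'."""
    if ref.startswith("./"):
        return "local"  # submodule pattern: action vendored inside the repo
    owner = ref.split("/", 1)[0].lower()
    return "allowed" if owner in ALLOWED_OWNERS else "third-party"

def audit(workflow_text):
    """Return (line_number, ref) for each direct third-party action reference."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "third-party":
            findings.append((number, match.group(1)))
    return findings

# Constructed fragment: third-party action referenced directly (REF is a placeholder).
DIRECT = """\
on: pull_request_review
jobs:
  label:
    steps:
      - uses: actions/checkout@v2
      - uses: TobKed/label-when-approved-action@REF
"""

# Constructed fragment: same action vendored as a git submodule (hypothetical path).
VENDORED = """\
on:
  workflow_run:
    workflows: ["Label when reviewed"]
jobs:
  label:
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: recursive
      - uses: ./.github/actions/label-when-approved-action
"""

if __name__ == "__main__":
    print(audit(DIRECT), audit(VENDORED))
```
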