The use of Github App results in "403 Resource not accessible by integration" #3771

@taneli-kantomaa

Checks

Controller Version

0.27.6

Helm Chart Version

0.23.7

CertManager Version

1.12.1

Deployment Method

Helm

cert-manager installation

I have followed the instructions here: https://github.com/actions/actions-runner-controller/blob/master/docs/installing-arc.md

Cert-manager is working fine.

Checks

  • This isn't a question or user support case (For Q&A and community support, go to Discussions. It might also be a good idea to contract with any of the contributors and maintainers if your business is so critical and therefore you need priority support)
  • I've read the release notes before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
  • My actions-runner-controller version (v0.x.y) does support the feature
  • I've already upgraded ARC (including the CRDs, see charts/actions-runner-controller/docs/UPGRADING.md for details) to the latest and it didn't fix the issue
  • I've migrated to the workflow job webhook event (if you are using webhook driven scaling)

Resource Definitions

apiVersion: actions.summerwind.dev/v1alpha1
kind: RunnerDeployment
metadata:
  name: azure-github-runner
  namespace: azure-github-runner
  resourceVersion: "667378852"
  uid: 6640c03a-39b7-498e-8ec1-e117bf2143b6
spec:
  replicas: 1
  template:
    spec:
      dockerEnabled: false
      dockerdWithinRunnerContainer: false
      # we have pushed the public image to our private Azure Container Registry
      image: <REDACTED>.azurecr.io/summerwind/actions-runner:v2.319.1-ubuntu-22.04-1be410b
      labels:
      - azure-github-runner-prod
      repository: <REDACTED>/ansible-gitlab
status:
  availableReplicas: 1
  desiredReplicas: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

To Reproduce

See description below ("Describe the bug")

Describe the bug

Hi, I am trying to use a GitHub App as the authentication method, but currently this results in an error "403 Resource not accessible by integration". The PAT authentication method works without problems. Here are the details:

--Setup
aks cluster: v1.28.9
actions-runner-controller helm chart version: 0.23.7
controller-image version: 0.27.6

--Description
I am trying to configure actions-runner-controller (with a Helm chart) to run GitHub Actions from a repository (one single repository) in my GitHub organization (for this organization I have an owner role). Everything works fine when I configure a PAT token, but when I try to replace the PAT token with a GitHub App (under the organization, not by using my personal account) I run into the following error: "403 Resource not accessible by integration". As per my understanding, the GitHub App configuration in GitHub as well as the values.yaml file for the Helm chart installation have been configured correctly:

GitHub App (which is owned by the organization) has the following permissions:
- Repository Permissions: Actions (read + write), Checks (read + write), Contents (read + write), Metadata (read), Workflows (read + write)
- Organization Permissions: Self-hosted runners (read + write)

Any help on this issue would be highly appreciated. Thank you.

Describe the expected behavior

I would be able to use the GitHub App authentication method instead of PAT.

Whole Controller Logs

https://gist.github.com/taneli-kantomaa/5067ee88a322465c08a7282a18c2fc99

Whole Runner Pod Logs

The runner pod does not start at all (or then it starts, but terminates immediately).

Additional Context

No response
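
A permission audit for the setup reported above, as an added example that is not part of the original issue or of the project's code. It takes the `permissions` map of a GitHub App installation and reports which required permissions are missing and which grants exceed the minimum for the runner scope. The `REQUIRED` table is an assumption based on ARC's GitHub App setup documentation, and the sample values are constructed from the grants listed in the issue.

```python
# Added example (not ARC code): audit a GitHub App installation's permissions
# against what a legacy ARC runner scope needs.
# ASSUMPTION: REQUIRED follows ARC's GitHub App setup docs; verify it against
# the docs for your ARC version. Webhook-driven scaling also needs checks: read.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

REQUIRED = {
    "repository": {"actions": "read", "administration": "write",
                   "metadata": "read"},
    "organization": {"actions": "read", "metadata": "read",
                     "organization_self_hosted_runners": "write"},
}

def runner_scope(spec):
    """Return the scope a RunnerDeployment template spec registers runners at."""
    for scope in ("repository", "organization"):
        if spec.get(scope):
            return scope
    raise ValueError("spec sets neither 'repository' nor 'organization'")

def audit(granted, scope):
    """Return (missing, excess) permission maps for the given runner scope."""
    required = REQUIRED[scope]
    # Required permissions that are absent or granted at too low a level.
    missing = {name: need for name, need in required.items()
               if LEVELS[granted.get(name, "none")] < LEVELS[need]}
    # Grants above the minimum: candidates to drop for least privilege.
    excess = {name: have for name, have in granted.items()
              if LEVELS[have] > LEVELS[required.get(name, "none")]}
    return missing, excess

# Constructed sample: the grants listed in the issue, keyed like the
# "permissions" object returned by GET /app/installations/{installation_id}.
GRANTED_FROM_ISSUE = {
    "actions": "write", "checks": "write", "contents": "write",
    "metadata": "read", "workflows": "write",
    "organization_self_hosted_runners": "write",
}
# Constructed stand-in for the redacted RunnerDeployment template spec.
SPEC = {"repository": "example-org/example-repo",
        "labels": ["azure-github-runner-prod"]}

if __name__ == "__main__":
    scope = runner_scope(SPEC)
    missing, excess = audit(GRANTED_FROM_ISSUE, scope)
    print(f"scope:   {scope}")
    print(f"missing: {missing}")
    print(f"excess:  {excess}")
```

Under the assumed requirements, a repository-scoped RunnerDeployment with the grants listed in the issue is reported as missing `administration: write`, while several of the write grants are reported as excess.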

Labels: bug, community, needs triage
