Skip to content

Fix workflow permissions to resolve "Resource not accessible by integration" error#721

Merged
A1L13N merged 2 commits into
mainfrom
copilot/update-workflow-permissions
Oct 14, 2025
Merged

Fix workflow permissions to resolve "Resource not accessible by integration" error#721
A1L13N merged 2 commits into
mainfrom
copilot/update-workflow-permissions

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Oct 14, 2025
edited
Loading

Problem

The pr-file-count-labeler.yml workflow was failing with the error:

Resource not accessible by integration

This error occurred when the workflow attempted to remove old file count labels from pull requests using github.rest.issues.removeLabel().

Root Cause

The workflow had pull-requests: read permission, but GitHub requires pull-requests: write permission to modify labels on pull requests. Even though the workflow uses the issues API endpoint (github.rest.issues.removeLabel()), GitHub enforces stricter permissions for pull request modifications as a security measure.

Solution

Updated the permissions block in .github/workflows/pr-file-count-labeler.yml to grant write access to pull requests:

Before:

permissions:
  contents: write
  pull-requests: read
  issues: write

After:

permissions:
  contents: write
  pull-requests: write  # required to add/remove labels on PRs
  issues: write

Impact

This fix resolves the permission error and allows the workflow to successfully:

  • Count files changed in pull requests
  • Remove outdated file count labels (e.g., f5, f10)
  • Add new file count labels (e.g., f15)
  • Create new labels dynamically if they don't exist

The workflow will now function correctly for all pull requests, including those from forked repositories, since it uses pull_request_target trigger with proper permissions.

Testing

The YAML syntax has been validated and the change is minimal (1 line modified), maintaining all existing permissions while adding the necessary write access for pull request label modifications.

Original prompt

Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.
1 reference
The job failed with the error: Resource not accessible by integration. This occurred when attempting to remove a label from a pull request using the GitHub REST API.

Root Cause: This error typically happens when a GitHub Actions workflow running on a pull_request trigger attempts to use a token (usually GITHUB_TOKEN) that does not have sufficient permissions to perform certain actions, like modifying labels on pull requests from forks or when using workflows with insufficient permissions.

Solution:

Update Workflow Permissions: Ensure your workflow has the correct permissions set in .github/workflows/pr-file-count-labeler.yml. Add or update the permissions block to grant write access to issues and pull requests:
yaml permissions: issues: write pull-requests: write

Use the Correct Token: If you are using a custom token, verify that it has the required permissions. If using GITHUB_TOKEN, make sure you are not running into limitations when the workflow is triggered by a forked repository; in that case, GitHub restricts token permissions for security.
Example Correction in Workflow File: yaml

.github/workflows/pr-file-count-labeler.yml
permissions: issues: write pull-requests: write

If you already have a permissions block, ensure it includes at least issues: write.

If you need to reference the code where the error occurs, it is here: if (fLabelRegex.test(name) && name !== newLabel) { try { await github.rest.issues.removeLabel({ owner, repo, issue_number: pull_number, name }); } catch (err) { core.warning(Failed to remove label ${name}: ${err.message}); } }

Summary:

Add or update the permissions block in your workflow YAML to include issues: write and pull-requests: write.
Be aware of pull requests from forks, as GITHUB_TOKEN will have read-only permissions in that context.
After making these changes, commit and push to the repository, then re-run your workflow. This should resolve the "Resource not accessible by integration" error.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Oct 14, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@A1L13N
Fix workflow permissions by adding pull-requests: write
31089e1 
Co-authored-by: A1L13N <193832434+A1L13N@users.noreply.github.com>
Copilot AI changed the title [WIP] Update workflow permissions for label modification Fix workflow permissions to resolve "Resource not accessible by integration" error Oct 14, 2025
Copilot AI requested a review from A1L13N October 14, 2025 14:30
@A1L13N A1L13N marked this pull request as ready for review October 14, 2025 14:47
@A1L13N A1L13N merged commit b5941db into main Oct 14, 2025
1 of 2 checks passed
@A1L13N A1L13N deleted the copilot/update-workflow-permissions branch October 14, 2025 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@A1L13N A1L13N Awaiting requested review from A1L13N

Assignees

@A1L13N A1L13N

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@A1L13N