
Unable to fetch dependabot metadata with v1.3.0 and alert-lookup & compat-lookup enabled #179

Closed
SalimBensiali opened this issue Mar 14, 2022 · 2 comments · Fixed by #183
Labels
bug Something isn't working

Comments

@SalimBensiali
Contributor

SalimBensiali commented Mar 14, 2022

Hi,

Thanks again for the latest updates in v1.3.0 incorporating more alert metadata.
I tried enabling the new alert-lookup & compat-lookup options, but I am getting a cryptic message, "Error: Resource not accessible by integration", during the "Parsing Dependabot metadata" phase of the action. See the action run at https://github.com/SalimBensiali/le-blanc-jewellery/runs/5545641006?check_suite_focus=true

When not passing the additional options the action runs successfully, but obviously the additional metadata is not available in this case.

Is there anything else I would need to configure? I looked at the documentation and could not find anything else.

Thanks

@SalimBensiali SalimBensiali added the bug Something isn't working label Mar 14, 2022
mkutz pushed a commit to mkutz/github-actions-experiments that referenced this issue Mar 17, 2022
It caused an error: Resource not accessible by integration.
See dependabot/fetch-metadata#179
@SalimBensiali
Contributor Author

It turns out the default secrets.GITHUB_TOKEN does not have enough permissions to allow access to the Dependabot vulnerabilities GraphQL endpoints. I was able to fix that by creating a PAT with the public_repo scope and passing it to the github-token action parameter instead. See https://github.com/SalimBensiali/le-blanc-jewellery/blob/584b38d698d92edbd62d5f93ce8d4edf4333d4ca/.github/workflows/dependabot-auto-label.yml#L24

I only found out about this by accident/luck, as documentation around this was very limited. See https://chezsoi.org/lucas/blog/listing-all-github-security-alerts-of-a-user-s-projects-using-graphql-and-python.html where it is mentioned.

To create a PAT see https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token

I can raise a PR to add this to the docs.

@brrygrdn
Contributor

@SalimBensiali Ah, apologies for that. We have a few places where the GITHUB_TOKEN should be substituted for one with augmented permissions.

I need to make some other updates to the documentation so I will incorporate this.
