Resource not accessible by integration #8843

serathius · 2022-04-24T12:23:27Z

Description of the issue

Etcd CodeQL analysis is broken returning 403. etcd-io/etcd#13978

RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v1/node_modules/@octokit/request/dist-node/index.js:66:[2](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:2)[3](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:3)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v1/node_modules/bottleneck/light.js:[4](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:4)0[5](https://github.com/etcd-io/etcd/runs/6141920349?check_suite_focus=true#step:3:5):18) {
  status: 403,

The text was updated successfully, but these errors were encountered:

serathius · 2022-04-25T11:05:08Z

Heh, this is not a question, but a bug report.
cc @adityasharad

MathiasVP · 2022-04-25T11:46:06Z

Hi @serathius,

In general, that error usually indicates something wrong with GitHub Actions token permissions.

It looks like you've changed your default token permissions to be restrictive by default without updating the workflow to include the permissions needed for Code Scanning.

Updating the permissions to:

permissions:
  actions: read
  contents: read
  security-events: write

should fix your issue.

serathius · 2022-04-25T12:00:37Z

Thanks for info, however please stop introducing breaking changes in v1 version.

MathiasVP · 2022-04-25T12:40:43Z

I don't think we introduced any breaking changes in this case. These permissions have been the suggested defaults for a long time. You can check out the readme on https://github.com/github/codeql-action for the details.

L3m0nb4tt3ry · 2022-09-19T11:33:10Z

@MathiasVP Not necessarily the same issue, but I am receiving same error while fetching dependabot issues via a graphql query, I tried with permissions: write-all as well but no luck. I can execute same query with my PAT with
repo permissions(i.e Full control of private repositories) but unable to fetch with default token, not sure what exactly is the reason or issue here.

MathiasVP · 2022-09-26T09:57:11Z

Hi @L3m0nb4tt3ry,

Thanks for posting! We'll be happy to take a look at your situation. Would you mind opening a fresh issue with this?

Looking into the [`Resource not accessible by integration` error](https://github.com/pypa/twine/actions/runs/3616376262/jobs/6094277326), I found [an issue](github/codeql#8843) that recommended setting the `permissions`. Looks like this has been added to the [current CodeQL template](https://github.com/pypa/twine/new/main?filename=.github%2Fworkflows%2Fcodeql.yml&workflow_template=code-scanning%2Fcodeql), so I copy & pasted that here.

github/codeql#8843

This is needed by CodeQL to be able to report events. Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com> Fixes: f04d95b ("ci: Add CWE checks for ig.") [1]: github/codeql#8843 (comment)

github/codeql#8843 (comment)

See github/codeql#8843

This is needed after switching default token permissions to be restrictive by default. github/codeql#8843

In commit 977e717 token permissions are set to read. However codeql needs also write for uploading security-events: Uploading results Processing sarif files: ["/home/runner/work/ganeti/results/python.sarif"] Validating /home/runner/work/ganeti/results/python.sarif Combining SARIF files using the CodeQL CLI Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information. Uploading results Warning: Resource not accessible by integration Error: Resource not accessible by integration See also github/codeql#8843 Signed-off-by: Sascha Lucas <sascha_lucas@web.de>

fixes codeql action error see details: github/codeql#8843 (comment)

o0101 · 2024-09-27T06:02:43Z

Hi @serathius,

In general, that error usually indicates something wrong with GitHub Actions token permissions.

It looks like you've changed your default token permissions to be restrictive by default without updating the workflow to include the permissions needed for Code Scanning.

Updating the permissions to:
permissions:
  actions: read
  contents: read
  security-events: write
should fix your issue.

Thank you @MathiasVP that fixed it for us

serathius added the question Further information is requested label Apr 24, 2022

serathius mentioned this issue May 5, 2022

github: Add necessery permissions for CodeQL etcd-io/etcd#14010

Merged

hmakholm closed this as completed Jun 15, 2022

bhrutledge mentioned this issue Dec 5, 2022

Update CodeQL workflow. pypa/twine#952

Merged

This was referenced Mar 2, 2023

🤖 Attach trivy scan reports kairos-io/kairos#1019

Merged

🤖 Update workflow permissions kairos-io/kairos#1021

Merged

CBID2 mentioned this issue Apr 21, 2023

hacker news site added rupali-codes/LinksHub#467

Closed

prazian added a commit to digi-wolk/oss-license-auditor that referenced this issue Jun 3, 2023

Allow Action to write security events

d55a120

github/codeql#8843

prazian added a commit to digi-wolk/oss-license-auditor that referenced this issue Jun 3, 2023

Allow Action to write security events

4978136

github/codeql#8843

mauriciovasquezbernal mentioned this issue Dec 20, 2023

ci: Add write permission to security events when building ig. inspektor-gadget/inspektor-gadget#2315

Merged

Kramer0x0 mentioned this issue Feb 2, 2024

Overwriting permissions on security related jobs cortexproject/cortex#5762

Merged

3 tasks

lemmy added a commit to microsoft/CCF that referenced this issue Mar 26, 2024

Extend permissions to upload security reports that we reuse for TLAi.

4c92be7

github/codeql#8843 (comment)

jeswr added a commit to jeswr/rdfjs-sign that referenced this issue Apr 9, 2024

Update codeql-analysis.yml

1b1461f

See github/codeql#8843

jeswr mentioned this issue Apr 9, 2024

Update codeql-analysis.yml jeswr/rdfjs-sign#14

Merged

jeswr added a commit to jeswr/rdfjs-sign that referenced this issue Apr 9, 2024

Update codeql-analysis.yml (#14)

46b2321

See github/codeql#8843

Christian-B mentioned this issue May 1, 2024

Permissions SpiNNakerManchester/JavaSpiNNaker#1143

Merged

nicomiguelino mentioned this issue Jul 3, 2024

Specifies permissions when doing CodeQL analysis via CI Screenly/Anthias#1956

Merged

waltjones mentioned this issue Jul 9, 2024

Update codeql and github token permissions rollbar/terraform-provider-rollbar#403

Closed

1 task

slyon added a commit to slyon/netplan that referenced this issue Jul 24, 2024

CI: fix CodeQL permissions

bb112ef

This is needed after switching default token permissions to be restrictive by default. github/codeql#8843

slyon mentioned this issue Jul 24, 2024

CI: fix CodeQL permissions canonical/netplan#491

Merged

5 tasks

slyon added a commit to canonical/netplan that referenced this issue Jul 24, 2024

CI: fix CodeQL permissions

b13d36b

This is needed after switching default token permissions to be restrictive by default. github/codeql#8843

saschalucas mentioned this issue Aug 15, 2024

fix token permissions for codeql ganeti/ganeti#1791

Merged

ilgrosso added a commit to apache/syncope that referenced this issue Aug 19, 2024

Fixing CodeQL permissions - see github/codeql#8843

bf2777b

ilgrosso added a commit to apache/syncope that referenced this issue Aug 19, 2024

Fixing CodeQL permissions - see github/codeql#8843

6717686

WeihanLi added a commit to WeihanLi/kubernetes-client-csharp that referenced this issue Sep 8, 2024

Configure permissions for codeql

eea0573

fixes codeql action error see details: github/codeql#8843 (comment)

WeihanLi mentioned this issue Sep 8, 2024

Configure permissions for codeql action kubernetes-client/csharp#1583

Merged

k8s-ci-robot pushed a commit to kubernetes-client/csharp that referenced this issue Sep 8, 2024

Configure permissions for codeql (#1583)

1f71c47

fixes codeql action error see details: github/codeql#8843 (comment)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Resource not accessible by integration #8843

Resource not accessible by integration #8843

serathius commented Apr 24, 2022

serathius commented Apr 25, 2022 •

edited

Loading

MathiasVP commented Apr 25, 2022

serathius commented Apr 25, 2022

MathiasVP commented Apr 25, 2022

L3m0nb4tt3ry commented Sep 19, 2022 •

edited

Loading

MathiasVP commented Sep 26, 2022

o0101 commented Sep 27, 2024

Resource not accessible by integration #8843

Resource not accessible by integration #8843

Comments

serathius commented Apr 24, 2022

serathius commented Apr 25, 2022 • edited Loading

MathiasVP commented Apr 25, 2022

serathius commented Apr 25, 2022

MathiasVP commented Apr 25, 2022

L3m0nb4tt3ry commented Sep 19, 2022 • edited Loading

MathiasVP commented Sep 26, 2022

o0101 commented Sep 27, 2024

serathius commented Apr 25, 2022 •

edited

Loading

L3m0nb4tt3ry commented Sep 19, 2022 •

edited

Loading