fetch.py: Resource not accessible by integration / 403 HTTP response #58

Closed
jgehrcke opened this issue May 19, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@jgehrcke
Owner

When I started this project the GITHUB_TOKEN injected into a job was able to read repo traffic API endpoints.

However, that does not work anymore, probably for all repositories. I think this has been the case since this change: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

Log example:

+ python //fetch.py jgehrcke/ghrs-test --snapshot-directory=newsnapshots --fork-ts-outpath=forks-raw.csv --stargazer-ts-outpath=stars-raw.csv
220519-13:07:12.357 INFO:MainThread: processed args: {
  "repo": "jgehrcke/ghrs-test",
  "snapshot_directory": "newsnapshots",
  "fork_ts_outpath": "forks-raw.csv",
  "stargazer_ts_outpath": "stars-raw.csv"
}
220519-13:07:12.357 INFO:MainThread: output directory already exists: newsnapshots
220519-13:07:12.588 INFO:MainThread: Working with repository `Repository(full_name="jgehrcke/ghrs-test")`
220519-13:07:12.723 INFO:MainThread: Request quota limit: RateLimit(core=Rate(reset=2022-05-19 14:06:03, remaining=994, limit=1000))
220519-13:07:12.723 INFO:MainThread: fetch top referrers
220519-13:07:12.867 ERROR:MainThread: this appears to be a permanent error, as in "access denied -- do not retry: 403 {"message": "Resource not accessible by integration", "documentation_url": "https://docs.github.com/rest/reference/repos#get-top-referral-sources"}
+ FETCH_ECODE=1
+ set +x
error: fetch.py returned with code 1 -- exit.
@jgehrcke jgehrcke added the bug Something isn't working label May 19, 2022
@jgehrcke
Owner Author

It looks like even a full-scoped GITHUB_TOKEN isn't enough:

2022-05-19T12:41:29.5791167Z ##[group]GITHUB_TOKEN Permissions
2022-05-19T12:41:29.5791766Z Actions: write
2022-05-19T12:41:29.5792521Z Checks: write
2022-05-19T12:41:29.5792983Z Contents: write
2022-05-19T12:41:29.5793268Z Deployments: write
2022-05-19T12:41:29.5793624Z Discussions: write
2022-05-19T12:41:29.5793926Z Issues: write
2022-05-19T12:41:29.5794234Z Metadata: read
2022-05-19T12:41:29.5794553Z Packages: write
2022-05-19T12:41:29.5794864Z Pages: write
2022-05-19T12:41:29.5795139Z PullRequests: write
2022-05-19T12:41:29.5795497Z RepositoryProjects: write
2022-05-19T12:41:29.5795897Z SecurityEvents: write
2022-05-19T12:41:29.5796183Z Statuses: write

context: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Seems like a personal access token is required now, injected via secrets.

@jgehrcke
Owner Author

that is, the docs need to be overhauled.

@jgehrcke
Owner Author

also, the ghtoken parameter must be declared required now -- via https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputsinput_idrequired

@jgehrcke
Owner Author

Taken care of, I think.

@gtabboud

Hi @jgehrcke - I have followed your tutorial and set up the personal token permissions as stated above, but I still have the Error: Resource not accessible by integration error message. How can I further debug this?

@jgehrcke
Owner Author

jgehrcke commented Aug 8, 2022

How can I further debug this?

@gtabboud you could try doing

curl \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: token <TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/traffic/views

with your authentication token -- this would for starters provide an unambiguous signal for whether or not the token you want to use really has the right privileges associated.
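
An added example, not part of the thread or the project's code: the same token check as the curl command above, in Python, with the response mapped to a likely cause so a CI step can fail with a readable reason. The names `diagnose`, `probe` and the `GH_TOKEN` variable are chosen for this example, and the readings of 401 and 404 are general GitHub API behaviour rather than something stated in this issue.

```python
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"


def diagnose(status, body, scopes=None):
    """Turn a traffic-API response into a likely cause (heuristic wording, not GitHub's)."""
    try:
        message = str(json.loads(body).get("message", ""))
    except (ValueError, AttributeError):
        message = ""  # body was not a JSON object
    if status == 200:
        return "ok: token can read traffic data"
    if status == 401:
        return "bad credentials: token is mistyped, expired or revoked"
    if status == 403 and "not accessible by integration" in message.lower():
        # The exact error from this issue, seen there with a job's GITHUB_TOKEN.
        return "denied: token is not allowed to read traffic endpoints"
    if status == 403:
        return f"forbidden: {message or 'no message'} (scopes: {scopes or 'none reported'})"
    if status == 404:
        return "not found: wrong OWNER/REPO, or the token cannot see the repo"
    return f"unexpected HTTP {status}: {message or 'no message'}"


def probe(repo, token):
    """GET /repos/OWNER/REPO/traffic/views, as in the curl command; never prints the token."""
    req = urllib.request.Request(
        f"{API}/repos/{repo}/traffic/views",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"token {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, body, hdrs = resp.status, resp.read(), resp.headers
    except urllib.error.HTTPError as err:
        status, body, hdrs = err.code, err.read(), err.headers
    # X-OAuth-Scopes is only sent for tokens that carry OAuth scopes.
    return status, diagnose(status, body, hdrs.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    # GH_TOKEN is a hypothetical variable name chosen for this example.
    code, verdict = probe(sys.argv[1], os.environ["GH_TOKEN"])
    print(code, verdict)
    sys.exit(0 if code == 200 else 1)
```

Run it with the repository as the only argument and the token supplied through the environment, so the secret never appears in the process list or the job log.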
