Plugin tries to access repository issues when successComment and failComment are disabled #1083

@iwpnd

Hey there 👋

Environment

  • semantic-release version: latest
  • @semantic-release/github version: latest
  • CI service: GitHub Actions
  • Action used: cycjimmy/semantic-release-action@v4

Expected Behavior

When successComment and failComment are explicitly disabled (set to false), the plugin should skip any operations that require access to repository issues and pull requests, and should not require issues: write permissions.

Actual Behavior

The plugin fails with a "Resource not accessible by integration" error, specifically when trying to access repository.issues, even when comment functionality is disabled.

Configuration

The semantic-release configuration has comments disabled:

{
  "branches": [
    "main"
  ],
  "plugins": [
    [
      "@semantic-release/commit-analyzer",
      {
        "preset": "conventionalcommits",
        "releaseRules": [
          {
            "type": "perf",
            "release": "patch"
          },
          {
            "type": "chore",
            "scope": "deps",
            "release": "patch"
          }
        ]
      }
    ],
    [
      "@semantic-release/release-notes-generator",
      {
        "preset": "conventionalcommits",
        "presetConfig": {
          "types": [
            {
              "type": "feat",
              "section": "✨ Features"
            },
            {
              "type": "fix",
              "section": "🐛 Bug Fixes"
            },
            {
              "type": "perf",
              "section": "🚀 Performance"
            },
            {
              "type": "chore",
              "section": "🧹 Miscellaneous"
            },
            {
              "type": "refactor",
              "section": "🧹 Miscellaneous"
            },
            {
              "type": "chore",
              "scope": "deps",
              "section": "🛠️ Dependencies"
            }
          ]
        }
      }
    ],
    [
      "@semantic-release/changelog",
      {
        "changelogFile": "CHANGELOG.md"
      }
    ],
    [
      "@semantic-release/git",
      {
        "assets": [
          "CHANGELOG.md"
        ],
        "message": "chore(release): ${nextRelease.version} [skip ci]"
      }
    ],
    "@semantic-release/github",
    {
      "successComment": false,
      "failComment": false,
      "failTitle": false,
      "labels": false,
      "releasedLabels": false
    }
  ]
}

Error Log

[semantic-release] › ✘ An error occurred while running semantic-release: Error: Resource not accessible by integration
 at file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/node_modules/aggregate-error/index.js:23:26
 at Array.map (<anonymous>)
 at new AggregateError (file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/node_modules/aggregate-error/index.js:16:19)
 at file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/lib/plugins/pipeline.js:55:13
 at async pluginsConfigAccumulator.<computed> [as success] (file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/lib/plugins/index.js:87:11)
 at async run (file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/index.js:218:3)
 at async Module.default (file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/index.js:278:22)
 at async release (/home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/src/index.js:36:18) {
 type: 'FORBIDDEN',
 path: [ 'repository', 'issues' ],
 extensions: { saml_failure: false },
 locations: [ { line: 4, column: 7 } ],
 pluginName: '@semantic-release/github'
}

Analysis

The error indicates that:

  1. The plugin is attempting to access repository.issues
  2. The GitHub token lacks the necessary permissions (issues: write)
  3. This happens during the success phase of the plugin pipeline
  4. The access attempt occurs despite comments being explicitly disabled

Expected Fix

The plugin should check if successComment and failComment are disabled before attempting to access repository issues. When both are false, no issues/PRs permissions should be required.

Impact

This issue prevents the use of GitHub App tokens that have limited permissions. In organizational settings where GitHub App tokens are restricted and cannot be extended to include issues: write permissions, this makes the plugin unusable even when comment functionality is explicitly disabled.

Workaround Limitations

The typical workaround of granting additional permissions to the GitHub token is not feasible in this case, as the token is a GitHub App token with organizational restrictions that prevent extending permissions to include issues: write.

Additional Context

  • The release creation, changelog generation, and other core functionality work correctly
  • The error only occurs during the success phase when the plugin attempts to access issues
  • This behavior seems inconsistent with the expectation that disabling comments should eliminate the need for issues permissions
  • The GitHub token is a GitHub App token with organizational permission restrictions that cannot be modified

Reproduction Steps

  1. Set up semantic-release with @semantic-release/github plugin
  2. Disable successComment and failComment in plugin configuration
  3. Run semantic-release with a GitHub token that has contents: write but not issues: write
  4. Observe the "Resource not accessible by integration" error

Appendix

Prepare all required actions
Getting action download info
Download action repository 'actions/setup-node@v4' (SHA:49933ea5288caeca8642d1e84afbd3f7d6820020)
Download action repository 'cycjimmy/semantic-release-action@v4' (SHA:16ca923e6ccbb50770c415a0ccd43709a8c5f7a4)
Run ./.github/actions/tag-and-release
Run actions/checkout@v4
Syncing repository: company/project
Getting Git version info
Temporarily overriding HOME='/home/runner/_work/_temp/c6b743db-3492-4661-b0c1-d70aa0cec226' before making global git config changes
Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /home/runner/_work/project/project
/usr/bin/git config --local --get remote.origin.url
https://github.com/company/project
Removing previously created refs, to avoid conflicts
/usr/bin/git submodule status
Cleaning the repository
Disabling automatic garbage collection
Setting up auth
Fetching the repository
Determining the checkout info
/usr/bin/git sparse-checkout disable
/usr/bin/git config --local --unset-all extensions.worktreeConfig
Checking out the ref
/usr/bin/git log -1 --format=%H
e5586696802be8c206db2dd72a876e80689206e9
Removing auth
Run actions/setup-node@v4
Attempting to download 20...
Acquiring 20.19.4 - x64 from https://github.com/actions/node-versions/releases/download/20.19.4-16309772647/node-20.19.4-linux-x64.tar.gz
Extracting ...
/usr/bin/tar xz --strip 1 --warning=no-unknown-keyword --overwrite -C /home/runner/_work/_temp/88e3338f-cbab-44db-95de-3eb0238949a4 -f /home/runner/_work/_temp/c6f3816a-866d-4b3a-8073-2ef74f0b337f
Adding to the cache ...
Environment details
Run cycjimmy/semantic-release-action@v4

added 342 packages, and audited 551 packages in 3s

107 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

[6:44:50 AM] [semantic-release] › ℹ  Running semantic-release version 24.2.7
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/changelog"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/git"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/github"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "analyzeCommits" from "@semantic-release/commit-analyzer"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "generateNotes" from "@semantic-release/release-notes-generator"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/changelog"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/git"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/github"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "addChannel" from "@semantic-release/github"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "success" from "@semantic-release/github"
[6:44:50 AM] [semantic-release] › ✔  Loaded plugin "fail" from "@semantic-release/github"
[6:44:51 AM] [semantic-release] › ✔  Run automated release from branch main on repository https://github.com/company/project
[6:44:52 AM] [semantic-release] › ✔  Allowed to push to the Git repository
[6:44:52 AM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/changelog"
[6:44:52 AM] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/changelog"
[6:44:52 AM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/git"
[6:44:52 AM] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/git"
[6:44:52 AM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/github"
[6:44:52 AM] [semantic-release] [@semantic-release/github] › ℹ  Verify GitHub authentication (https://api.github.com)
[6:44:52 AM] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/github"
[6:44:52 AM] [semantic-release] › ℹ  Found git tag v1.12.1 associated with version 1.12.1 on branch main
[6:44:52 AM] [semantic-release] › ℹ  Found 2 commits since last release
[6:44:52 AM] [semantic-release] › ℹ  Start step "analyzeCommits" of plugin "@semantic-release/commit-analyzer"
[6:44:52 AM] [semantic-release] [@semantic-release/commit-analyzer] › ℹ  Analyzing commit: fix: 🐛 release
[6:44:52 AM] [semantic-release] [@semantic-release/commit-analyzer] › ℹ  The release type for the commit is patch
[6:44:52 AM] [semantic-release] [@semantic-release/commit-analyzer] › ℹ  Analyzing commit: docs: 📚️ add tl;dr to readme [skip ci]
[6:44:52 AM] [semantic-release] [@semantic-release/commit-analyzer] › ℹ  The commit should not trigger a release
[6:44:52 AM] [semantic-release] [@semantic-release/commit-analyzer] › ℹ  Analysis of 2 commits complete: patch release
[6:44:52 AM] [semantic-release] › ✔  Completed step "analyzeCommits" of plugin "@semantic-release/commit-analyzer"
[6:44:52 AM] [semantic-release] › ℹ  The next release version is 1.12.2
[6:44:52 AM] [semantic-release] › ℹ  Start step "generateNotes" of plugin "@semantic-release/release-notes-generator"
[6:44:52 AM] [semantic-release] › ✔  Completed step "generateNotes" of plugin "@semantic-release/release-notes-generator"
[6:44:52 AM] [semantic-release] › ℹ  Start step "prepare" of plugin "@semantic-release/changelog"
[6:44:52 AM] [semantic-release] [@semantic-release/changelog] › ℹ  Update /home/runner/_work/project/project/CHANGELOG.md
[6:44:52 AM] [semantic-release] › ✔  Completed step "prepare" of plugin "@semantic-release/changelog"
[6:44:52 AM] [semantic-release] › ℹ  Start step "prepare" of plugin "@semantic-release/git"
[6:44:52 AM] [semantic-release] [@semantic-release/git] › ℹ  Found 1 file(s) to commit
[6:44:53 AM] [semantic-release] [@semantic-release/git] › ℹ  Prepared Git release: v1.12.2
[6:44:53 AM] [semantic-release] › ✔  Completed step "prepare" of plugin "@semantic-release/git"
[6:44:53 AM] [semantic-release] › ℹ  Start step "generateNotes" of plugin "@semantic-release/release-notes-generator"
[6:44:53 AM] [semantic-release] › ✔  Completed step "generateNotes" of plugin "@semantic-release/release-notes-generator"
[6:44:54 AM] [semantic-release] › ✔  Created tag v1.12.2
[6:44:54 AM] [semantic-release] › ℹ  Start step "publish" of plugin "@semantic-release/github"
[6:44:54 AM] [semantic-release] [@semantic-release/github] › ℹ  Published GitHub release: https://github.com/company/project/releases/tag/v1.12.2
[6:44:54 AM] [semantic-release] › ✔  Completed step "publish" of plugin "@semantic-release/github"
[6:44:54 AM] [semantic-release] › ℹ  Start step "success" of plugin "@semantic-release/github"
[6:44:56 AM] [semantic-release] › ✘  Failed step "success" of plugin "@semantic-release/github"
[6:44:56 AM] [semantic-release] › ✘  An error occurred while running semantic-release: Error: Resource not accessible by integration
    at file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/node_modules/aggregate-error/index.js:23:26
    at Array.map (<anonymous>)
    at new AggregateError (file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/node_modules/aggregate-error/index.js:16:19)
    at file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/lib/plugins/pipeline.js:55:13
    at async pluginsConfigAccumulator.<computed> [as success] (file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/lib/plugins/index.js:87:11)
    at async run (file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/index.js:218:3)
    at async Module.default (file:///home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/node_modules/semantic-release/index.js:278:22)
    at async release (/home/runner/_work/_actions/cycjimmy/semantic-release-action/v4/src/index.js:36:18) {
  type: 'FORBIDDEN',
  path: [ 'repository', 'issues' ],
  extensions: { saml_failure: false },
  locations: [ { line: 4, column: 7 } ],
  pluginName: '@semantic-release/github'
}
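
semantic-release documents per-plugin options as a `[name, options]` pair inside `plugins`; in the configuration quoted in the report, the `@semantic-release/github` options object is a separate array entry after the plugin name. The check below is an added example (not code from the report or from the plugin) that flags that shape and rewrites it into the paired form; the function names are hypothetical and the sample config is constructed.

```javascript
// Added example: lint a semantic-release config for plugin options that are
// not paired with their plugin. All names here are hypothetical.
const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// One finding per plain object in `plugins` that directly follows a bare
// plugin name. Objects carrying a `path` key are skipped, on the assumption
// that they are a deliberate object-form plugin entry.
function findDetachedPluginOptions(config) {
  const plugins = Array.isArray(config.plugins) ? config.plugins : [];
  const findings = [];
  plugins.forEach((entry, i) => {
    const prev = plugins[i - 1];
    if (isPlainObject(entry) && !("path" in entry) && typeof prev === "string") {
      findings.push({ index: i, plugin: prev, optionKeys: Object.keys(entry) });
    }
  });
  return findings;
}

// Returns a copy of the config with each finding folded into a
// [name, options] pair; the input object is left untouched.
function pairDetachedOptions(config) {
  const detached = new Set(findDetachedPluginOptions(config).map((f) => f.index));
  const out = [];
  (config.plugins || []).forEach((entry, i) => {
    if (detached.has(i)) {
      out[out.length - 1] = [out[out.length - 1], entry];
    } else {
      out.push(entry);
    }
  });
  return { ...config, plugins: out };
}

// Constructed sample, trimmed to the same shape as the config in the report.
const sampleConfig = {
  branches: ["main"],
  plugins: [
    ["@semantic-release/changelog", { changelogFile: "CHANGELOG.md" }],
    "@semantic-release/github",
    { successComment: false, failComment: false, failTitle: false },
  ],
};

console.log(JSON.stringify(findDetachedPluginOptions(sampleConfig), null, 2));
console.log(JSON.stringify(pairDetachedOptions(sampleConfig).plugins));
```

Running a check like this in CI before the release job makes it visible whether the comment settings ever reach the plugin, which matters when the token is deliberately scoped to `contents: write` only.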
