codeql/upload-sarif@v3 action failed: Resource not accessible by integration - missing actions: read
#2117
Comments
Thanks for posting. We're taking a look at this. Can you let us know the org/name of the repository where this is happening so we can look for this in our telemetry?
@aeisenberg You can see at
It looks like your workflow is failing at the point it is trying to send telemetry back to github.com, which is why we are not able to find any error reports in our logs about this. On Friday, we merged #2112 (which has already been released), which may fix an instance of this problem, but I'm not sure if this is exactly what you are seeing. Would you try again to see if this addresses your problem? If not, there is another PR that is more likely to address your issue: #2110. We are in the process of reviewing it. Once this PR is merged to main, I would recommend that you try this fix out as well. (Just change the
@aeisenberg I've just tried with I'll wait and try when #2110 gets merged.
This is a private repository (which I haven't mentioned) - so maybe that is the reason telemetry is not there?
Thanks for trying.
We collect metadata (repository name, runtime, run status, etc.) and error messages about all code scanning runs even in private repositories. This is to help us measure our internal SLOs and quickly see if there is a problem or any worrying trend. The data is purged after 6 months.
@aeisenberg just checked after merging of #2110 with
@SPodjasek The remaining changes in #2110 were just documentation. The functional change seems to be #2121 now.
Ok, I'll monitor #2121 now...
Oh. I bet I know what the problem is. check-spelling has code for it: Check Spelling: .github/workflows/spelling.yml#L106 Odds are that your repository is not a GHES or similar, or that if you're a GHES or similar you aren't also paying for GitHub Advanced Security. check-spelling has to bend over backwards to handle this stuff (which is part of why I'm working on these repositories to make my experience slightly less tortured). retroactive edit: My bet was wrong, although in a way it was along the right track -- as it turns out it was a permissions issue, just not
@jsoref Well, we do have a GitHub Advanced Security license and it's enabled on the repository that throws errors.
Interesting... I don't suppose you could set up an empty repository (private, with advanced security) with https://github.com/check-spelling/spell-check-this/blob/main/.github/workflows/spelling.yml and see what it says?
I've tried to downgrade Is it possible that the file itself is broken in some way and upload fails because of that? I'll try to store it in artifacts....
Here's the contents of the SARIF file produced by Docker Scout:

```json
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Docker Scout",
          "informationUri": "https://docker.com/products/docker-scout",
          "name": "docker scout",
          "rules": [],
          "version": "1.4.1-SNAPSHOT-8f8fca4"
        }
      },
      "results": []
    }
  ]
}
```
The main difference between v2 and v3 is just the runtime (runs.using: node16 vs runs.using: node20) -- it isn't an API break in the normal sense. I was wrong, the changes I'm working on should fix this... I've generated a number of bad json files, and generally that doesn't result in the error you're seeing. There should be a way to get all the headers (both sent and received) from the codeql action when it fails to post to the endpoint (I can't remember if there actually is, and in fact, I think it's missing, in which case we should add it). With those headers ... things become quite clear...
So, some of the code paths are nice and will spit out a thing like:
The request id is (in theory) really helpful for doing things. I think the failure in my example above is more or less tied to this code path: codeql-action/src/init-action-post.ts Line 89 in 1515e2b
which I think eventually led to this really valuable line: codeql-action/src/status-report.ts Line 332 in 1515e2b
Now we just need to figure out which path you went down...
For comparison, https://github.com/check-spelling-sandbox/decidim/actions/runs/7837152919/artifacts/1231830536 (currently) has an artifact tied to https://github.com/check-spelling-sandbox/decidim/actions/runs/7837152919#summary-21386271295 (which generated 238 sarif items). -- You're free to download the artifact and compare. Offhand, check-spelling's tool.driver doesn't have fullName, but otherwise there's nothing exciting in the json.
Found the cause of this problem, a missing permission:

```yaml
permissions:
  actions: read
```

which caused the action to fail, probably here (before any real upload occurs): codeql-action/src/upload-sarif-action.ts Lines 53 to 64 in 1515e2b
Oh! Then, um, maybe the fix I'm working on would fix it. Definitely try
I've forked this action repository to add some logging to see what's really going on, but I've noticed that it never reached the real upload code. After disabling the code mentioned above I got After adding this permission on the job level it started to work. We do use a reusable workflow which has the

```yaml
permissions:
  actions: write
```

permission declared in the calling workflow, but the job-level declaration in the called workflow was missing.
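As an added example (not code from the codeql-action project), a small check for the permissions gap described in the two comments above: given a parsed workflow (a dict, as yaml.safe_load would return), it flags jobs that run upload-sarif without `security-events: write` and `actions: read`, treating a job-level `permissions:` block as replacing the workflow-level one, which is how the called workflow's job ended up without `actions: read`. The sample workflows are constructed.

```python
# Added example, not code from the codeql-action project: flag jobs that run
# github/codeql-action/upload-sarif without the permissions this issue turned on
# (security-events: write and actions: read). The workflow is a plain dict, as
# yaml.safe_load would return it; the sample workflows below are constructed.

REQUIRED = {"security-events": "write", "actions": "read"}
RANK = {"none": 0, "read": 1, "write": 2}

def effective_permissions(workflow: dict, job: dict) -> dict:
    """A job-level permissions: block replaces the workflow-level one entirely
    (unlisted scopes become none); read-all / write-all grant every scope."""
    perms = job.get("permissions", workflow.get("permissions", {}))
    if perms == "read-all":
        return {scope: "read" for scope in REQUIRED}
    if perms == "write-all":
        return {scope: "write" for scope in REQUIRED}
    return dict(perms or {})

def uses_upload_sarif(job: dict) -> bool:
    return any("codeql-action/upload-sarif" in str(step.get("uses", ""))
               for step in job.get("steps", []))

def missing_permissions(workflow: dict) -> dict:
    """Map job id -> 'scope: level' entries that must be added to that job."""
    findings = {}
    for job_id, job in workflow.get("jobs", {}).items():
        if not uses_upload_sarif(job):
            continue
        have = effective_permissions(workflow, job)
        gaps = [f"{scope}: {level}" for scope, level in REQUIRED.items()
                if RANK.get(have.get(scope, "none"), 0) < RANK[level]]
        if gaps:
            findings[job_id] = gaps
    return findings

# Constructed: the shape of the mistake above. The top-level block grants
# actions: write, but the job's own block replaces it and omits actions: read.
BROKEN = {
    "permissions": {"actions": "write", "security-events": "write"},
    "jobs": {"scan": {"permissions": {"security-events": "write"},
                      "steps": [{"uses": "github/codeql-action/upload-sarif@v3",
                                 "with": {"sarif_file": "scout.sarif"}}]}},
}
FIXED = {"jobs": {"scan": {"permissions": {"security-events": "write", "actions": "read"},
                           "steps": [{"uses": "github/codeql-action/upload-sarif@v3"}]}}}

if __name__ == "__main__":
    print(missing_permissions(BROKEN))  # {'scan': ['actions: read']}
    print(missing_permissions(FIXED))   # {}
```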
Ok, we definitely want to add some code to ensure that that header is reported when things fail. I've filed: Which should improve life for the next person (once lots of things upgrade). Conveniently, triage for that project is on Fridays, so hopefully they'll look at it tomorrow.
Fwiw, I won't be able to fully debug this edge case -- it requires having a GHES w/ GHAS and setting up a private repository. w/ public repositories, I did look through the code, but I can't precisely figure out where it's going off to try to talk to an actions endpoint (if I saw the url or had a stack trace of sorts, I might be able to figure things out). Could you update the description here to add "missing actions: read"
Ok, with a bit of debugging, I can reproduce and it makes sense (check-spelling indeed does similar acrobatics)
Here's the culprit: codeql-action/src/api-client.ts Lines 128 to 135 in 1515e2b
In fact, check-spelling has fallback code where it rummages through the active repository trying to guess the answer in the case where it can't get the answer via the API: check-spelling/check-spelling@72af927 Pretty much every action author ends up reinventing some poor version of one of these various code things. It looks like this problem was fixed as of GHES 3.9 with the introduction of (Sadly there's still a 3.8 out there, but at least for most folks that's less of a problem.)
With the fix to the above issue, the output I get for this case (private repository, no
Which is a huge improvement. (In order to get that, octokit would need to accept the PR, make a release, and then this repository would need to upgrade.)
@SPodjasek: thanks for the help ... I think I now have two PRs to this repository that should be able to address the problem you've identified (plus the longer term debugging improvement to octokit). If you can comment on the open PRs indicating that they help this, that'd be helpful -- my testing involves creating a private repository and running a workflow w/ this action w/o
@jsoref Just tested with your fork and after removing Should I keep this issue open until all PRs get merged for reference?
Yes. I'd rather it be open to catch anyone else looking for it until it's fixed.
Still catching up, but seems like if we are working with tar ball mode:

```text
Could not determine current commit SHA using git. Continuing with data from user input or environment.
fatal: ambiguous argument 'refs/remotes/pull/85/merge': unknown revision or path not in the working tree.
```

We are using remote workflows from using invoke method. Issue during uploading of the results to GitHub, due to missing permissions and wrong branch name.
@sudhakarinka, this appears to be a different problem. Can you please open a new issue and include your full workflow and the value of
I'm seeing what might be a related failure with this action with I have the action configured in this workflow: https://github.com/pachli/pachli-android/blob/main/.github/workflows/ci.yml This works on PRs -- the SARIF file generated by Android lint is detected and uploaded, and the results appear in the GitHub UI. For example, https://github.com/pachli/pachli-android/security/code-scanning/79 from a recent PR (also visible as PR comments in the file However, when this same action runs as part of the belt-and-braces post-merge-to-main check it fails with a "Resource not accessible by integration" error. See https://github.com/pachli/pachli-android/actions/runs/12030366437/job/33537627280 for example. This is the same workflow that successfully ran when it was a PR, the GitHub Token permissions are identical (
@nikclayton, you can try rerunning the failing step -- I think that should trigger debug mode which should give a bit of an explanation of what it's complaining about. Indeed, your permissions are identical between those two jobs -- I don't have any guesses (I do have ~4 PRs I'm working through for this repo, but, I'll need to get most of them merged and to see some more output to have any chance of working on your variation).
@nikclayton I'm actually surprised that any jobs are able to upload sarif. You need to set
Required on `main` according to github/codeql-action#2117
@jsoref Thanks. https://github.com/pachli/pachli-android/actions/runs/12030366437/job/33563161258 is a run that just finished with debug logging enabled. @aeisenberg Yeah, I'm surprised too after doing more reading. Thanks for the suggestion it (pachli/pachli-android#1140) worked (https://github.com/pachli/pachli-android/actions/runs/12038705795).
So, unwrapped,...

```json
{
  "color": "orange",
  "store": "Google",
  "type": "Release"
}
{
  "action_name": "upload-sarif",
  "action_oid": "unknown",
  "action_ref": "f09c1c0a94de965c15400f5634aa42fac8fb8f88",
  "action_started_at": "2024-11-26T20:06:48.112Z",
  "action_version": "3.27.5",
  "analysis_key": ".github/workflows/ci.yml:lint",
  "commit_oid": "4a2a465bfe0bd57d5e06979891ee8d8d29a15a3e",
  "first_party_analysis": false,
  "job_name": "lint",
  "job_run_uuid": "",
  "ref": "refs/heads/main",
  "runner_os": "Linux",
  "started_at": "2024-11-26T20:06:48.112Z",
  "status": "failure",
  "steady_state_default_setup": false,
  "testing_environment": "",
  "workflow_name": "CI",
  "workflow_run_attempt": 2,
  "workflow_run_id": 12030366437,
  "actions_event_name": "push",
  "runner_available_disk_space_bytes": 19736158208,
  "runner_total_disk_space_bytes": 77851254784,
  "cause": "Resource not accessible by integration",
  "exception": "HttpError: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/f09c1c0a94de965c15400f5634aa42fac8fb8f88/node_modules/@octokit/request/dist-node/index.js:86:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/f09c1c0a94de965c15400f5634aa42fac8fb8f88/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/f09c1c0a94de965c15400f5634aa42fac8fb8f88/node_modules/bottleneck/light.js:405:18)",
  "completed_at": "2024-11-26T20:06:49.047Z",
  "matrix_vars": matrix_vars,
  "runner_arch": "X64",
  "runner_os_release": "6.5.0-1025-azure",
  "runner_image_version": "20241124.1.0"
}
```
Sadly, ironically, I think what we're seeing is the message about failing to send a notification that it failed to upload. Do you have/can you also get one where you have
TL;DR
When you're facing this issue in a private repository, please add
to your workflow, or wait until this PR gets merged:
Fixed in #2126: `GITHUB_WORKFLOW_REF` over using `actions: read` to calculate the workflow path

When trying to upload a SARIF file produced by Docker Scout we get `Resource not accessible by integration`, despite the `security-events` permission being set to `write`. Detailed workflow run logs are below. I've stripped output from scout as I believe it's irrelevant.
Logs