Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document what permissions are required #464

Open
brettcannon opened this issue Apr 28, 2021 · 6 comments
Open

Document what permissions are required #464

brettcannon opened this issue Apr 28, 2021 · 6 comments
Assignees

Comments

@brettcannon
Copy link

@brettcannon brettcannon commented Apr 28, 2021

We switched our repo to the default read-only permissions for GitHub Actions and our CodeQL workflow started to fail. Based on the failure message it seems the statuses: write permission is required.

P.S. Sorry to file an issue when the issue template selector only says to open an issue with GitHub Support, but none of the options really made sense since there's not "issues with a GitHub project" option.

@aeisenberg
Copy link
Contributor

@aeisenberg aeisenberg commented Apr 28, 2021

Thanks, @brettcannon! Let me look at that.

We should also revisit our issue templates.

@aeisenberg aeisenberg self-assigned this Apr 28, 2021
@aeisenberg
Copy link
Contributor

@aeisenberg aeisenberg commented Apr 28, 2021

As far as I can tell, if you are using the default workflow, you should only need the following permissions:

    permissions:
      contents: read
      security-events: write
      pull-requests: read

Is your workflow doing anything special?

@The-Compiler
Copy link
Contributor

@The-Compiler The-Compiler commented Apr 28, 2021

@aeisenberg I'm not entirely sure if you're aware (apologies if you are!), but there was a recent change which allows restricting the default GitHub secret to read-only access.

This seems like an excellent best practice to follow (principle of least privilege), but indeed the CodeQL action fails with a non-obvious error message:

[...]
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/qutebrowser/qutebrowser/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL Action octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: [...]
    request: { agent: [Agent], hook: [Function: bound bound register] }
  },
  documentation_url: 'https://docs.github.com/rest'
}
Error: Resource not accessible by integration

like @brettcannon I initially suspected it'd need statuses: write (based on the API URL used), but that didn't help.

Indeed just setting:

permissions:
  security-events: write

seemed to fix this for me, but I probably wouldn't have found if it wasn't for this issue.

brettcannon added a commit to brettcannon/vscode-python that referenced this issue Apr 28, 2021
See github/codeql-action#464 for details
@brettcannon
Copy link
Author

@brettcannon brettcannon commented Apr 28, 2021

@aeisenberg It's the vanilla workflow with just the languages we don't use left out: https://github.com/microsoft/vscode-python/blob/main/.github/workflows/codeql-analysis.yml.

But you and the @The-Compiler have the solution I was after and couldn't find in the docs! We have flipped all of our repos to the read-only access on workflows, hence the sudden failure (thanks for the forcing function, codecov 😉 ).

@aeisenberg
Copy link
Contributor

@aeisenberg aeisenberg commented Apr 28, 2021

Glad this worked out for you. We've recently (ie- yesterday) moved over to using permissions on our own repositories and workflows, so we are still figuring this out ourselves.

It sounds like the best solution here is to update the documentation.

@aeisenberg
Copy link
Contributor

@aeisenberg aeisenberg commented Apr 28, 2021

It's possible that you will also need the: actions: read permission. Some code flows will make requests to introspect the current workflow and this permission is needed. So, if you get any more failures, try adding that permission as well.

charleskorn added a commit to batect/abacus that referenced this issue May 11, 2021
samth added a commit to racket/racket that referenced this issue May 12, 2021
maueroats pushed a commit to maueroats/racket that referenced this issue Jun 17, 2021
maueroats pushed a commit to maueroats/racket that referenced this issue Jun 17, 2021
NicolasT added a commit to scality/changelog-binder that referenced this issue Jun 23, 2021
Hopefully this fixes the CI actions on the `main`/`master` branches.

See: github/codeql-action#464
See: https://github.com/scality/changelog-binder/runs/2896442908?check_suite_focus=true
See: #29
NicolasT added a commit to scality/changelog-binder that referenced this issue Jun 23, 2021
Hopefully this fixes the CI actions on the `main`/`master` branches.

See: github/codeql-action#464
See: https://github.com/scality/changelog-binder/runs/2896442908?check_suite_focus=true
See: #29
potiuk added a commit to potiuk/airflow that referenced this issue Jun 25, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.
potiuk added a commit to apache/airflow that referenced this issue Jun 25, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.
yuqian90 added a commit to yuqian90/airflow that referenced this issue Jun 26, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants