githubv4.Query: Resource not accessible by integration #856
Comments
|
Thanks for the report. I can reproduce this on my end. Seems like switching on specific branch-protection settings (like |
|
Here are the branch protection settings I have enabled in the above repo: |
|
It happens for https://github.com/WeblateOrg/weblate/ as well, the only branch protection we have enabled is "Require status checks to pass before merging". Failing workflow run: https://github.com/WeblateOrg/weblate/runs/8262284657 PS: It also started to happen with upgrade to version 2. |
|
Not adding additional noise, but happens in https://github.com/dirien/minectl-sdk too. https://github.com/dirien/minectl-sdk/runs/8267086312?check_suite_focus=true Only change is the update to 2.0.0. |
|
I compared a the output from cosign (Ping @cpanato) and my and see following difference by same pipline file: cosign: Repository: sigstore/cosign
Fork repository: false
Private repository: false
Publication enabled: false
Format: json
Policy file:
Default branch: main
Using payload from: results.jsonthe failed one: Private repository: false
Publication enabled: false
Format: sarif
Policy file: /policy.yml
Default branch: main
Error: one or more checks had a runtime error: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
2022/09/09 09:35:31 error during command execution: one or more checks had a runtime error: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integrationWhy is there a /policy.yaml? |
|
Found the issue - seems to have started after we upgraded to scorecard from v4.5.0 -> v4.6.0. Confirmed that #894 fixes this. Will cut a release for v2.0.1 with this PR to fix the breakages while I investigate the real issue. |
|
@azeemshaikh38 I think the root cause is due to this line When Scorecard is run with the You can search for this string |
|
fyi - https://github.com/ossf/scorecard-action/releases/tag/v2.0.1 @varunsh-coder - good point, I think that's it. Will look into it. |
|
strange that the policy file is not set for the cosign repo. This should be set, otherwise we will be reporting results in the scanning dashboard that we should not. |
Works for me now! https://github.com/dirien/minectl-sdk/runs/8274045473?check_suite_focus=true @laurentsimon now I have the policy.yaml also not anymore like cosign! Repository: dirien/minectl-sdk
Fork repository: false
Private repository: false
Publication enabled: false
Format: json
Policy file:
Default branch: main
Using payload from: results.json
Generating ephemeral keys... |
Yes I made the change as part of ossf/scorecard#2124, unaware it would spill over to scorecard-action. Fixing it would probably involve using a specific error here that we check for using |
|
Sounds like a plan. Let's also add some e2e tests to catch these moving forward. |
|
Not fixed quite yet. |
|
This is still an issue when creating an action using "Code scanning alerts" within the GitHub web interface, e.g https://github.com/konstruktoid/hardening/blob/6149f73c708347911362d147cd099d2382b2bc43/.github/workflows/scorecards.yml#L33. |
actions/starter-workflows#1746 should fix this. |
|
Yeah, looks good @azeemshaikh38 |
ref ossf/scorecard-action#856 Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
I am curious when is the next release planned for scorecard? So that the scorecard-action can be updated. Thanks! |
|
@varunsh-coder, |
|
Yes. v2.0.3 should work. And now that #948 is merged, future releases will use a different fix. |
|
I tried using the latest commit @spencerschrock did you also need to update the |
Yes, there should be a proper v2.0.4 tag soon. There's a bit of a chicken-and-egg problem in the release procedure, you can read more here
It's done as part of the cloudbuild workflows. There are two, but the tagged releases are handled by https://github.com/ossf/scorecard-action/blob/main/cloudbuild-tag.yaml |
|
I still get this same error on my organization's private repository: Here are "GITHUB_TOKEN Permissions": What should I do? |
Here is the query that's failing which is a good starting point for what permissions the Scorecard Action may need. Skimming through this and the permissions list, I would expect you may also need to add:
Although I suspect there will be more |
|
@spencerschrock This works, thank you! |
I'm using the default GitHub Action workflow, though with tags instead of commit hashes in https://github.com/brave/simplepadding/blob/master/.github/workflows/scorecards.yml and I'm seeing this error now that I've upgraded to v2:
Is there a permission missing from the example workflow?
I see it's also been reported in ossf/scorecard#1097, but I'm not sure I'm seeing the same issue since it was working fine before I upgraded from v1.1.2 to v2.
The text was updated successfully, but these errors were encountered: