githubv4.Query: Resource not accessible by integration #856
Comments
Thanks for the report. I can reproduce this on my end. Seems like switching on specific branch-protection settings (like |
It happens for https://github.com/WeblateOrg/weblate/ as well, the only branch protection we have enabled is "Require status checks to pass before merging". Failing workflow run: https://github.com/WeblateOrg/weblate/runs/8262284657 PS: It also started to happen with upgrade to version 2. |
Not adding additional noise, but happens in https://github.com/dirien/minectl-sdk too. https://github.com/dirien/minectl-sdk/runs/8267086312?check_suite_focus=true Only change is the update to 2.0.0. |
I compared the output from cosign (ping @cpanato) and mine, and see the following difference with the same pipeline file:
cosign:
Repository: sigstore/cosign
Fork repository: false
Private repository: false
Publication enabled: false
Format: json
Policy file:
Default branch: main
Using payload from: results.json
the failed one:
Private repository: false
Publication enabled: false
Format: sarif
Policy file: /policy.yml
Default branch: main
Error: one or more checks had a runtime error: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
2022/09/09 09:35:31 error during command execution: one or more checks had a runtime error: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Why is there a /policy.yaml? |
Found the issue - seems to have started after we upgraded to scorecard from v4.5.0 -> v4.6.0. Confirmed that #894 fixes this. Will cut a release for v2.0.1 with this PR to fix the breakages while I investigate the real issue. |
@azeemshaikh38 I think the root cause is due to this line When Scorecard is run with the You can search for this string |
fyi - https://github.com/ossf/scorecard-action/releases/tag/v2.0.1 @varunsh-coder - good point, I think that's it. Will look into it. |
Strange that the policy file is not set for the cosign repo. This should be set, otherwise we will be reporting results in the scanning dashboard that we should not. |
Works for me now! https://github.com/dirien/minectl-sdk/runs/8274045473?check_suite_focus=true @laurentsimon the policy.yaml is now also no longer set, like cosign!
Repository: dirien/minectl-sdk
Fork repository: false
Private repository: false
Publication enabled: false
Format: json
Policy file:
Default branch: main
Using payload from: results.json
Generating ephemeral keys... |
Yes, I made the change as part of ossf/scorecard#2124, unaware it would spill over to scorecard-action. Fixing it would probably involve using a specific error here that we check for using |
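The approach sketched in the comment above (a specific error for the permissions case, checked with `errors.Is`), written out as an added example; this is not Scorecard's own code, and `ErrInsufficientPermissions`, `classifyQueryError` and `setupBranches` are hypothetical names. The query is stubbed with a function value so the block runs offline without the githubv4 client.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInsufficientPermissions is a hypothetical sentinel: the token can reach
// the API but lacks the permission this particular query needs.
var ErrInsufficientPermissions = errors.New("insufficient token permissions")

// classifyQueryError wraps a GraphQL client error so callers can tell a
// permissions problem apart from a genuine runtime error. The matched text is
// what the GitHub API returns for a GITHUB_TOKEN without the needed scope, as
// quoted in the failing workflow runs above.
func classifyQueryError(err error) error {
	if err == nil {
		return nil
	}
	if strings.Contains(err.Error(), "Resource not accessible by integration") {
		return fmt.Errorf("%w: %v", ErrInsufficientPermissions, err)
	}
	return fmt.Errorf("internal error: %w", err)
}

type branchProtection struct {
	Known                bool // false when the data could not be read
	RequiredStatusChecks bool
}

// setupBranches mimics a handler that queries branch protection. A permissions
// failure yields "unknown" data instead of failing the whole run; any other
// error is still fatal, so real bugs are not silently swallowed.
func setupBranches(query func() (bool, error)) (branchProtection, error) {
	checks, err := query()
	if err == nil {
		return branchProtection{Known: true, RequiredStatusChecks: checks}, nil
	}
	err = classifyQueryError(err)
	if errors.Is(err, ErrInsufficientPermissions) {
		return branchProtection{Known: false}, nil
	}
	return branchProtection{}, err
}

func main() {
	// Constructed sample: the error string seen in the issue.
	bp, err := setupBranches(func() (bool, error) {
		return false, errors.New("githubv4.Query: Resource not accessible by integration")
	})
	fmt.Printf("known=%v err=%v\n", bp.Known, err)
}
```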
Sounds like a plan. Let's also add some e2e tests to catch these moving forward. |
Not fixed quite yet. |
This is still an issue when creating an action using "Code scanning alerts" within the GitHub web interface, e.g. https://github.com/konstruktoid/hardening/blob/6149f73c708347911362d147cd099d2382b2bc43/.github/workflows/scorecards.yml#L33. |
actions/starter-workflows#1746 should fix this. |
Yeah, looks good @azeemshaikh38 |
ref ossf/scorecard-action#856
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
I am curious when the next release is planned for scorecard, so that the scorecard-action can be updated. Thanks! |
@varunsh-coder, |
Yes. v2.0.3 should work. And now that #948 is merged, future releases will use a different fix. |
I tried using the latest commit @spencerschrock did you also need to update the |
Yes, there should be a proper v2.0.4 tag soon. There's a bit of a chicken-and-egg problem in the release procedure, you can read more here
It's done as part of the cloudbuild workflows. There are two, but the tagged releases are handled by https://github.com/ossf/scorecard-action/blob/main/cloudbuild-tag.yaml |
I still get this same error on my organization's private repository:
Here are "GITHUB_TOKEN Permissions":
What should I do? |
Here is the query that's failing which is a good starting point for what permissions the Scorecard Action may need. Skimming through this and the permissions list, I would expect you may also need to add:
Although I suspect there will be more |
@spencerschrock This works, thank you! |
I'm using the default GitHub Action workflow, though with tags instead of commit hashes in https://github.com/brave/simplepadding/blob/master/.github/workflows/scorecards.yml and I'm seeing this error now that I've upgraded to v2:
Is there a permission missing from the example workflow?
I see it's also been reported in ossf/scorecard#1097, but I'm not sure I'm seeing the same issue since it was working fine before I upgraded from v1.1.2 to v2.