Error: Resource not accessible by integration #276

Open
ssbarnea opened this issue Jan 5, 2023 · 6 comments

ssbarnea commented Jan 5, 2023

I am getting Error: Resource not accessible by integration while using this action and I have no idea what is causing it.

Example: https://github.com/ansible-community/molecule/actions/runs/3842360113/jobs/6543589185

The body of the action can be seen at https://github.com/ansible/devtools/blob/main/.github/workflows/ack.yml#L57-L61

The reason why this is in a different repository is because I use a reusable github action.

Before saying that this might not have the required access to editing the PR, take a look at previous action which is auto-approve-review, which runs successfully. So basically only this one is affected.

Any ideas about what can cause that?

@alexwilson
Owner

Hey, I think this is caused by: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/ - and so the answer should be in #18. Can you confirm if you're using the default token, or injecting one into the workflow @ssbarnea?

@alexwilson alexwilson self-assigned this Jan 25, 2023

lcarva commented Jan 30, 2023

I'm still hitting this with the following:

```yaml
---
name: Enable auto-merge
"on":
  pull_request_target:
    types:
      - opened
      - reopened
    branches:
      - main
jobs:
  enable-auto-merge:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'my-super-duper-bot'
    steps:
      - uses: alexwilson/enable-github-automerge-action@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Presumably, this is because the workflow is getting triggered on opened and reopened which are not a "trusted event" like labeled?

If so, what's the workaround in this case? Maybe a personal access token is the only way forward.


lcarva commented Jan 30, 2023

Actually, this seems to have worked after changing Settings > Actions > General > Workflow permissions from "read" to "read+write".

@alexwilson
Owner

I think you've hit the nail on the head and that this is another change with GitHub's permissions, but can't substantiate that because there's no changelog: I'll update the documentation in the coming days (unless you would prefer to contribute something!)


lcarva commented Jun 29, 2023

I'm hitting this again today and I think it's because I've updated my workflow and job to be explicit about which permissions it needs:

```yaml
---
name: Enable auto-merge
"on":
  pull_request_target:
    types:
      - opened
      - reopened
    branches:
      - main

# This is new
permissions:
  pull-requests: read

jobs:
  enable-auto-merge:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'rh-tap-build-team[bot]'
    # This is also new
    permissions:
      pull-requests: write
    steps:
      - uses: alexwilson/enable-github-automerge-action@253948b2e2433d985bbbebe7887ca347e1e1b1ec # main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Any idea what the full set of permissions are?


lcarva commented Jun 29, 2023

After some trial and error, it looks like the action requires contents: write instead of pull-requests: write. I guess enabling automerge falls into this category.
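
The two failures reported in this thread follow from how `GITHUB_TOKEN` scopes are resolved for a job. The sketch below is an added example, not part of the thread and not the action's own code: it models that resolution for the workflows posted above, which are represented as constructed Python dicts. The `contents: write` requirement is an assumption taken from the last comment's trial and error, and the names `granted` and `missing_scopes` are hypothetical.

```python
# Added example: the workflows are constructed dicts mirroring the YAML in the thread.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Assumption from the thread's last comment (trial and error, not documentation):
# the automerge action needs contents: write.
REQUIRED = {"contents": "write"}

# Repository defaults (Settings > Actions > General > Workflow permissions),
# reduced to the two scopes the thread discusses.
RESTRICTED = {"contents": "read", "pull-requests": "none"}
PERMISSIVE = {"contents": "write", "pull-requests": "write"}

JOB = "enable-auto-merge"
JAN_2023 = {"jobs": {JOB: {}}}  # no permissions block anywhere
JUN_2023 = {
    "permissions": {"pull-requests": "read"},
    "jobs": {JOB: {"permissions": {"pull-requests": "write"}}},
}
FIXED = {
    "permissions": {"pull-requests": "read"},
    "jobs": {JOB: {"permissions": {"contents": "write"}}},
}


def granted(workflow, job, scope, repo_default):
    """Level the job's GITHUB_TOKEN gets for one scope."""
    # A job-level block replaces the workflow-level block; the two are not merged.
    block = workflow["jobs"][job].get("permissions", workflow.get("permissions"))
    if block is None:
        return repo_default.get(scope, "none")  # no block: repository default applies
    if isinstance(block, str):  # shorthand forms read-all / write-all
        return {"read-all": "read", "write-all": "write"}[block]
    return block.get(scope, "none")  # once a block exists, unlisted scopes are none


def missing_scopes(workflow, job, repo_default, required=REQUIRED):
    """Map each under-granted scope to (granted, required)."""
    gaps = {}
    for scope, need in required.items():
        have = granted(workflow, job, scope, repo_default)
        if LEVELS[have] < LEVELS[need]:
            gaps[scope] = (have, need)
    return gaps


if __name__ == "__main__":
    for name, wf, default in [("Jan 2023, restricted default", JAN_2023, RESTRICTED),
                              ("Jun 2023, explicit block", JUN_2023, PERMISSIVE),
                              ("contents: write at job level", FIXED, RESTRICTED)]:
        print(name, "->", missing_scopes(wf, JOB, default) or "ok")
```

With an explicit job-level block the repository-wide setting no longer matters, so the job can carry `contents: write` while the repository default stays restricted.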
