GitHub Actions - Resource not accessible by integration

GitHub Actions - Resource not accessible by integration

ยท

2 min read

This post will hopefully help anyone searching for the following error.

RequestError [HttpError]: Resource not accessible by integration
    at /__w/_actions/actions/github-script/v3.1.0/dist/index.js:2137:23
    at processTicksAndRejections (internal/process/task_queues.js:97:5) {
Error: Unhandled error: HttpError: Resource not accessible by integration
  status: 403

Solution

If you need to fetch an OIDC token for a workflow, then the permission can be set at the workflow level. For example:

permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout

If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example:

permissions:
  id-token: write # This is required for requesting the JWT

Depending on your workflow's requirements, you may need to specify additional permissions here.

Background Configuration

I've got a pretty simple inline bit of GitHub script in a workflow that will update the target Pull Request with the output of a Terraform plan.

- name: Update Pull Request
uses: actions/github-script@v3.1.0
if: github.event_name == 'pull_request'
with:
  github-token: ${{ secrets.GITHUB_TOKEN }}
  script: |
    const output = `${ "${{ steps.terraform_fmt.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Format and Style ๐Ÿ–Œ
    ${ "${{ steps.terraform_init.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Initialization โš™๏ธ
    ${ "${{ steps.terraform_plan.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Plan ๐Ÿ“–
    ${ "${{ steps.terraform_validate.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Validation ๐Ÿค–

    *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;

    github.issues.createComment({
      issue_number: context.issue.number,
      owner: context.repo.owner,
      repo: context.repo.repo,
      body: output
    })

All was working fine until I started to work with an OIDC integration with our GitHub Enterprise Instance.

As you can see in the above code, we inject the standard GitHub token that is available to the action workflow. More information on what it does is available in the official doc here.

However, when you start to work with OIDC, it is necessary to configure some specific permissions within the workflow as follows:-

permissions:
  id-token: write
  contents: read

Due to my setting this, I had unknowingly removed the necessary access from the default GitHub token.

The fix was to add the necessary permissions for issues & pull requests as follows:-

permissions:
  id-token: write
  contents: read
  issues: write
  pull-requests: write

Summary I scratched my head until I found a reference in an issue, hence the write-up.

The official documentation here shows a complete list of all the available permissions and their defaults.

I hope this helps someone else!

Cheers

Did you find this article valuable?

Support Stephen Jones by becoming a sponsor. Any amount is appreciated!

ย