This post will hopefully help anyone searching for the following error.
RequestError [HttpError]: Resource not accessible by integration
    at /__w/_actions/actions/github-script/v3.1.0/dist/index.js:2137:23
    at processTicksAndRejections (internal/process/task_queues.js:97:5) {
Error: Unhandled error: HttpError: Resource not accessible by integration
  status: 403
Solution
If you need to fetch an OIDC token for a workflow, then the permission can be set at the workflow level. For example:
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout
If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example:
permissions:
  id-token: write # This is required for requesting the JWT
Depending on your workflow's requirements, you may need to specify additional permissions here.
Background Configuration
I've got a pretty simple inline bit of GitHub script in a workflow that will update the target Pull Request with the output of a Terraform plan.
- name: Update Pull Request
  uses: actions/github-script@v3.1.0
  if: github.event_name == 'pull_request'
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    script: |
      // Build a status line per Terraform step from the step outcomes.
      const output = `${ "${{ steps.terraform_fmt.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Format and Style 🖌
      ${ "${{ steps.terraform_init.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Initialization ⚙️
      ${ "${{ steps.terraform_plan.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Plan 📖
      ${ "${{ steps.terraform_validate.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Validation 🤖
      *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
      // Await the API call so a rejected request fails the step.
      await github.issues.createComment({
        issue_number: context.issue.number,
        owner: context.repo.owner,
        repo: context.repo.repo,
        body: output
      })
All was working fine until I started to work with an OIDC integration with our GitHub Enterprise instance.
As you can see in the above code, we inject the standard GitHub token that is available to the action workflow. More information on what it does is available in the official doc here.
However, when you start to work with OIDC, it is necessary to configure some specific permissions within the workflow as follows:
permissions:
  id-token: write
  contents: read
By setting this, I had unknowingly removed the necessary access from the default GitHub token: a `permissions` block replaces the token's default grant rather than adding to it, so every scope not listed (including `issues` and `pull-requests`) becomes `none`.
The fix was to add the necessary permissions for issues and pull requests as follows:
permissions:
  id-token: write
  contents: read
  issues: write
  pull-requests: write
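To make the "replace, not merge" rule concrete, here is an added example (not code from the original post) that computes the scopes a job's GITHUB_TOKEN actually ends up with and lists the write scopes a `permissions` block silently drops. The workflows are constructed Python dicts mirroring the YAML above, and `DEFAULT_GRANT` is an assumption (the permissive default); a repository can be configured to default to read-only instead.

```python
"""Effective GITHUB_TOKEN scopes for one job under the GitHub Actions rule:
once any permissions block applies (job-level wins over workflow-level),
every scope it does not list becomes "none"."""

SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")

# Assumed permissive default grant: everything writable except id-token,
# which is never issued unless requested explicitly.
DEFAULT_GRANT = dict.fromkeys(SCOPES, "write")
DEFAULT_GRANT["id-token"] = "none"


def effective_permissions(workflow, job_name):
    """Return {scope: level} for the job; a block replaces, never merges."""
    job = workflow["jobs"][job_name]
    block = job.get("permissions", workflow.get("permissions"))
    if block is None:                      # no block anywhere: default grant
        return dict(DEFAULT_GRANT)
    return {s: block.get(s, "none") for s in SCOPES}


def lost_write_scopes(workflow, job_name):
    """Scopes writable by default that the job can no longer write to."""
    perms = effective_permissions(workflow, job_name)
    return sorted(s for s in SCOPES
                  if DEFAULT_GRANT[s] == "write" and perms[s] != "write")


# Constructed workflow mirroring the post's first, failing configuration.
BROKEN = {"permissions": {"id-token": "write", "contents": "read"},
          "jobs": {"plan": {"steps": [{"uses": "actions/github-script@v3.1.0"}]}}}

# Constructed workflow mirroring the post's fix.
FIXED = {"permissions": {"id-token": "write", "contents": "read",
                         "issues": "write", "pull-requests": "write"},
         "jobs": {"plan": {"steps": [{"uses": "actions/github-script@v3.1.0"}]}}}

if __name__ == "__main__":
    print("broken job lost write on:", lost_write_scopes(BROKEN, "plan"))
    print("fixed job lost write on: ", lost_write_scopes(FIXED, "plan"))
```

Run it against your own workflow to see which scopes a job-level block strips; a job-level `permissions` block discards the workflow-level one entirely, so the same check applies per job.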
Summary
I scratched my head until I found a reference in an issue, hence the write-up.
The official documentation here shows a complete list of all the available permissions and their defaults.
I hope this helps someone else!
Cheers