GitHub Actions - Resource not accessible by integration

GitHub Actions
Photo by Richy Great / Unsplash

This post will hopefully help anyone searching for the following error.

RequestError [HttpError]: Resource not accessible by integration
    at /__w/_actions/actions/github-script/v3.1.0/dist/index.js:2137:23
    at processTicksAndRejections (internal/process/task_queues.js:97:5) {
Error: Unhandled error: HttpError: Resource not accessible by integration
  status: 403

I've got a pretty simple inline bit of GitHub script in a workflow that will update the target Pull Request with the output of a Terraform plan.

- name: Update Pull Request
uses: actions/github-script@v3.1.0
if: github.event_name == 'pull_request'
  github-token: ${{ secrets.GITHUB_TOKEN }}
  script: |
    const output = `${ "${{ steps.terraform_fmt.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Format and Style 🖌
    ${ "${{ steps.terraform_init.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Initialization ⚙️
    ${ "${{ steps.terraform_plan.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Plan 📖
    ${ "${{ steps.terraform_validate.outcome }}" == "success" ? "\u2714" : "\u274c" } Terraform Validation 🤖

    *Pusher: @${{ }}, Action: \`${{ github.event_name }}\`*`;

      issue_number: context.issue.number,
      owner: context.repo.owner,
      repo: context.repo.repo,
      body: output

All was working fine until I started to work with an OIDC integration with our GitHub Enterprise Instance.

As you can see in the above code, we inject the standard GitHub token that is available to the action workflow. More information on what it does is available in the official doc here.

However, when you start to work with OIDC, it is necessary to configure some specific permissions within the workflow as follows:-

  id-token: write
  contents: read

Due to my setting this, I had unknowingly removed the necessary access from the default GitHub token.

The fix was to add the necessary permissions for issues & pull requests as follows:-

  id-token: write
  contents: read
  issues: write
  pull-requests: write


I scratched my head on this one until I found a reference in an issue, hence the write-up.

The official documentation here shows a complete list of all the available permissions and their defaults.

I hope this helps someone else!