Trying to test add a label in a github action on an approve review, fails to add the label due to permissions #598

Unanswered
davidradl asked this question in Q&A

I am using

```yaml
on:
  pull_request_review:
jobs:
  PR-auto-approve:
    runs-on: ubuntu-latest
    permissions: write-all
    #environment: mine
    steps:
      - uses: actions/github-script@v5
        with:
          #github-token: ${{ secrets.MY_PAT }}
          script: |
            if (context.payload.review.state == 'approved') {
              github.rest.issues.addLabels({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                labels: ['David123']
              });
            }
```

I see error:

```
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/actions/github-script/v5/dist/index.js:4560:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/davidradl/Git-action-test/issues/7/labels',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Fri, 09 May 2025 16:06:48 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'issues=write; pull_requests=write',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3',
      'x-github-request-id': '1C41:2AB6EE:1B3096:366C6F:681E2818',
      'x-ratelimit-limit': '5000',
      'x-ratelimit-remaining': '4996',
      'x-ratelimit-reset': '1746807651',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '4',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/issues/labels#add-labels-to-an-issue',
      status: '403'
    }
  },
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/davidradl/Git-action-test/issues/7/labels',
    headers: {
      accept: 'application/vnd.github.-preview+json',
      'user-agent': 'actions/github-script octokit-core.js/3.5.1 Node.js/20.19.0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"labels":["David123"]}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}
Error: Unhandled error: HttpError: Resource not accessible by integration
```

I notice a similar discussion around the PR request: #490

I am not sure whether the write permissions are ignored for `pull_request_review` as well, as the `GITHUB_TOKEN` being used does not have permission to issue the call.

This is a PR that comes from a fork and is being reviewed.

I can add a label using the equivalent POST mentioned in the error using curl using my PAT. I tried adding my PAT as a secret in the repo and in an environment - but the secret PAT does not seem to be picked up and it says "Input required and not supplied: github-token".


> This is a PR that comes from a fork and is being reviewed.

If the pull request is from a fork, the permissions on the Actions `GITHUB_TOKEN` will be read only.

@davidradl

@joshmgross thanks for your answer.

A usual way we work in Apache Flink is that everyone has a fork of Flink; they then create a PR that will move the code from their fork to the master branch. I want to be able to add a label at review time of this PR in a github action.

I can see the stale github action polling all PRs and adding labels, but this polling and caching seems overkill when I want to do the action at review time. What options do you see for me to do this?

@joshmgross

`pull_request_target` could be an option as it will have write access, but you need to be very aware of the security risks and be wary of any interactions with the untrusted code from the fork.

https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target
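An added example (not code from this thread or from the actions/github-script project) of what the `pull_request_target` route looks like when it is kept to least privilege: the workflow file name and the label `David123` (reused from the question) are assumptions. Two things make it safe enough to run for fork PRs: the job asks only for `pull-requests: write`, which is one of the two scopes the 403 above lists in `x-accepted-github-permissions`, and it never checks out or executes anything from the fork. Note that `pull_request_target` has no review activity type, so this fires when the PR is opened or updated, not when a review is submitted.

```yaml
# .github/workflows/label-on-open.yml  (file name is an assumption)
#
# pull_request_target runs the workflow file from the base branch with a
# write-capable GITHUB_TOKEN and access to repository secrets, even when the
# PR comes from a fork. That is exactly why it must not run fork code.
name: label-on-open

on:
  pull_request_target:
    # There is no "reviewed" activity type for pull_request_target, so this
    # labels at open/update time rather than at review time.
    types: [opened, synchronize, reopened]

# Least privilege: listing any scope here sets every unlisted scope to none.
# Adding a label needs issues=write or pull_requests=write; nothing else.
permissions:
  pull-requests: write

jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout of the PR head here. Checking out
      # ${{ github.event.pull_request.head.sha }} and then building, testing
      # or running scripts from it in this job would hand the fork author a
      # write token and the repository's secrets. If a checkout is ever
      # needed in a pull_request_target job, check out the base ref only.
      - uses: actions/github-script@v7
        with:
          script: |
            const pr = context.payload.pull_request;
            // Use only structured fields from the event payload. Title, body
            // and branch name are attacker-controlled for a fork PR, so they
            // must never be interpolated into a shell `run:` step.
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              labels: ['David123'],   // label name taken from the question
            });
            core.info(`labelled #${pr.number} from ${pr.head.repo.full_name}`);
```

The same workflow with `permissions: write-all` (as in the question) plus a checkout of the PR head and an `npm install` or `mvn test` step is the textbook "pwn request": the fork author's code runs with the base repository's write token. Keeping the job to API calls on payload data, with one scope, is what makes `pull_request_target` acceptable here.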

@davidradl

@joshmgross thanks a lot for the pointer. It looks like `pull_request_target` only runs on main / master. I think the only option is to run a workflow that is a cron job, similar to https://github.com/actions/stale . Do you think I have any other options?

@joshmgross

Is "review time" different from the time when a PR is opened?

@davidradl

@joshmgross Yes I believe so, but ideally I would want to be able to list the PRs sorted by review time. I am not sure I can easily do that at the moment, maybe through graphql.

I am thinking that I:

  1. run a git action with `on: pull_request_review:`
  2. Checkout
  3. Create a file with the PR number / time. This would be similar to running a build and then caching the results.
  4. Either upload as an artifact or store in a cache.
  5. Then have a second git action with write permission pick up the artifact or cache content and query collaborator roles and add labels for any PR in the list. It may need to cache or store an artifact to track which times have been processed. The second git action would be run like boring-cyborg, but I was thinking of implementing it in bash / github-script if I can get away with it.

WDYT?
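The two-workflow relay sketched above, written out as an added example that is not code from this thread, from boring-cyborg or from actions/stale. The file names, the artifact name `pr_number` and the label `David123` (from the question) are assumptions. The first workflow runs with the read-only token a fork PR gets and does nothing but record the PR number. The second is triggered by `workflow_run`, which does get a write token even when the triggering run came from a fork; that is precisely why it must treat the artifact as untrusted input. It accepts only a short decimal PR number from the artifact and then re-derives the decision from the API: it labels only if the PR carries an approval from a collaborator with write or admin permission, which is the "query collaborator roles" step in the plan.

```yaml
# --- .github/workflows/pr-review-collect.yml  (file name is an assumption) ---
# Runs in the fork PR's context with a read-only GITHUB_TOKEN and no secrets.
# Its only output is a small artifact; nothing in it is trusted downstream.
name: pr-review-collect
on:
  pull_request_review:
    types: [submitted]
permissions:
  contents: read
jobs:
  collect:
    runs-on: ubuntu-latest
    steps:
      # The PR number is an integer from the event payload, so it is safe to
      # interpolate; PR title/body/branch would not be.
      - name: Record the PR number
        run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr_number
          path: pr_number.txt
---
# --- .github/workflows/pr-review-label.yml  (file name is an assumption) ---
# workflow_run only fires for a workflow file on the default branch. It runs
# with a write-capable token regardless of where the triggering run came from.
name: pr-review-label
on:
  workflow_run:
    workflows: [pr-review-collect]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr_number
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // The artifact was produced by a run the fork author could
            // influence: accept nothing from it except a small decimal number.
            const raw = fs.readFileSync('pr_number.txt', 'utf8').trim();
            if (!/^[0-9]{1,9}$/.test(raw)) {
              core.setFailed(`artifact did not contain a PR number: ${JSON.stringify(raw.slice(0, 40))}`);
              return;
            }
            const { owner, repo } = context.repo;
            const pull_number = Number(raw);

            // Re-derive the decision from the API, not from artifact content:
            // who approved this PR, and do they have write access here?
            const reviews = await github.paginate(github.rest.pulls.listReviews, { owner, repo, pull_number });
            const approvers = [...new Set(reviews
              .filter(r => r.state === 'APPROVED' && r.user && r.user.login)
              .map(r => r.user.login))];

            for (const username of approvers) {
              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({ owner, repo, username });
              if (data.permission === 'write' || data.permission === 'admin') {
                await github.rest.issues.addLabels({ owner, repo, issue_number: pull_number, labels: ['David123'] });
                core.info(`labelled #${pull_number}: approved by ${username} (${data.permission})`);
                return;
              }
            }
            core.info(`#${pull_number}: no approval from a collaborator with write access, not labelling`);
```

Because the second workflow re-queries the reviews, a forged artifact can at worst cause a harmless API lookup on some other PR number; it cannot get a label onto a PR that has no qualifying approval. The same idea covers the "which times have been processed" concern in the plan: since the decision is recomputed from the API each time, re-running on a stale artifact is idempotent (`addLabels` on an already-labelled PR is a no-op), so no processed-list cache is needed.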
