Trying to test add a label in a github action on an approve review, fails to add the label due to permissions #598

Unanswered
davidradl asked this question in Q&A

I am using

```yaml
on:
  pull_request_review:
jobs:
  PR-auto-approve:
    runs-on: ubuntu-latest
    permissions: write-all
    #environment: mine
    steps:
      - uses: actions/github-script@v5
        with:
          #github-token: ${{ secrets.MY_PAT }}
          script: |
            if (context.payload.review.state == 'approved') {
              github.rest.issues.addLabels({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                labels: ['David123']
              });
            }
```

I see error:

```
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/actions/github-script/v5/dist/index.js:4560:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/davidradl/Git-action-test/issues/7/labels',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Fri, 09 May 2025 16:06:48 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'issues=write; pull_requests=write',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3',
      'x-github-request-id': '1C41:2AB6EE:1B3096:366C6F:681E2818',
      'x-ratelimit-limit': '5000',
      'x-ratelimit-remaining': '4996',
      'x-ratelimit-reset': '1746807651',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '4',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/issues/labels#add-labels-to-an-issue',
      status: '403'
    }
  },
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/davidradl/Git-action-test/issues/7/labels',
    headers: {
      accept: 'application/vnd.github.-preview+json',
      'user-agent': 'actions/github-script octokit-core.js/3.5.1 Node.js/20.19.0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"labels":["David123"]}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}
Error: Unhandled error: HttpError: Resource not accessible by integration
```

I notice a similar discussion around the PR request #490

I am not sure whether the write permissions are ignored for pull_request_review as well - as the GITHUB TOKEN being used does not have permission to issue the call.

This is a PR that comes from a fork and is being reviewed.

I can add a label using the equivalent POST mentioned in the error using curl using my PAT. I tried adding my PAT as a secret in the repo and in an environment - but the secret PAT does not seem to be picked up and it says "Input required and not supplied: github-token".


Replies: 1 comment 8 replies


> This is a PR that comes from a fork and is being reviewed.

If the pull request is from a fork, the permissions on the Actions GITHUB_TOKEN will be read only.

@joshmgross

Is "review time" different from the time when a PR is opened?

@davidradl

@joshmgross Yes I believe so, but ideally I would want to be able to list the PRs sorted by review time. I am not sure I can easily do that at the moment, maybe through graphql.

I am thinking that I

  1. run a git action with
```yaml
on:
  pull_request_review:
```
  1. Checkout
  2. Create a file with the PR number / time. This would be similar to running a build and then caching the results.
  3. Either upload as an artifact or store in a cache.
  4. Then have a second git action with write permission pick up the artifact or cache content and query collaborator roles and add labels for any PR in the list. It may need to cache or store an artifact to track which times have been processed. The second git action would be run like boring-cyborg, but I was thinking of implementing it in bash / github-script if I can get away with it.

WDYT?

@joshmgross

That definitely sounds feasible, let me know how it goes!

@davidradl

Hi @joshmgross, unfortunately the cache in the above case gets written to refs/pull/7/merge. So is not in a branch, as such the cron github action does not have access to it!

I think the only way I can do this is to write a cron job that does a graphql for all open prs with reviews, we have less than 200 - as we use the stalebot to keep the numbers down. Then look into each PR and see whether a recent review has been done (within the cron period ish) and then process those to add the label.

I really wanted to use a trigger in some way to limit what we need to process, but it seems there is no way to do this currently with forked repos. If I am missing something, that would allow me to run with a triggered approach - that would be great to hear.
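The selection step of the cron approach described in the comment above, as an added example that is not part of the original discussion or of actions/github-script: given open PRs with their reviews, it returns the PR numbers that should receive the label. The function name, the trusted-association policy and the input shape (modelled on the GraphQL review fields `state`, `submittedAt` and `authorAssociation`) are assumptions, and the sample data is constructed.

```javascript
// Reviewer associations allowed to trigger the label (assumed policy).
const TRUSTED = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);
// States that count as a decision; a later COMMENTED review does not replace an approval.
const DECISIVE = new Set(['APPROVED', 'CHANGES_REQUESTED', 'DISMISSED']);

// prs: [{ number, labels: [name], reviews: [{ author, authorAssociation, state, submittedAt }] }]
function selectPrsToLabel(prs, label, now, windowMs) {
  const until = now.getTime();
  const since = until - windowMs;
  const selected = [];
  for (const pr of prs) {
    if (pr.labels.includes(label)) continue; // already labelled on an earlier run
    const latest = new Map(); // reviewer -> most recent decisive review
    for (const r of pr.reviews) {
      if (!DECISIVE.has(r.state)) continue;
      const prev = latest.get(r.author);
      if (!prev || Date.parse(r.submittedAt) > Date.parse(prev.submittedAt)) latest.set(r.author, r);
    }
    const approved = [...latest.values()].some((r) => {
      const t = Date.parse(r.submittedAt);
      return r.state === 'APPROVED' && TRUSTED.has(r.authorAssociation) && t >= since && t <= until;
    });
    if (approved) selected.push(pr.number);
  }
  return selected;
}

// Constructed sample data, not taken from any real repository.
const SAMPLE_NOW = new Date('2025-05-09T17:00:00Z');
const rev = (author, authorAssociation, state, submittedAt) => ({ author, authorAssociation, state, submittedAt });
const SAMPLE_PRS = [
  { number: 7, labels: [], reviews: [rev('alice', 'COLLABORATOR', 'APPROVED', '2025-05-09T16:30:00Z')] },
  // Approval from someone without a trusted association.
  { number: 8, labels: [], reviews: [rev('carol', 'CONTRIBUTOR', 'APPROVED', '2025-05-09T16:40:00Z')] },
  // Approval later replaced by a change request from the same reviewer.
  { number: 9, labels: [], reviews: [rev('bob', 'MEMBER', 'APPROVED', '2025-05-09T16:10:00Z'),
    rev('bob', 'MEMBER', 'CHANGES_REQUESTED', '2025-05-09T16:20:00Z')] },
  // Already carries the label.
  { number: 10, labels: ['David123'], reviews: [rev('alice', 'OWNER', 'APPROVED', '2025-05-09T16:50:00Z')] },
  // Approved before the one-hour window.
  { number: 11, labels: [], reviews: [rev('alice', 'OWNER', 'APPROVED', '2025-05-08T09:00:00Z')] },
];

console.log(selectPrsToLabel(SAMPLE_PRS, 'David123', SAMPLE_NOW, 60 * 60 * 1000));
```

In a scheduled workflow, each returned number would be passed as `issue_number` to `github.rest.issues.addLabels`, as in the script in the question.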

@davidradl

I am going to see if artefacts have the same restrictions as the cache as well.
