
bug: error in the Comment on PR phase #43

Open
awmleer opened this issue Oct 28, 2021 · 3 comments

Comments


awmleer commented Oct 28, 2021

Bug description

I'm getting this error in this github action:

Error: Resource not accessible by integration
  Warning: HttpError: Resource not accessible by integration
      at /home/runner/work/_actions/pkg-size/action/v1/dist/index.js:2990:27
      at processTicksAndRejections (internal/process/task_queues.js:93:5)
      at async to (/home/runner/work/_actions/pkg-size/action/v1/dist/index.js:4591:9)
      at async /home/runner/work/_actions/pkg-size/action/v1/dist/index.js:7912:9

Reproduction steps

The github action log is here:
https://github.com/ant-design/ant-design-mobile/runs/4029511668?check_suite_focus=true

And the related workflow config is here:
https://github.com/ant-design/ant-design-mobile/blob/master/.github/workflows/bundle-size.yml

Environment

  • pkg-size-action version: v1
  • Operating System: ubuntu-18.04
  • Node version: 14
privatenumber (Member) commented Oct 28, 2021

Thanks for the report and for using pkg-size!

I did some Googling for that error message and they all seem to point at a lack of permissions in the token.

Seems this is happening because it was executed via fork as per this security change: announcement, docs

The permissions for the GITHUB_TOKEN in forked repositories are read-only.

There doesn't seem to be an option to further specify allowing comments.

To work around:

  • You can use a Personal Access Token (PAT) and add that to Secrets. The caveat is that the report will be posted by the account that owns the PAT.
  • I'm reading pull_request_target has read + write permissions so it's possible to use that instead of pull_request, but it seems to run in the base context which I haven't tested yet.

awmleer (Author) commented Oct 29, 2021

Thanks for replying!

The pull_request_target trigger is in the BASE context. If we checkout the HEAD commit, the PR author may inject some malicious code into the "build" script in package.json, which will be executed by this github action. This is dangerous since the PR author can use the GITHUB_TOKEN with write access to run any script. Here is an official guideline: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

As for the Personal Access Token, it seems to have the same security issue.

The guideline above mentioned a recommended solution: split the action into two parts. One for building, collecting package size data and uploading the result (using the pull_request trigger). And the other for downloading the result and commenting on the PR (using the pull_request_target trigger).

privatenumber (Member) commented

This seems like a common problem: https://github.community/t/token-permissions-for-forks-once-again/16468/6

It doesn't seem like there's a workaround to post comments from a fork.

I wonder if workflow_dispatch can be used to manually trigger the action on approved PRs.

(FWIW since you seem to be security conscious, in general, using any 3rd party GitHub Action via tag is insecure.)
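As an added example (not from this issue and not the pkg-size project's own code), here is the two-workflow split that awmleer's comment describes, written the way the linked GitHub Security Lab article lays it out: the privileged half is triggered by `workflow_run` rather than `pull_request_target`, so it starts only after the unprivileged run has finished and uploaded its artifact, and it still executes in the base repository's context with a write-capable GITHUB_TOKEN. It also applies the pinning advice from the last comment: every third-party action is referenced by a full commit SHA instead of a mutable tag. The workflow filenames, the `dist/` build output directory, the artifact layout and the `<full-commit-sha>` placeholders are assumptions; replace each placeholder with the SHA of the action release you audited.

```yaml
# .github/workflows/pkg-size-build.yml   (assumed filename)
# Unprivileged half: runs in the PR head's context with a read-only
# GITHUB_TOKEN, so executing the PR's own build script here is acceptable.
name: pkg-size-build
on:
  pull_request:

permissions:
  contents: read

jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      # Pin actions to a full commit SHA, not a tag; <full-commit-sha> is a placeholder.
      - uses: actions/checkout@<full-commit-sha>
      - uses: actions/setup-node@<full-commit-sha>
        with:
          node-version: 14
      - run: npm ci
      # Untrusted code from the PR runs here, but only with read-only permissions.
      - run: npm run build
      # Record the measurement and the PR number as plain text files (dist/ is assumed).
      - run: |
          mkdir -p report
          du -sb dist | cut -f1 > report/size-bytes.txt
          echo "${{ github.event.number }}" > report/pr-number.txt
      - uses: actions/upload-artifact@<full-commit-sha>
        with:
          name: pkg-size-report
          path: report/
---
# .github/workflows/pkg-size-comment.yml   (assumed filename)
# Privileged half: runs in the base repository's context after the build
# workflow completes. It never checks out or executes anything from the PR;
# it only reads the artifact and treats its contents as untrusted data.
name: pkg-size-comment
on:
  workflow_run:
    workflows: ["pkg-size-build"]
    types: [completed]

permissions:
  pull-requests: write

jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - name: Download the report artifact from the triggering run
        uses: actions/github-script@<full-commit-sha>   # v5 or later (github.rest.*)
        with:
          script: |
            const fs = require('fs');
            const run_id = context.payload.workflow_run.id;
            const { data } = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner, repo: context.repo.repo, run_id,
            });
            const artifact = data.artifacts.find(a => a.name === 'pkg-size-report');
            if (!artifact) throw new Error('pkg-size-report artifact not found');
            const zip = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner, repo: context.repo.repo,
              artifact_id: artifact.id, archive_format: 'zip',
            });
            fs.writeFileSync('report.zip', Buffer.from(zip.data));
      - run: unzip -o report.zip -d report
      - name: Validate the report and post the comment
        uses: actions/github-script@<full-commit-sha>
        with:
          script: |
            const fs = require('fs');
            // The artifact was produced by an untrusted run: accept only plain integers,
            // never interpolate its raw contents into anything that is executed.
            const readInt = (name) => {
              const v = fs.readFileSync(`report/${name}`, 'utf8').trim();
              if (!/^\d{1,12}$/.test(v)) throw new Error(`unexpected content in ${name}`);
              return Number(v);
            };
            const bytes = readInt('size-bytes.txt');
            const pr = readInt('pr-number.txt');
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: pr,
              body: `Bundle size of \`dist/\`: ${bytes} bytes (measured in run ${context.payload.workflow_run.id}).`,
            });
```

The split keeps the write-capable token out of any job that runs code chosen by the PR author. The privileged job's attack surface is reduced to the artifact it downloads, which is why the second step validates both files as bare integers before using them; the worst a malicious fork can then achieve is a comment carrying a bogus number, not arbitrary code running with write access.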
