Resource not accessible by integration

[leonard-henriquez]

Issue workflow progress

Progress of the issue based on the
Contributor Workflow

• 1. The issue provides a reproduction available on GitHub, Stackblitz or CodeSandbox

  Make sure to fork this template and run pnpm generate in the terminal.

  Please make sure the Codegen and plugins version under package.json matches yours.

• 2. A failing test has been provided
• 3. A local solution has been provided
• 4. A pull request is pending review

---

Describe the bug

When we run the github action we get the error: "Resource not accessible by integration"

To Reproduce Steps to reproduce the behavior:

Our .github/workflows/continuous_integration.yml

name: continuous_integration
on:
  push:
    branches:
      - main
      - staging

permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout

jobs:
  breaking_changes_graphql:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Install dependencies
        uses: ./.github/actions/pnpm-install-action

      - uses: kamilkisiela/graphql-inspector@master
        with:
          schema: 'main:schema.graphql'

Expected behavior

I would expect the github action to finish with a report

Environment:

• OS: ubuntu
• graphql-inspector@master

Additional context

[leonard-henriquez]

@kamilkisiela is this repo still under active maintenance ?

[kamilkisiela]

Yes

[leonard-henriquez]

Awesome !
@kamilkisiela Do you have any idea what this error mean?
I can't find this message in this codebase.
I have no clue how to debug this error...

[leonard-henriquez]

It works when I add all permissions.
Any ideas what are the ones needed ?

[ljukas]

Mine looks like this and gets the same error. I have set check to write as the docs say here:

Will have to go through and enable each one to see which stops this from working

[billdybas]

I think you also need the pull-requests: read permission. I ran into the same issue & traced it back to getAssociatedPullRequest failing.

graphql-inspector/packages/action/src/run.ts

Line 51 in e77738a

const pullRequest = await getAssociatedPullRequest(octokit, commitSha);

It makes an API call to GET /repos/{owner}/{repo}/commits/{commit_sha}/pulls which requires read permissions on pull requests.

[glg-satish-tripathi]

@leonard-henriquez After thorough investigation, I discovered that this is the bare minimum permission required for the action to run.

permissions:
  contents: read 
  pull-requests: write
  checks: write