From 3629d5568b59204f18786372f6d740d649719488 Mon Sep 17 00:00:00 2001
From: HarithaVattikuti <73516759+HarithaVattikuti@users.noreply.github.com>
Date: Thu, 16 Jan 2025 08:46:55 -0600
Subject: [PATCH] Document update - permission section (#840)
* Update Section
* Update warning
---
README.md | 8 +++++++-
dist/index.js | 2 +-
src/labeler.ts | 2 +-
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 5284acef8..05bfaea6a 100644
--- a/README.md
+++ b/README.md
@@ -256,11 +256,17 @@ jobs: # Put your commands for running backend tests here ``` -## Permissions +## Recommended Permissions In order to add labels to pull requests, the GitHub labeler action requires write permissions on the pull-request. However, when the action runs on a pull request from a forked repository, GitHub only grants read access tokens for `pull_request` events, at most. If you encounter an `Error: HttpError: Resource not accessible by integration`, it's likely due to these permission constraints. To resolve this issue, you can modify the `on:` section of your workflow to use [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) instead of `pull_request` (see example [above](#create-workflow)). This change allows the action to have write access, because `pull_request_target` alters the [context of the action](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) and safely grants additional permissions. Refer to the [GitHub token permissions documentation](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) for more details about access levels and event contexts. +```yml + permissions: + contents: read + pull-requests: write +``` + ## Notes regarding `pull_request_target` event Using the `pull_request_target` event trigger involves several peculiarities related to initial set up of the labeler or updating version of the labeler. diff --git a/dist/index.js b/dist/index.js index 2e4759da5..327f2d23b 100644 --- a/dist/index.js +++ b/dist/index.js 
@@ -1087,7 +1087,7 @@ function labeler() { error.message !== 'Resource not accessible by integration') { throw error; } - core.warning(`The action requires write permission to add labels to pull requests. For more information please refer to the action documentation: https://github.com/actions/labeler#permissions`, { + core.warning(`The action requires write permission to add labels to pull requests. For more information please refer to the action documentation: https://github.com/actions/labeler#recommended-permissions`, { title: `${process.env['GITHUB_ACTION_REPOSITORY']} running under '${github.context.eventName}' is misconfigured` }); core.setFailed(error.message); diff --git a/src/labeler.ts b/src/labeler.ts index a1f0ab982..816544390 100644 --- a/src/labeler.ts +++ b/src/labeler.ts @@ -72,7 +72,7 @@ async function labeler() { } core.warning( - `The action requires write permission to add labels to pull requests. For more information please refer to the action documentation: https://github.com/actions/labeler#permissions`, + `The action requires write permission to add labels to pull requests. For more information please refer to the action documentation: https://github.com/actions/labeler#recommended-permissions`, { title: `${process.env['GITHUB_ACTION_REPOSITORY']} running under '${github.context.eventName}' is misconfigured` }
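Review bot: The warning in src/labeler.ts still says only "write permission" without naming the scope, so a maintainer who reads just the log line may resolve the error by granting far broader token permissions than the `contents: read` / `pull-requests: write` pair that the linked README section recommends. Consider naming the scope in the message itself, e.g. `The action requires the 'pull-requests: write' permission to add labels to pull requests. For more information ...`, and keep the link as further reading. The URL fragment is also tied to the README heading text, which is why this commit had to change it; a one-line comment above the call such as `// Anchor must match the "Recommended Permissions" heading in README.md` would make that coupling visible. The identical string in dist/index.js appears to be build output, so it is better regenerated from the source than edited by hand; labeler() starts and ends outside both hunks.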