Resource not accessible by integration when using Github App token

[mike-pisman]

Select Topic Area

Bug

Body

Hi,

I am trying to create a repository_dispatch event using GitHub App token for organization. The idea is to run a workflow which will trigger a workflow in another repository. Both repos are public and located in the same organization. The GitHub app has access to all public repositories. Worth menthioning, that I use a self hosted action runner controller(arc-runner-k8s), which is authenticated with the same app credentials. According to this article, I have set app permissions to allow repository dispatch requests. In repository permissions: contents: read and write, actions: read and write , metadata: read only.

When running the workflow I get the error Resource not accessible by integration. The workflow works with PAT token, but not with token generated using the app credentials

---

Permission screenshot

App settings page

Workflow file

name: Update docs

on:
  workflow_dispatch:
  gollum:

jobs:
  docs: 
    runs-on: arc-runner-k8s
    permissions:
      contents: write
    steps:
      - name: Generate a token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PEM }}
      - name: Install curl
        run: |
          sudo apt update
          sudo apt install curl -y
      - name: Trigger the action
        run: |
          curl -L \
          -X POST \
          -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer ${{ steps.generate_token.outputs.token }}" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          https://api.github.com/repos/unipoll/gollum-test/dispatches \
          -d '{"event_type":"update_submodules"}'

[glauccoslima]

The error message "Resource not accessible by integration" typically occurs when the GitHub App token does not have the necessary permissions to access the requested resource. In your case, you are trying to create a repository_dispatch event using a GitHub App token for an organization. The error suggests that the token does not have the required permissions to access the repository or perform the requested action.

To resolve this issue, you need to ensure that the GitHub App has the appropriate permissions and access to the repository. Here are a few steps you can follow:

Verify GitHub App permissions:
Make sure that the GitHub App has the necessary permissions to perform repository dispatch requests. In your case, you mentioned that you have already set the app permissions to allow repository dispatch requests. Double-check the app permissions to ensure they are correctly configured.
Check repository permissions:
Ensure that the GitHub App has the required permissions for the repository where you want to trigger the workflow. In your case, the repository should have the following permissions:
contents: read and write
actions: read and write
metadata: read only
Verify that these permissions are set correctly for the repository.
Confirm organization access:
Ensure that the GitHub App has access to the organization that contains both repositories. You mentioned that the GitHub App has access to all public repositories, but double-check that it also has access to the organization.
Review your workflow file:
Check your workflow file to ensure that the necessary permissions are specified correctly. In your provided workflow file, you have set the contents permission to write, which should allow the workflow to write to the repository. Ensure that this permission is appropriate for your use case.
If you have followed these steps and the issue persists, you may need to further troubleshoot by examining the GitHub App configuration and permissions in more detail. You can refer to the GitHub documentation[0] for more information on GitHub App permissions and troubleshooting common issues.

Additionally, the error message you received suggests that the resource you are trying to access is not found. Make sure to double-check the repository name and API endpoint in your curl command. The https://api.github.com/repos/unipoll/gollum-test/dispatches endpoint you provided should be valid if the repository exists, but it's worth confirming the repository name and organization.

[mike-pisman]

Hi, @glauccoslima, thank you for the reply

Ensure that the GitHub App has the required permissions for the repository where you want to trigger the workflow. In your case, the repository should have the following permissions:

As you can see from the screenshots, I have the correct permissions.

Permission screenshot

App settings page

• contents: read and write
• actions: read and write
• metadata: read only

Verify that these permissions are set correctly for the repository.

As the permissions are set for all repositories(as you can see in the screenshot, this should also apply)

---

Ensure that the GitHub App has access to the organization that contains both repositories. You mentioned that the GitHub App has access to all public repositories, but double-check that it also has access to the organization.

I am not sure about this one. Can you please elaborate? How can I check if it has access to the organization?

I have the application installed in the organization(please see the screenshot bellow)

Organization Apps page

Per this documentation, I only need to set repository permissions. Do I also need to add some organization permissions?

---

One thing I am also confused is the clients secretes(please see the screenshot bellow).

In the documentation they say that I need an authentication token to make request(which is what I do in the workflow), but as you can see on the screenshot, it says

You need a client secret to authenticate as the application to the API.

So, do I also need a client secrete?

---

Lastly,

Additionally, the error message you received suggests that the resource you are trying to access is not found.

This would result in 404 error, which I've already experienced when I misspelled repository name in the URI of the HTTP request. I get error 403 now, which implies lack of some sort of permissions.

Thank you anyway, just trying to put it all together.

[mike-pisman]

Okay, I figured it out. I tried manually generating a JWT token and then using it to generate app installation token, and managed to trigger a repository. (Guess this is a good way to check the app permissions)

As always, I missed a small detail which caused all the trouble. The actions/create-github-app-token by default only generates a token for the current repository. To generate a token for all repositories it's important to specify owner, i.e. owner: ${{ github.repository_owner }}

    steps:
      - name: Generate a token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PEM }}
          # Set the owner, so the token can be used in all repositories
          owner: ${{ github.repository_owner }}

@glauccoslima, thank you for the help, your reply might be useful for other people !

[hkonala]

@mike-pisman I was using terraform to create a github repository using the github appauth. Although I'm passing the values for App_id, installtion_ID and possibly correct PEM file content to "pem_file" variable. I'm getting Resource not accessible by integration error.
Any idea on saving the PEM file downloaded from github, in github secrets?

[mike-pisman]

@hkonala, there is nothing special to storing PEM as a secret. Please refer to the documentation, step 3:

Generate a private key for your app. Store the contents of the resulting file as a secret. (Store the entire contents of the file, including -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.) For more information, see "Managing private keys for GitHub Apps." For more information about storing secrets, see "Using secrets in GitHub Actions."

Basically, once you generate the app key, create a secrete and copy the certificate, everything beetween Begin RSA and End RSA including those lines as well. i.e.

-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----

---

As to "Resource not accessible by integration error", it's related to permissions. Make sure your app has appropriate permissions in the organization/repository.

[SAIKARTHIKGOTURI]

@mike-pisman
Is there any solution found for this issue ?
I'm also facing the similar issue

[abhi-iac]

I am also not sure if the GH app defined at enterprise level and installed on two of its orgs will be able to generate the token for the enterprise.

I was trying to create a token in the workflow by defining the owner as enterprise app I am encountering issues like "Failed to create token for "xxx" (attempt 1): Not Found - https://docs.github.com/rest/apps/apps#get-a-user-installation-for-the-authenticated-app"

[mike-pisman]

@SAIKARTHIKGOTURI, sorry I didn't see your message and it's been awhile. Have you resolved your problem?

Looks like I ended up switching to peter-evans/repository-dispatch action. Here is a workflow to trigger and workflow in another repository.

This workflow(Update docs) runs in the project repo. When I update github wiki pages(gollum trigger), it will generate token for authentication/authorization and, using peter-evans/repository-dispatch@v2, it will trigger another workflow(Update submodules) in the docs repo.

name: Update docs

on:
  workflow_dispatch:
  gollum:
  workflow_run:
    workflows: ["Update API Changelog"]
    branches: [main]
    types:
      - completed

jobs:
  docs: 
    runs-on: arc-runner-k8s
    permissions: write-all
    steps:
      - name: Generate a token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PEM }}
          owner: ${{ github.repository_owner }}
      - name: Repository Dispatch
        uses: peter-evans/repository-dispatch@v2
        with:
          token: ${{ steps.generate_token.outputs.token }}
          repository: unipoll/docs
          event-type: update_submodules

This one is triggered by previous workflow and checks out main repo wiki pages as sub-module.

name: Update submodules

on:
  workflow_dispatch:
  repository_dispatch:
    types: [update_submodules]
  
jobs:
  update_submodules:
    # runs-on: ubuntu-latest
    runs-on: arc-runner-k8s
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Force update git
        run: |
          sudo apt-get update
          sudo apt-get install -y software-properties-common
          sudo add-apt-repository -y ppa:git-core/ppa
          sudo apt-get update
          sudo apt-get install -y git
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          submodules: true
      - name: Git Sumbodule Update
        run: |
          git pull --recurse-submodules
          git submodule update --remote --recursive
      - name: Commit update
        run: |
          git config --global user.name 'Bot'
          git config --global user.email '[email protected]'
          git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
          git commit -am "Auto updated submodule references" && git push || echo "No changes to commit"

I hope this helps, let me know if you have any other questions. This and other code lives in https://github.com/unipoll, feel free to check out other workflows