the GITHUB_TOKEN does not have write permission when running lint.yml workflow #4033

Open
tchaikov opened this issue Jun 24, 2024 · 7 comments


@tchaikov
Contributor

see https://github.com/fmtlib/fmt/actions/runs/9616362150/job/26526654984

image

that's why it failed later

RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/actions/github-script/e69ef5462fd455e02edcaf4dd7708eda96b9eda0/dist/index.js:9537:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async eval (eval at callAsyncFunction (/home/runner/work/_actions/actions/github-script/e69ef5462fd455e02edcaf4dd7708eda96b9eda0/dist/index.js:35424:16), <anonymous>:17:1)
    at async main (/home/runner/work/_actions/actions/github-script/e69ef5462fd455e02edcaf4dd7708eda96b9eda0/dist/index.js:35518:20) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/fmtlib/fmt/issues/4032/comments',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Fri, 21 Jun 2024 16:17:00 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'issues=write; pull_requests=write',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '2400:258E93:41503D0:41DD9FA:6675A77C',
      'x-ratelimit-limit': '5000',
      'x-ratelimit-remaining': '4999',
      'x-ratelimit-reset': '1718990220',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '1',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/issues/comments#create-an-issue-comment',
      status: '403'
    }
  },
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/fmtlib/fmt/issues/4032/comments',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/github-script octokit-core.js/5.0.1 Node.js/20.13.1 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"body":"clang-format 17.0.5 found issues in the formatting in your code:\\n<details>\\n<summary>\\nView the diff from clang-format:\\n</summary>\\n\\n```diff\\ndiff --git a/include/fmt/format.h b/include/fmt/format.h\\nindex 8f69037..440945d 100644\\n--- a/include/fmt/format.h\\n+++ b/include/fmt/format.h\\n@@ -3918,7 +3918,8 @@ class format_int {\\n   mutable char buffer_[buffer_size];\\n   char* str_;\\n \\n-  template <typename UInt> FMT_CONSTEXPR auto format_unsigned(UInt value) -> char* {\\n+  template <typename UInt>\\n+  FMT_CONSTEXPR auto format_unsigned(UInt value) -> char* {\\n     auto n = static_cast<detail::uint32_or_64_or_128_t<UInt>>(value);\\n     return detail::format_decimal(buffer_, n, buffer_size - 1).begin;\\n   }\\n@@ -3935,9 +3936,12 @@ class format_int {\\n  public:\\n   explicit FMT_CONSTEXPR format_int(int value) : str_(format_signed(value)) {}\\n   explicit FMT_CONSTEXPR format_int(long value) : str_(format_signed(value)) {}\\n-  explicit FMT_CONSTEXPR format_int(long long value) : str_(format_signed(value)) {}\\n-  explicit FMT_CONSTEXPR format_int(unsigned value) : str_(format_unsigned(value)) {}\\n-  explicit FMT_CONSTEXPR format_int(unsigned long value) : str_(format_unsigned(value)) {}\\n+  explicit FMT_CONSTEXPR format_int(long long value)\\n+      : str_(format_signed(value)) {}\\n+  explicit FMT_CONSTEXPR format_int(unsigned value)\\n+      : str_(format_unsigned(value)) {}\\n+  explicit FMT_CONSTEXPR format_int(unsigned long value)\\n+      : str_(format_unsigned(value)) {}\\n   explicit FMT_CONSTEXPR format_int(unsigned long long value)\\n       : str_(format_unsigned(value)) {}\\n \\n@@ -3958,7 +3962,9 @@ class format_int {\\n   }\\n \\n   /// Returns the content of the output buffer as an `std::string`.\\n-  FMT_CONSTEXPR auto str() const -> std::string { return std::string(str_, size()); }\\n+  FMT_CONSTEXPR auto str() const -> std::string {\\n+    return std::string(str_, size());\\n+  }\\n };\\n \\n template 
<typename T, typename Char>\\n\\n```\\n\\n</details>\\n"}',
    request: {
      agent: [Agent],
      fetch: [Function: proxyFetch],
      hook: [Function: bound bound register]
    }
  }
}
Error: Unhandled error: HttpError: Resource not accessible by integration

let's compare it with another run with the proper permission, see https://github.com/tchaikov/fmt/actions/runs/9339573823/job/25704121447

image

so the comment was posted when the format was wrong.

because, per https://docs.github.com/en/rest/issues/comments?apiVersion=2022-11-28#create-an-issue-comment

The fine-grained token must have at least one of the following permission sets:

  • "Issues" repository permissions (write)
  • "Pull requests" repository permissions (write)

so we might want to allow the workflow to write to a pull request in https://github.com/fmtlib/fmt/settings/actions:

image
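
The 403 response in the log above names the permissions the endpoint accepts in its `x-accepted-github-permissions` header. The following is an added example, not code from the issue or from the fmt workflow, that parses that header and reports what a token lacks; the `granted` map and the function names are assumptions made for illustration.

```javascript
// Added example: explain a 403 from the GitHub REST API by comparing the
// x-accepted-github-permissions response header with what the token holds.
const LEVELS = { none: 0, read: 1, write: 2, admin: 3 };

// Header grammar: ';' separates alternative permission sets (any one is
// enough), ',' separates permissions that are all required within a set.
function parseAcceptedPermissions(header) {
  return header
    .split(';')
    .map((set) => set.trim())
    .filter(Boolean)
    .map((set) =>
      Object.fromEntries(
        set.split(',').map((pair) => {
          const [name, level] = pair.split('=').map((s) => s.trim());
          return [name, level];
        })
      )
    );
}

// granted: hypothetical map of permission name -> level held by the token.
// A permission absent from the map counts as "none"; an unknown required
// level is treated as unsatisfiable so the check fails closed.
function explainDenial(header, granted) {
  const rank = (level, fallback) => LEVELS[level] ?? fallback;
  const alternatives = parseAcceptedPermissions(header).map((set) => {
    const missing = Object.entries(set)
      .filter(([name, need]) => rank(granted[name], 0) < rank(need, Infinity))
      .map(([name, need]) => `${name}=${need}`);
    return { set, missing };
  });
  return { allowed: alternatives.some((a) => a.missing.length === 0), alternatives };
}

// Header value copied from the 403 response above. The granted map is a
// constructed read-only token, not values taken from the workflow run.
const ACCEPTED = 'issues=write; pull_requests=write';
const readOnly = { contents: 'read', issues: 'read', pull_requests: 'read' };
const result = explainDenial(ACCEPTED, readOnly);
console.log(JSON.stringify(result, null, 2));
```

With a read-only token both alternatives come back with a missing entry, which matches the "at least one of the following permission sets" wording in the REST documentation quoted in this post.
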
@vitaut
Contributor

vitaut commented Jun 26, 2024

Workflows already have read and write permissions:

image

so I'm not sure why they are reported as read-only in the log.

@vitaut
Contributor

vitaut commented Jun 26, 2024

I could create a custom token although it's weird that the default one is not working.

@tchaikov
Contributor Author

i see. that's indeed weird. i am also using a default token.

@vitaut
Contributor

vitaut commented Jul 8, 2024

I tried using a different token in ccea338. Could you check if it helped?

@tchaikov
Contributor Author

tchaikov commented Jul 8, 2024

@vitaut thanks. i am testing it at https://github.com/fmtlib/fmt/actions/runs/9847874756/job/27188716238?pr=4062#step:5:30 with a PR at #4062. the error looks like

Error: Input required and not supplied: github-token
    at Object.getInput (/home/runner/work/_actions/actions/github-script/60a0d83039c74a4aee543508d2ffcb1c3799cdea/dist/index.js:212:15)
    at main (/home/runner/work/_actions/actions/github-script/60a0d83039c74a4aee543508d2ffcb1c3799cdea/dist/index.js:35499:24)
    at /home/runner/work/_actions/actions/github-script/60a0d83039c74a4aee543508d2ffcb1c3799cdea/dist/index.js:35497:1
    at /home/runner/work/_actions/actions/github-script/60a0d83039c74a4aee543508d2ffcb1c3799cdea/dist/index.js:35553:3
    at Object.<anonymous> (/home/runner/work/_actions/actions/github-script/60a0d83039c74a4aee543508d2ffcb1c3799cdea/dist/index.js:35556:12)
    at Module._compile (node:internal/modules/cjs/loader:1358:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1416:10)
    at Module.load (node:internal/modules/cjs/loader:1208:32)
    at Module._load (node:internal/modules/cjs/loader:1024:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:174:12)

@vitaut
Contributor

vitaut commented Jul 8, 2024

Thanks for testing. Here's a relevant thread that I found but didn't have a chance to look at in detail yet: actions/checkout#298.

@tchaikov
Contributor Author

tchaikov commented Jul 8, 2024

i tested the same setting in my repo. it works though. see https://github.com/tchaikov/fmt/actions/runs/9848013835/job/27189145141?pr=3#step:5:3

following https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository, the secret in question was created for the repository.

and it was reported used:

image
