63

I am making a curl POST request from my GitHub workflow (action) to get a registration token for a self-hosted runner, but I am receiving the following response:

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/reference/actions#create-a-registration-token-for-a-repository"
}

Below is a stripped version of my GitHub workflow:


name: get-token

"on":
  push: { branches: ["token"] }

jobs:
  
  print-token:
    name: print-token
    environment: dev
    # needs: pre-pkr
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@v2

      - name: Get registration token
        id: getRegToken
        run: |
          curl -X POST -H 'Accept: application/vnd.github.v3+json' -H 'Authorization: token ${{ secrets.GITHUB_TOKEN }}' https://api.github.com/repos/myprofile/myrepo/actions/runners/registration-token

Eventually I'd want to pass this token to the AMI I am creating with the packer build command (next step). I tried the above curl request with packer's shell provisioner as well, but got the same response. I am unable to figure out whether I have to allow some permissions from the GitHub UI, or how else this can be done. Thanks in advance.

nu_popli
  • 1
    Hi, did you try using a Personal Access Token (PAT) in your curl instead of the GITHUB_TOKEN? – GuiFalourd Dec 21 '21 at 14:45
  • Hello. Sorry for the delayed reply. Yes, I have, and that works for me. I was leaning towards GITHUB_TOKEN since it is a temp token. Also, one less step (no need to create a PAT with relevant permissions and store it in secrets). Only looking for an explanation of why the GITHUB_TOKEN doesn't work. Thanks. – nu_popli Dec 22 '21 at 07:03
  • Most of the time, when an operation works with the PAT and not with the GITHUB_TOKEN, it's a scope issue. The GHA token only has a specific scope, while the GitHub API needs wider ones to perform some operations. Here, creating a registration token is something that probably needs admin permissions, and they are not contained in the GHA token. I'll add an official answer with more details – GuiFalourd Dec 22 '21 at 10:36
  • Did you find a different solution than using PAT for this? I am having the same problem and would like to get rid of the additional input in my `workflow_dispatch` inputs – andre Feb 16 '23 at 17:43
  • As far as I can remember, it was not possible to achieve this with GH Token and I ended up going with PAT. – nu_popli Feb 17 '23 at 17:04

5 Answers

75

Try adding permissions to your job:

name: get-token

"on":
  push: { branches: ["token"] }

jobs:
  
  print-token:
    permissions: write-all
    name: print-token
    environment: dev
    # needs: pre-pkr
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@v2

      - name: Get registration token
        id: getRegToken
        run: |
          curl -X POST -H 'Accept: application/vnd.github.v3+json' -H 'Authorization: token ${{ secrets.GITHUB_TOKEN }}' https://api.github.com/repos/myprofile/myrepo/actions/runners/registration-token

This should tell you if that's the issue; then you can figure out which permission you were missing and configure it correctly in more detail.

As comments and other answers mentioned, there are multiple ways you can configure permissions:

  • use PAT (Personal Access Token)
  • override permissions in workflow file itself, as shown in snippet above
  • configure permissions in Actions settings

The third option can be done on a few different levels:

You can find details for default permissions here.

Liam
frennky
  • 1
    Hello. Thanks for the answer. I took the advice and, as far as I understand, this can't be done directly in the workflow. I explicitly allowed all permissions in the workflow but it still doesn't work. Permissions for GH Token are also set to read/write. PAT needs repo permissions to generate a registration token, but those conditions can't be assigned in the workflow. – nu_popli Dec 23 '21 at 17:13
  • I've just tried setting `permissions: write-all` in my workflow yml and it works now (can't comment on if it worked when you commented) – ScottishTapWater Mar 13 '23 at 03:02
  • 4
    This is the best answer you may find on the internet about this question, even better than chatGPT. – Wassim AZIRAR May 01 '23 at 15:36
  • 1
    On GitHub Enterprise v3.8 I just tried setting the job's `permissions: write-all` and then, in my ci/cd pipeline, calling the `gh cli` to set an environment level secret, I get the `Resource not accessible by integration` error using the `GH_ENTERPRISE_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in the `env` context. However, if I instead change that out to use a PAT from my admin's svc account, then everything works fine. – Al Dass May 04 '23 at 02:05
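As an added example (not code from the question or any of the answers), here is the curl call from the question wrapped in a small POSIX shell script that a `run:` step can call. It checks the HTTP status, distinguishes the "Resource not accessible by integration" denial from other failures, and masks the returned token in the job log via `::add-mask::` before exporting it as a step output. The endpoint's documentation requires admin access to the repository, and `administration` is not a scope the workflow `permissions:` key can grant to GITHUB_TOKEN, which is why the asker ended up with a PAT. The names GH_TOKEN, REPO and the file name get-reg-token.sh are assumptions for this example, not anything from the page.

```shell
#!/usr/bin/env sh
# Added example (not code from the question or any answer): request a runner
# registration token from a `run:` step and fail loudly on the
# "Resource not accessible by integration" case instead of letting curl
# print the error and exit 0, which would let a later packer step run with
# an empty token.
#
# Assumptions (hypothetical names): GH_TOKEN holds GITHUB_TOKEN or a PAT
# stored as a repository secret, REPO is "owner/name", and this file is
# saved as get-reg-token.sh.

# classify_response HTTP_CODE BODY
# Prints "ok", "permission" or "other"; returns 0 only for "ok".
classify_response() {
  case "$1" in
    201) echo ok; return 0 ;;
    403)
      if printf '%s' "$2" | grep -q 'Resource not accessible by integration'; then
        echo permission
      else
        echo other
      fi
      return 1 ;;
    *)   echo other; return 1 ;;
  esac
}

# extract_token BODY
# Pulls the "token" field out of the JSON GitHub returns (no jq dependency).
extract_token() {
  printf '%s\n' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# request_registration_token REPO TOKEN
# POSTs to the endpoint from the question; the last output line is the
# HTTP status so the caller can branch on it.
request_registration_token() {
  curl -sS -X POST \
    -H 'Accept: application/vnd.github.v3+json' \
    -H "Authorization: token $2" \
    -w '\n%{http_code}' \
    "https://api.github.com/repos/$1/actions/runners/registration-token"
}

main() {
  : "${GH_TOKEN:?set GH_TOKEN to GITHUB_TOKEN or a PAT secret}"
  : "${REPO:?set REPO to owner/name}"

  raw=$(request_registration_token "$REPO" "$GH_TOKEN")
  code=$(printf '%s\n' "$raw" | tail -n 1)
  body=$(printf '%s\n' "$raw" | sed '$d')
  result=$(classify_response "$code" "$body") || true

  case "$result" in
    ok)
      token=$(extract_token "$body")
      echo "::add-mask::$token"      # keep the token out of the job log
      echo "reg_token=$token" >> "${GITHUB_OUTPUT:-/dev/stdout}"
      ;;
    permission)
      echo "token lacks the repository admin rights this endpoint needs (GITHUB_TOKEN cannot be granted them via permissions:); use a PAT stored as a secret" >&2
      exit 1 ;;
    *)
      echo "unexpected HTTP $code from GitHub: $body" >&2
      exit 1 ;;
  esac
}

# Run main only when executed as a script, not when sourced for testing.
case "$0" in *get-reg-token.sh) main ;; esac
```

From a workflow step this would be invoked as `REPO=${{ github.repository }} GH_TOKEN=${{ secrets.RUNNER_PAT }} sh get-reg-token.sh`, where RUNNER_PAT is an assumed secret name holding a PAT with the `repo` scope; a following step can then read `${{ steps.<id>.outputs.reg_token }}` and hand it to packer without the value ever appearing unmasked in the log.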
50

Go to https://github.com/OWNER/REPO/settings/actions and, in the Workflow Permissions section, give actions Read and Write permissions. That provides your token with rights to modify your repo and solves your problem.

Oscar
    Has the default value for this permission changed recently? In my older repos, I didn't have to enable this manually. – Paul Razvan Berg Mar 02 '23 at 13:41
  • 2
    This actually helped. That was annoying to see that a path filter needed write access... :-/ – Andreas Lundgren Mar 23 '23 at 11:25
  • 1
    I found myself to manually do this for the first time, as the default GitHub behaviour changed: https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/ – Eduardo Pignatelli Jun 13 '23 at 15:45
  • After switching from a free plan to the GitHub Enterprise Cloud plan, I found I needed to confirm these settings to have CI work again. – tinystone Aug 22 '23 at 04:32
11

The problem here is related to the permission scope of the GITHUB_TOKEN that is generated automatically in a GitHub Actions workflow run.

As frennky shared in his answer, the default permissions of this token can be found here.

Based on this, you have 2 solutions:

  • The first one is the one suggested by frennky: updating the GITHUB_TOKEN permissions in the workflow run using the permissions field in your job.

  • The second one is to use a Personal Access Token instead of the default GITHUB_TOKEN, creating it with the specific permissions you need, and then adding it as a repository secret.

GuiFalourd
  • Thanks for the answer. As far as I understand, the route with PAT is the only way to go (which I have tested, is working). Correct me if I am wrong but I believe the registration-token API can't be used directly with GITHUB_TOKEN in actions workflow. – nu_popli Dec 23 '21 at 17:16
  • The API can't be used with the **default** `GITHUB_TOKEN` permissions. But it may be possible updating the `GITHUB_TOKEN` permission scope using the [`permission field`](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions) (I didn't try it so I can't tell for sure). – GuiFalourd Dec 23 '21 at 18:06
  • 2
    I did try this. As far as I understand, it can't be done. – nu_popli Dec 25 '21 at 18:55
  • Where can I find which permissions the PAT has to be given? Is there a reference for this anywhere? I want the actions bot to add comments. It's working fine, unless the pull request is from a fork. Using gh cli – Ismoh Sep 28 '22 at 08:48
  • I believe the full `repo` scope is enough for what you want Ismoh. [reference](https://docs.github.com/en/enterprise-server@3.4/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) – GuiFalourd Sep 28 '22 at 10:02
  • @nu_popli - I've just tried setting `permissions: write-all` in my workflow yml and it works now (can't comment on if it worked when you commented) – ScottishTapWater Mar 13 '23 at 03:02
  • 1
    @ScottishTapWater That is good to know. I am sure it didn't work back then. I am not sure but I think there is a working API call too to generate a temporary token. You might want to try that too but don't take my word for it. – nu_popli Apr 13 '23 at 07:43
1
  1. Go to the repository "Settings".
  2. It will then show you a left pane where you will find "Actions".
  3. Expand the "Actions" tab.
  4. Click on "General" under the options tab.
  5. On the new page, scroll down and you will find "Workflow Permissions".
  6. Select "Read and Write" under "Workflow Permissions".

The rest of your settings seem fine, as you have not reported any other bug. If the problem persists, let me know and I will fix it.

Mudassar Hashmi
1

Add these permissions lines below your runs-on line, like this:

    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      repository-projects: write