"Resource not accessible by integration" on github post /repos/{owner}/{repo}/actions/runn-CodePudding

I am making a curl post request from my github workflow (action) to get registration token for a self-hosted runner but I am receiving the following response:

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/reference/actions#create-a-registration-token-for-a-repository"
}

Below is stripped version of my github workflow:


name: get-token

"on":
  push: { branches: ["token"] }

jobs:
  
  print-token:
    name: print-token
    environment: dev
    # needs: pre-pkr
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@v2

      - name: Get registration token
        id: getRegToken
        run: |
          curl -X POST -H \"Accept: application/vnd.github.v3 json\"  -H 'Authorization: token ${{ secrets.GITHUB_TOKEN }}' https://api.github.com/repos/myprofile/myrepo/actions/runners/registration-token

Eventually I'd wanna pass this token to the ami I am creating with packer build command (next step). I tried above curl request with packer's shell provisioner as well but same response. Unable to figure out if I have to allow some permissions from github ui? Or how else can this be done? Thanks in advance.

CodePudding user response：

Try adding permissions to your job:

name: get-token

"on":
  push: { branches: ["token"] }

jobs:
  
  print-token:
    permissions: write-all
    name: print-token
    environment: dev
    # needs: pre-pkr
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@v2

      - name: Get registration token
        id: getRegToken
        run: |
          curl -X POST -H \"Accept: application/vnd.github.v3 json\"  -H 'Authorization: token ${{ secrets.GITHUB_TOKEN }}' https://api.github.com/repos/myprofile/myrepo/actions/runners/registration-token

This should tell you if that's the issue, then you can figure out which permission you were missing and configure them correctly in more details.

As comments and other answers mentioned, there are multiple ways you can configure permissions:

use PAT (Personal Access Token)
override permissions in workflow file itself, as shown in snippet above
configure permissions in Actions settings

The third option can be done on few different levels:

You can find details for default permissions here.

CodePudding user response：

The problem here is related to the GITHUB_TOKEN permission scope that is generated automatically in a Github Actions workflow run.

As frennky shared in his answer, the default permissions of this token can be found here.

Based on this, you have 2 solutions:

The first one is the one suggested by freenky, updating the GITHUB_TOKEN permissions in the workflow run using the permissions field in your job.
The second one is to use a Personal Access Token instead of the default GITHUB_TOKEN, creating it with the specific permissions you need, and then adding it as a repository secret.