repo-token: ***, Error: Forbidden #75

Closed
arhadnane opened this issue May 18, 2022 · 12 comments
Labels
bug Something isn't working

Comments

@arhadnane

Hi,
Why this:
image

Thank you in advance.

@MatthewRyanRead

I'm seeing this also. I thought it might be the permissions on the default GITHUB_TOKEN, but adding permissions: write-all to my workflow did not help.

@febuiles
Contributor

@arhadnane @MatthewRyanRead Thanks for reporting this, and apologies for the error! Some questions:

  1. Are you passing a custom token to the Action?
  2. Do you have a public repo you can link to where we can check the output?
  3. If this is for private repos, do you have Dependency Graph enabled? Are you a GitHub Advanced Security customer?

@MatthewRyanRead

MatthewRyanRead commented May 23, 2022

@febuiles

  1. I have tried with and without a custom token.
  2. It's a private repo, sorry! The output is unfortunately very sparse, and the same with or without a token:
    2022-05-23T17:58:43.6618742Z ##[group]Run actions/dependency-review-action@v1
    2022-05-23T17:58:43.6619135Z with:
    2022-05-23T17:58:43.6620072Z   repo-token: ***
    2022-05-23T17:58:43.6621664Z ##[endgroup]
    2022-05-23T17:58:44.0172748Z ##[error]Forbidden
    
  3. The Dependency Graph is enabled, and we are a new GitHub Advanced Security customer!

@febuiles
Contributor

@MatthewRyanRead I just pushed a new version (1.0.2) with some fixes for the error messages. Do you see any changes from your side if you re-run the Action?

@MatthewRyanRead

@febuiles

A different error is logged:

2022-05-23T19:51:25.2852623Z ##[group]Run actions/[email protected]
2022-05-23T19:51:25.2852989Z with:
2022-05-23T19:51:25.2853414Z   repo-token: ***
2022-05-23T19:51:25.2854689Z ##[endgroup]
2022-05-23T19:51:25.6248260Z ##[error]Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/<org>/<repo>/settings/security_analysis

However, all of the options on that page (including the graph) are enabled!

@febuiles
Contributor

@MatthewRyanRead Thanks for the extra details, let us look into this and we'll report back as soon as we know what's happening.

@stephenfuqua

I was encountering the same error. Updated v1.0.2 resolved the issue for my repo, thank you.

ColmBhandal added a commit to YipCodeOrg/YipFront that referenced this issue May 26, 2022
@febuiles
Contributor

febuiles commented Jun 6, 2022

@MatthewRyanRead & co. we ran into another bug today when @v1 Action runs were pointing to the v1 branch (now gone) instead of the v1 tag. Would you mind testing this again and seeing if it's still an issue?

@MatthewRyanRead

@febuiles Same error unfortunately. I have pointed to @v1.0.2 since last time, for what it's worth.

@febuiles
Contributor

@MatthewRyanRead We just released v2. If upgrading doesn't solve the issue I'm happy to look at this specific case (you can share private org/repo names to my username at github.com).

@MatthewRyanRead

No change here so I will send you a message, thanks @febuiles!

@febuiles
Contributor

I've been able to confirm with the help of @MatthewRyanRead that this is not a bug, but lack of good error messaging. The error should ask the user to first sign up for GHAS before trying to run this on a private repo. Closing this as it's not a bug.
