
Unable to upload a release artifact as part of a release action on a private github repo #468

Closed
chris-j-major opened this issue May 22, 2024 · 6 comments

Comments

@chris-j-major

I've recently started seeing failures of uploading the artifact to a release:

Run anchore/[email protected]
------------------------------ Running SBOM Action -----------------------------
/usr/bin/sh /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c461dc -d -b /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c461dc_syft v1.4.1
[debug] checking github for release tag='v1.4.1' 
[debug] http_download(url=https://github.com/anchore/syft/releases/v1.4.1) 
[info] fetching release script for tag='v1.4.1' 
[debug] http_download(url=https://raw.githubusercontent.com/anchore/syft/v1.4.1/install.sh) 
[debug] checking github for release tag='v1.4.1' 
[debug] http_download(url=https://github.com/anchore/syft/releases/v1.4.1) 
[info] using release tag='v1.4.1' version='1.4.1' os='linux' arch='amd64' 
[debug] downloading files into /tmp/tmp.fgZr8JGzEF 
[debug] http_download(url=https://github.com/anchore/syft/releases/download/v1.4.1/syft_1.4.1_checksums.txt) 
[debug] http_download(url=https://github.com/anchore/syft/releases/download/v1.4.1/syft_1.4.1_linux_amd64.tar.gz) 
[info] installed /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c461dc_syft/syft 
/opt/hostedtoolcache/syft/1.4.1/x64/syft scan ghcr.io/cosimmetry/sketch -o spdx-json
Executing Syft...
SBOM scan completed in: 217.16s
------------------------- Uploading workflow artifacts -------------------------
/tmp/sbom-action-gzIbTJ/cosimmetry-sketch.spdx.json
Found 1 artifact(s)
------------------- Attaching SBOMs to release: 'v0.4.6.-rc2' ------------------
Error: Resource not accessible by integration

Originally posted by @chris-j-major in #467 (comment)

With the extra debug logging:


##[debug][Response] - 200
##[debug]Headers: {
##[debug]  "content-length": "558",
##[debug]  "content-type": "application/json",
##[debug]  "date": "Wed, 22 May 2024 16:37:57 GMT",
##[debug]  "x-github-backend": "Kubernetes",
##[debug]  "x-github-request-id": "DC40:3AC60B:418057:51F6DD:664E1F65"
##[debug]}
##[debug]Body: {
##[debug]  "artifacts": [
##[debug]    {
##[debug]      "workflow_run_backend_id": "6719f581-f068-4aa1-bd67-db9370d02c8e",
##[debug]      "workflow_job_run_backend_id": "cbb13c67-6d24-5e25-ba4a-b1084b56aecc",
##[debug]      "database_id": "1527818680",
##[debug]      "name": "b3c863a4f1f3aa01ff7832396bedba4d99097d85",
##[debug]      "size": "2564668",
##[debug]      "created_at": "2024-05-22T16:29:34Z"
##[debug]    },
##[debug]    {
##[debug]      "workflow_run_backend_id": "acb33220-17f5-469d-8d20-f6713fef0460",
##[debug]      "workflow_job_run_backend_id": "cbb13c67-6d24-5e25-ba4a-b1084b56aecc",
##[debug]      "database_id": "1527846997",
##[debug]      "name": "b3c863a4f1f3aa01ff7832396bedba4d99097d85",
##[debug]      "size": "2564662",
##[debug]      "created_at": "2024-05-22T16:37:57Z"
##[debug]    }
##[debug]  ]
##[debug]}
Found 2 artifact(s)
::group::listCurrentWorkflowArtifacts response:
listCurrentWorkflowArtifacts response:
  ##[debug]{
  ##[debug]  "artifacts": [
  ##[debug]    {
  ##[debug]      "name": "b3c863a4f1f3aa01ff7832396bedba4d99097d85",
  ##[debug]      "id": 1527818680,
  ##[debug]      "size": 2564668,
  ##[debug]      "createdAt": "2024-05-22T16:29:34.000Z"
  ##[debug]    },
  ##[debug]    {
  ##[debug]      "name": "b3c863a4f1f3aa01ff7832396bedba4d99097d85",
  ##[debug]      "id": 1527846997,
  ##[debug]      "size": 2564662,
  ##[debug]      "createdAt": "2024-05-22T16:37:57.000Z"
  ##[debug]    }
  ##[debug]  ]
  ##[debug]}
  ::endgroup::
##[debug]Found artifact: b3c863a4f1f3aa01ff7832396bedba4d99097d85
##[debug]Found artifact: b3c863a4f1f3aa01ff7832396bedba4d99097d85
------------------- Attaching SBOMs to release: 'v0.4.7-rc1' -------------------
Error: Resource not accessible by integration
##[debug]Node Action run completed with exit code 1
##[debug]ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT='b3c863a4f1f3aa01ff7832396bedba4d99097d85'
##[debug]Finishing: Generate SBOM

I don't believe this is related to permissions, as other steps in the same workflow are successfully uploading release artifacts.

Thanks in advance :)

@chris-j-major
Author

For context - the workflow job has write permissions:

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
    permissions:
      contents: write # need write to update the generated SBOM
      packages: write # need access to write docker package

We first observed this on 21/05/2024 and it worked successfully a week earlier.

@kzantow
Contributor

kzantow commented May 22, 2024

Hi @chris-j-major -- it looks like this is failing to attach a release asset rather than a workflow artifact, is that accurate?

There was just recently a change (prompted from this issue) published which is almost assuredly responsible for this, but I'm trying to figure out exactly why. I just tested this again on my test repo, and set the permissions as you've described since they were missing. But this worked as expected to both a) attach workflow artifacts and b) attach release assets.

Is there a public repo where I could look at your complete workflow? Alternately, is there some minimal workflow that reproduces this issue?

@kzantow
Contributor

kzantow commented May 22, 2024

I should also note in a Github actions toolkit readme it mentions the actions:read permission for reading from other repos; maybe that's missing due to some global permissions you have set?

@chris-j-major
Author

Thanks for the quick replies. You're entirely correct that the failure is a release asset. I'll update the title to make it clearer.

I've created a minimal test case, and interestingly it worked properly as a public repo, but failed if it was private to the organisation. Hopefully you should be able to see it at https://github.com/cosimmetry/release-testing/actions (I've now made it public again).

The two releases are both from the same commit - AFAIK the only difference is the repo's visibility in github.

@chris-j-major chris-j-major changed the title Unable to upload artifact as part of a release Unable to upload a release artifact as part of a release action on a private github repo May 22, 2024
@kzantow
Contributor

kzantow commented May 23, 2024

Hi @chris-j-major -- thanks for getting an example set up! I was able to reproduce it and you hit the nail on the head: this fails for private repos, but not public. It needs the actions: read permission to download the SBOM! I'm pretty sure the reason the public repo works is that it just makes those publicly readable. I'm surprised this worked before for you, but it looks like the artifact library update enforces it more appropriately now. Let me know if that doesn't work for you!

Assuming this works for you, I'll be sure to get the docs updated to reflect this!

@chris-j-major
Author

@kzantow, thanks for the pointer, I can confirm that your suggestion works.

I've now got:


    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
    permissions:
      contents: write # need write to update the generated SBOM
      packages: write # need access to write docker package
      actions: read   # required for a private repo to read the SBOM once it's generated so it can upload.

and it successfully builds on release of my private test repository.
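A preflight check for the permission set the thread converged on, as an added example (not code from anchore/sbom-action or the reporter's repository); the sample workflow dict, the `@v0` tag and the `read-all`/`write-all` handling are constructed assumptions, not taken from the issue:

```python
"""Preflight check for the job permissions this issue converged on.

Added example, not code from anchore/sbom-action or the reporter's repo. The
workflow is given as a plain dict (what PyYAML's safe_load would return) so
the check runs with no dependencies. Jobs using anchore/sbom-action must grant
`contents: write` to attach the release asset and `actions: read` to read the
SBOM artifact back, which private repositories enforce.
"""

# scope -> (level to suggest, levels that satisfy the requirement)
REQUIRED = {"contents": ("write", {"write"}), "actions": ("read", {"read", "write"})}


def uses_sbom_action(job):
    """True if any step of the job references anchore/sbom-action."""
    return any(str(s.get("uses", "")).startswith("anchore/sbom-action")
               for s in job.get("steps", []))


def check_job(name, job, workflow_perms=None):
    """Return findings for one job; an empty list means it looks fine."""
    perms = job.get("permissions", workflow_perms)  # job block replaces workflow block
    if perms is None:  # token inherits the repository default, not visible here
        return [f"{name}: no explicit permissions block (inherits repo default)"]
    if isinstance(perms, str):  # shorthand 'read-all' / 'write-all'
        return [] if perms == "write-all" else [f"{name}: '{perms}' lacks contents: write"]
    return [f"{name}: missing {scope}: {level}"
            for scope, (level, ok) in REQUIRED.items() if perms.get(scope) not in ok]


def check_workflow(workflow):
    """Collect findings for every job that runs anchore/sbom-action."""
    return [f for name, job in workflow.get("jobs", {}).items()
            if uses_sbom_action(job)
            for f in check_job(name, job, workflow.get("permissions"))]


def sample_workflow(permissions):
    """Constructed workflow modelled on the YAML posted in the issue (tag assumed)."""
    return {"jobs": {"build-and-push-image": {
        "runs-on": "ubuntu-latest", "permissions": permissions,
        "steps": [{"uses": "anchore/sbom-action@v0"}]}}}


BEFORE = sample_workflow({"contents": "write", "packages": "write"})  # failing job
AFTER = sample_workflow({"contents": "write", "packages": "write", "actions": "read"})

if __name__ == "__main__":
    print(check_workflow(BEFORE))  # ['build-and-push-image: missing actions: read']
    print(check_workflow(AFTER))   # []
```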

ferozsalam added a commit to cilium/cilium that referenced this issue Jun 11, 2024