🐛 Bug: "Error: Resource not accessible by integration" from PR compliance action

[JoshuaKGoldberg]

Bug Report Checklist

• I have tried restarting my IDE and the issue persists.
• I have pulled the latest main branch of the repository.
• I have searched for related issues and found none that matched my issue.

Expected

This repo uses https://github.com/mtfoley/pr-compliance-action to fail PR builds on issues such as PR titles not matching conventional commits. It should post a message to the PR if there are any failures.

Actual

I keep misconfiguring the action so that it doesn't have permissions to post. Example:

#456 -> https://github.com/JoshuaKGoldberg/template-typescript-node-package/actions/runs/5032810384/jobs/9026669253?pr=456

Error: This PR's title should conform to specification at https://conventionalcommits.org/
Error: Resource not accessible by integration

Additional Info

Sigh this again...

At first I thought I'd probably broken this in #441. But that PR didn't change permissions that I can see...?

[tungbq]

Hi @JoshuaKGoldberg,
After investigation and make some tests, I think the issue happens on PR from forked only, the feature will work fine with PR created from the branches on your origin repository.

This is what I found from GitHub doc:
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#assigning-permissions-to-a-specific-job
You can use the permissions key to add and remove read permissions for forked repositories, but typically you can't grant write access.

The exception to this behavior is where an admin user has selected the Send write tokens to workflows from pull requests option in the GitHub Actions settings. For more information, see "Managing GitHub Actions settings for a repository."

I think we could resolve the issue by using the admin user and change the configuration as suggested by Github.
Hope this helps!

[JoshuaKGoldberg]

Ah, great investigation - thanks for looking into this & posting such a thorough explanation! ❤️

https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories:

Available to private repositories only,

...alas.

This is another case where I feel comfortable saying GitHub actions aren't currently architected well for this kind of scenario (don't even get me started on the permissions model & error reporting...). I think a next best solution would be to have https://github.com/mtfoley/pr-compliance-action give a friendlier build error than Resource not accessible by integration. mtfoley/pr-compliance-action#368