Github Actions + CLI -> Error: Resource not accessible by integration (organization.teams)

[mbenedykconfigit]

Select Topic Area

Question

Body

I'm preparing a workflow which will assign a reviewer to dependabot PRs, using Github CLI.

/*...*/
env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  
permissions: write-all

/*...*/
 - name: Update `dependabot` PRs
        run: |
          /*...*/
          gh pr edit $pr_number --add-reviewer $next_person --remove-reviewer $reviewer_login

Whenever action will get to the point of gh pr edit $pr_number --add-reviewer $next_person --remove-reviewer $reviewer_login it fails with:

error fetching organization teams: GraphQL: Resource not accessible by integration (organization.teams)
Error: Process completed with exit code 1.

reviewers are individual users - within organization, not teams

If I change permissions to:

permissions:
  pull-requests: write
  contents: read
  statuses: read
  checks: read

it fails with

GraphQL: Resource not accessible by integration (repository.pullRequest.projectCards.nodes)
Error: Process completed with exit code 1.

On the repository actions configuration level:

• Actions permissions: Allow all actions and reusable workflows
• Workflow permissions:
  • Read and write permissions
  • Allow GitHub Actions to create and approve pull requests

Is it a bug? What else I need to make it work if permissions: write-all is not enough?

[mbenedykconfigit]

I think the issue is that gh pr edit $pr_number --add-reviewer $next_person --remove-reviewer $reviewer_login requires permission to organization.teams which cannot be granted to GITHUB_TOKEN within github actions scope. Why this kind of permission would be required at all when I'm pointing to a specific user by it's login?

[kmccoan]

I also just came across this trying to do the same thing, although I am trying to tag a team not an individual. Have you come across any workarounds or fixes?

[omoumniabdou]

Is there any workaround solution?

[kmccoan]

I ended up doing a direct API call using this helper for authentication

name: Dependabot auto-assign
on:
  pull_request:
    types: [ opened ]

jobs:
  dependabot_review_tagger:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Generate a github token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.DEPENDABOT_REVIEW_TAGGER_APP_ID }}
          private-key: ${{ secrets.DEPENDABOT_REVIEW_TAGGER_APP_SECRET }}
      - name: Auto-tag engineering-team to dependabot pull requests
        run: |
          curl -L \
            --request POST \
            --header  "Accept: application/vnd.github+json" \
            --header  "Authorization: Bearer ${{steps.generate-token.outputs.token}}" \
            --url https://api.github.com/repos/<org-slug>/<repo>/pulls/${{ github.event.pull_request.number }}/requested_reviewers \
            --data '{"team_reviewers":["engineering-team"]}'

[geoL86]

Ufff, the same issue with scopes

[tobias-tengler]

Running into this issue as well

[davidkominekhypixelstudios]

You can use https://github.com/actions/create-github-app-token/tree/v1/ Action to create token with necessary rights and do something like this

- uses: actions/create-github-app-token@v1
    id: app-token
    with:
      app-id: ${{ vars.PR_MANAGEMENT_APP_ID }}
      private-key: ${{ secrets.PR_MANAGEMENT_PRIVATE_KEY }}
- name: Create PR review request
    env:
      GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
      url: ${{ github.event.pull_request.html_url }}
    run: |
      gh pr edit "$url" --add-reviewer yourorg/core