Fail gracefully if GITHUB_TOKEN is set with non-working permissions

[MikeMcC399]

What would you like?

If GITHUB_TOKEN is passed to the action when recording to Cypress Cloud and permissions are restricted, the workflow may fail with an error such as:

Unable to fetch related PR data for commit: '46a72ff9cd29aeaa59f536eee6c008e3ffbcf56d': RequestError [HttpError]: Resource not accessible by integration

Make the error message more user friendly, including suggestions on how to remedy.

Possibly also allow the workflow to continue with reduced functionality.

Why is this needed?

As documented in the README Automatic PR number and URL detection, if the GITHUB_TOKEN is set when recording to Cypress Cloud, PR information is extracted.

Restrictive permissions for the GITHUB_TOKEN can however have been set in the enterprise, organization, repository or workflow which prevent this working.

Users are sometimes confronted with this error and do not know what to do.

Other

Related issues

• Auto-Detect PR error on Workflow dispatch, resource not accessible #1208

[MikeMcC399]

This is a topic for the Cypress Cloud team.

[VolodymyrSmahliuk]

I'm not sure where to publish my findings, but this issue seems to be related.

When working with Cypress Test in Parallel mode, we faced the permissions issue. I'm going to list the error and appropriate permissions to fix

(FYI, we have the next GitHub Repository Workflow permissions)

---

The basic GitHub Actions permissions were:

permissions:
  id-token: write # This is required for requesting the JWT (OIDC with AWS)
  contents: read # This is required for actions/checkout

We get the Resource not accessible by integration ERROR with additional context:

Unable to fetch related PR data for commit: 'xxx':  RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/cypress-io/github-action/v6/dist/index.js:41021:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async detectPrNumber (/home/runner/work/_actions/cypress-io/github-action/v6/dist/index.js:98218:22)
    at async runTests (/home/runner/work/_actions/cypress-io/github-action/v6/dist/index.js:98489:3) {
  status: 403,

headers: {
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'pull_requests=read',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
}

According to the GitHub headers (which are extremely informative) the fix was adding the pull-requests: read permission:

permissions:
  id-token: write # This is required for requesting the JWT (OIDC with AWS)
  contents: read # This is required for actions/checkout
  pull-requests: read # This is required for Cypress run

After that, the same ERROR, but no context in the logs anymore

After some investigation by updating the permissions, I found the required one (actions: write):

permissions:
  id-token: write # This is required for requesting the JWT (OIDC with AWS)
  contents: read # This is required for actions/checkout
  pull-requests: read # This is required for Cypress run
  actions: write # This is required for Cypress run

Now I have the job result

I hope it will help to anyone 🎉

PS: let's like the #1273 Issue to provide documentation update!

[MikeMcC399]

@VolodymyrSmahliuk

I'm not sure where to publish my findings, but this issue seems to be related.

• Thank you for your detailed description. Would you like to move (or copy) your post to Document GITHUB_TOKEN settings - Cypress Cloud recording #1273?