From 3414e143d4599bd420e2ac71b60eaf952ca8e65c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 May 2025 13:24:43 +0000 Subject: [PATCH 1/3] Initial plan for issue From 49670d171730df8764862fada55b8665a6495ad1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 May 2025 13:27:27 +0000 Subject: [PATCH 2/3] Update workflow permissions and add detailed documentation Co-authored-by: DonnieBLT <128622481+DonnieBLT@users.noreply.github.com> --- .github/README.md | 55 +++++++++++++++++++ .github/workflows/add-files-changed-label.yml | 15 ++++- 2 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 .github/README.md diff --git a/.github/README.md b/.github/README.md new file mode 100644 index 0000000000..c5ff53d7bf --- /dev/null +++ b/.github/README.md 
@@ -0,0 +1,55 @@ +# GitHub Actions Configuration + +This directory contains GitHub Actions workflows used for automating various tasks in the BLT project. + +## Setting Up Custom GitHub Token + +For some workflows like adding labels to issues and pull requests, you may need to set up a custom GitHub token with elevated permissions. + +### Why Custom Token? + +The default `GITHUB_TOKEN` provided by GitHub Actions has certain permission limitations. For operations like creating labels or adding labels to issues and PRs, we recommend using a Personal Access Token (PAT) with appropriate permissions. + +### Creating a Custom GitHub Token + +1. Go to your GitHub account settings +2. Navigate to Developer settings > Personal Access Tokens > Fine-grained tokens +3. Click "Generate new token" +4. Provide a suitable name like "BLT Workflow Token" +5. Set the expiration as needed +6. For repository access, select "Only select repositories" and choose the BLT repository +7. Under permissions, grant the following: + - Repository permissions: + - Issues: Read and write + - Pull requests: Read and write + - Contents: Read and write + - Metadata: Read-only (automatically selected) + +8. Click "Generate token" and copy the token value + +### Adding the Token to GitHub Secrets + +1. Go to the BLT repository on GitHub +2. Navigate to Settings > Secrets and variables > Actions +3. Click "New repository secret" +4. Name it `CUSTOM_GITHUB_TOKEN` +5. Paste the token value and click "Add secret" + +### Using the Custom Token + +The workflows are configured to use `CUSTOM_GITHUB_TOKEN` if available, falling back to the default `GITHUB_TOKEN` if not. + +Example usage in workflow: +```yaml +env: + GITHUB_TOKEN: ${{ secrets.CUSTOM_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} +``` + +## Troubleshooting + +If you encounter permission errors like `Resource not accessible by integration`, it's likely that: +1. The token doesn't have the necessary permissions +2. The token has expired +3. 
The workflow permissions at the top of the .yml file need to be adjusted + +Review the permissions in both your custom token and at the workflow level to resolve such issues. \ No newline at end of file diff --git a/.github/workflows/add-files-changed-label.yml b/.github/workflows/add-files-changed-label.yml index 165b37d850..d9fce33e56 100644 --- a/.github/workflows/add-files-changed-label.yml +++ b/.github/workflows/add-files-changed-label.yml @@ -11,6 +11,7 @@ permissions: pull-requests: write contents: read issues: write + repository-projects: write jobs: add_files_changed_label: @@ -88,6 +89,12 @@ jobs: # Check if label creation was successful if [[ "$CREATE_LABEL_RESPONSE" == *"message"* ]]; then echo "Warning: There might be an issue creating the label. Response: $CREATE_LABEL_RESPONSE" + + # Provide more detailed guidance for permission errors + if [[ "$CREATE_LABEL_RESPONSE" == *"Resource not accessible by integration"* ]]; then + echo "This appears to be a permissions issue with creating labels." + echo "Please check the .github/README.md file for instructions on setting up a CUSTOM_GITHUB_TOKEN with proper permissions." + fi else echo "Label '$LABEL' created successfully." fi 
@@ -144,8 +151,12 @@ jobs: # Check if it's a permissions issue and suggest using a custom token if [[ "$ADD_LABEL_RESPONSE" == *"Resource not accessible by integration"* ]]; then - echo "This appears to be a permissions issue. Please configure a CUSTOM_GITHUB_TOKEN secret with higher permissions." - echo "See the .github/README.md file for instructions on setting up the token." + echo "This appears to be a permissions issue. Please follow these steps:" + echo "1. Create a Personal Access Token (PAT) with 'repo' scope" + echo "2. Add the token to your repository secrets as CUSTOM_GITHUB_TOKEN" + echo "3. See the .github/README.md file for detailed instructions on setting up the token" + echo "" + echo "Note: The workflow is configured to use CUSTOM_GITHUB_TOKEN if available, falling back to GITHUB_TOKEN" fi exit 1 From 9e303ca0f77ea54ccb339718480ee80d77ae685b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 May 2025 13:28:57 +0000 Subject: [PATCH 3/3] Finalize documentation with additional permission details Co-authored-by: DonnieBLT <128622481+DonnieBLT@users.noreply.github.com> --- .github/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/README.md b/.github/README.md index c5ff53d7bf..dcb204182f 100644 --- a/.github/README.md +++ b/.github/README.md @@ -23,6 +23,7 @@ The default `GITHUB_TOKEN` provided by GitHub Actions has certain permission lim - Issues: Read and write - Pull requests: Read and write - Contents: Read and write + - Administration: Read and write (needed for label management) - Metadata: Read-only (automatically selected) 8. Click "Generate token" and copy the token value 
@@ -52,4 +53,8 @@ If you encounter permission errors like `Resource not accessible by integration` 2. The token has expired 3. The workflow permissions at the top of the .yml file need to be adjusted +For label-related operations specifically: +1. Ensure your CUSTOM_GITHUB_TOKEN has "Administration: Read and write" permissions +2. Make sure the workflow has `repository-projects: write` permission as well as other necessary permissions + Review the permissions in both your custom token and at the workflow level to resolve such issues. \ No newline at end of file
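Review bot: In the new `.github/README.md` (PATCH 2/3), step 7 of "Creating a Custom GitHub Token" grants the PAT `Contents: Read and write`, while the workflow this token feeds declares only `contents: read` in its own `permissions:` block. Labeling needs no write access to repository contents, so the documented token is broader than the job it stands in for. Suggest `Contents: Read-only` here, and a concrete short expiration in step 5 instead of "as needed", since the value is stored as a long-lived repository secret.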
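Review bot: In `add-files-changed-label.yml`, the `permissions:` hunk adds `repository-projects: write`, which covers repository project boards and has no bearing on the label endpoints; creating and applying labels is governed by the `issues: write` and `pull-requests: write` entries already present. The extra permission widens the default `GITHUB_TOKEN` without addressing `Resource not accessible by integration`, so suggest dropping the line, along with the README troubleshooting step in PATCH 3/3 that tells readers to add it.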
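Review bot: In the `@@ -144,8 +151,12 @@` hunk of `add-files-changed-label.yml`, the new step 1 message tells users to create a PAT "with 'repo' scope", which is a classic-token scope granting full repository access, while `.github/README.md` in this same patch walks through a fine-grained token restricted to the BLT repository. The two instructions conflict, and the log message is the one a user hits first. Suggest wording it as a fine-grained token with Issues and Pull requests read/write and leaving the detail to the README.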
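Review bot: In PATCH 3/3, the `@@ -23,6 +23,7 @@` hunk of `.github/README.md` adds `Administration: Read and write (needed for label management)`, but on a fine-grained token the label endpoints are covered by the Issues or Pull requests write permission already listed above it. Administration governs repository settings and access management, so a leaked `CUSTOM_GITHUB_TOKEN` would carry far more than labeling rights. Suggest removing this line and the matching "Ensure your CUSTOM_GITHUB_TOKEN has "Administration: Read and write" permissions" step in the hunk that follows.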