Permissions failing despite correct config #610
Description
I'm getting a permissions error despite copying the permissions from your docs. What am I doing wrong here? Is my submodules config the problem?
Error:
Run py-cov-action/python-coverage-comment-action@91aaf3b39c7e2331c6bc77767ce017f5160c5f11
/usr/bin/docker run --name e9b9989b1b58f92314aa2b10871d5f9f8aad6_64220e --label 4e9b99 --workdir /github/workspace --rm -e "database_url" -e "tms_adapter_base_url" -e "clerk_app_secret_key" -e "allowed_origins" -e "openai_api_key" -e "google_api_key" -e "debug" -e "slack_users" -e "slack_webhook_url" -e "allowed_hosts" -e "bypass_auth_creds" -e "browserbase_api_key" -e "hyperbrowser_api_key" -e "browserbase_project_id" -e "api_key_signing_key" -e "hubflow_api_url" -e "screenshots_bucket_name" -e "pythonLocation" -e "PKG_CONFIG_PATH" -e "Python_ROOT_DIR" -e "Python2_ROOT_DIR" -e "Python3_ROOT_DIR" -e "LD_LIBRARY_PATH" -e "PGSERVICEFILE" -e "INPUT_GITHUB_TOKEN" -e "INPUT_GITHUB_BASE_URL" -e "INPUT_GITHUB_PR_RUN_ID" -e "INPUT_COMMENT_TEMPLATE" -e "INPUT_COVERAGE_DATA_BRANCH" -e "INPUT_COVERAGE_PATH" -e "INPUT_COMMENT_ARTIFACT_NAME" -e "INPUT_COMMENT_FILENAME" -e "INPUT_SUBPROJECT_ID" -e "INPUT_MINIMUM_GREEN" -e "INPUT_MINIMUM_ORANGE" -e "INPUT_MAX_FILES_IN_COMMENT" -e "INPUT_MERGE_COVERAGE_FILES" -e "INPUT_ANNOTATE_MISSING_LINES" -e "INPUT_ANNOTATION_TYPE" -e "INPUT_USE_GH_PAGES_HTML_URL" -e "INPUT_VERBOSE" -e "GITHUB_BASE_URL" -e "GITHUB_TOKEN" -e "GITHUB_PR_RUN_ID" -e "COMMENT_TEMPLATE" -e "COVERAGE_DATA_BRANCH" -e "COVERAGE_PATH" -e "COMMENT_ARTIFACT_NAME" -e "COMMENT_FILENAME" -e "SUBPROJECT_ID" -e "MINIMUM_GREEN" -e "MINIMUM_ORANGE" -e "MERGE_COVERAGE_FILES" -e "ANNOTATE_MISSING_LINES" -e "ANNOTATION_TYPE" -e "VERBOSE" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/hubflow-api/hubflow-api":"/github/workspace" 4e9b99:89b1b58f92314aa2b10871d5f9f8aad6
Notice: Starting action
Notice: HTTP Request: GET https://api.github.com/repos/hubflowai/hubflow-api "HTTP/1.1 200 OK"
Notice: Computing coverage files & badge
Notice: HTTP Request: GET https://img.shields.io/static/v1?label=Coverage&message=78%25&color=orange "HTTP/1.1 200 OK"
Notice: Saving coverage files
Error: Critical error. This error possibly occurred because the permissions of the workflow are set incorrectly. You can see the correct setting of permissions here: https://github.com/py-cov-action/python-coverage-comment-action#basic-usage
Otherwise please look for open issues or open one in https://github.com/py-cov-action/python-coverage-comment-action/
Traceback (most recent call last):
File "/workdir/coverage_comment/subprocess.py", line 22, in run
return subprocess.run(
^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.12/subprocess.py", line 571, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('git', 'push', 'origin', 'python-coverage-comment-action-data')' returned non-zero exit status 128.
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/workdir/coverage_comment/subprocess.py", line 65, in _git
return run(
^^^^
File "/workdir/coverage_comment/subprocess.py", line 36, in run
raise SubProcessError("\n".join([exc.stderr, exc.stdout])) from exc
coverage_comment.subprocess.SubProcessError: remote: Write access to repository not granted.
fatal: unable to access 'https://github.com/hubflowai/hubflow-api/': The requested URL returned error: 403
Config:
test:
runs-on: ubuntu-latest
permissions:
# Gives the action the necessary permissions for publishing new
# comments in pull requests.
pull-requests: write
# Gives the action the necessary permissions for pushing data to the
# python-coverage-comment-action branch, and for editing existing
# comments (to avoid publishing multiple comments in the same PR)
contents: write
steps:
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
token: ${{ secrets.PULL_TOKEN }}
submodules: true
[...]
- name: Run pytest
run: pytest -n 2 -v --exitfirst
- name: Coverage comment
uses: py-cov-action/python-coverage-comment-action@91aaf3b39c7e2331c6bc77767ce017f5160c5f11 # v3
with:
GITHUB_TOKEN: ${{ github.token }}