Create Pages site failed: Resource not accessible by integration

[vincerubinetti]

Related: actions/starter-workflows#332

The repo's actions permissions are already set to read and write by default. Also tried setting permissions: write-all on the job. Also tried triggering on push, which I could've sworn was working yesterday. Nothing is working today.

name: Perform first-time setup of repo

on: create

jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - name: Enable GitHub Pages
        uses: actions/configure-pages@v2

Run actions/configure-pages@v2
  with:
    token: ***
    enablement: true
  
Warning: Get Pages site failed
Error: Create Pages site failed
Error: AxiosError: Request failed with status code 40[3]

I also tried enabling Pages more directly with the GitHub API, and still got an error:

name: Perform first-time setup of repo

on: create

jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - name: Enable GitHub Pages
        id: url
        uses: actions/github-script@v6
        with:
          script: |
            return (await github.rest.repos.createPagesSite({
              owner: context.repo.owner,
              repo: context.repo.repo,
            })).html_url;

with:
    script: return (await github.rest.repos.createPagesSite({
    owner: context.repo.owner,
    repo: context.repo.repo,
    build_type: "legacy",
  })).html_url;
  
    github-token: ***
    debug: false
    user-agent: actions/github-script
    result-encoding: json
    retries: 0
    retry-exempt-status-codes: 400,401,40[3](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:3),[4](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:4)04,422
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/actions/github-script/v6/dist/index.js:6172:21
Error: Unhandled error: HttpError: Resource not accessible by integration
    at processTicksAndRejections (node:internal/process/task_queues:96:[5](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:5))
    at async eval (eval at callAsyncFunction (/home/runner/work/_actions/actions/github-script/v[6](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:6)/dist/index.js:13356:16), <anonymous>:3:9)
    at async main (/home/runner/work/_actions/actions/github-script/v6/dist/index.js:13452:20) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/vincerubinetti/lab-website-template/pages',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      connection: 'close',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Wed, 23 Nov 2022 02:55:23 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-media-type': 'github.v3',
      'x-github-request-id': '0402:0C51:2[7](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:7)629CE:507BEC5:637D[8](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:8)B[9](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:9)B',
      'x-ratelimit-limit': '[10](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:10)00',
      'x-ratelimit-remaining': '999',
      'x-ratelimit-reset': '1669175723',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '1',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/pages#create-a-github-pages-site'
    }
  },
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/vincerubinetti/lab-website-template/pages',
    headers: {
      accept: 'application/vnd.github.-preview+json',
      'user-agent': 'actions/github-script octokit-core.js/3.6.0 Node.js/16.[13](/~https://github.com/vincerubinetti/lab-website-template/actions/runs/3528824640/jobs/5919310323#step:2:13).0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"build_type":"legacy"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}

[JamesMGreene]

Unfortunately, we needed to disable this functionality -- hopefully just temporarily 🤞🏻 -- due to a security bug bounty. 🛡️

We have a task in our backlog to investigate what it would take to reenable this. If we can't, we will cut a new major version bump of this Action to remove the enablement functionality.

[vincerubinetti]

Thanks for the response, could you elaborate more on that? Is the security bug only with this action, or is it something larger? Because I'm also getting this error on github.rest.repos.update and await github.rest.repos.replaceAllTopics.

Is this documented or noted anywhere what systems are limited?

[JamesMGreene]

Is the security bug only with this action, or is it something larger?

The security bug was specifically about allowing GitHub Apps (including the Actions' GITHUB_TOKEN) to create and delete Pages sites.

As for better understanding the permissions and limitations applied to GitHub Apps for accessing certain REST API resources, this documentation is probably your best bet:
https://docs.github.com/en/rest/overview/permissions-required-for-github-apps

In the Pages section of that page, you can see the REST API endpoints for creating and deleting Pages sites are currently omitted.

[vincerubinetti]

Thank you for the clarification. I'll keep an eye on this for enabling Pages automatically.

Could you comment on my other issue though? On that permissions page you linked, the "updating a repo" endpoint is still there:

https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#administration

PATCH /repos/:owner/:repo (write)

Which seems to be failing when run from an Action (which have write permissions enabled by default). Are you sure there's not some wider disabling going on here?

Sorry of this is off-topic, but I also don't know where I would even report/ask about something like this. It also seems like it might not be a coincidence and unexpectedly related to this issue.

[JamesMGreene]

Definitely off-topic. 😅 In the future, probably create a new discussion on the community forums: /~https://github.com/community/community/discussions

---

The Actions-provided GITHUB_TOKEN is locked down a bit, so even with permissions: write-all, it isn't going to give you anything beyond the allowed categories mentioned here:
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview

You'll notice there is no equivalent to the category you're wanting to modify, e.g. you're wanting something like administration: write|read|none.

You could create your own GitHub App if you want to work with extra APIs like that, otherwise you can always use a Personal Access Token to act as a user instead of using GITHUB_TOKEN. 🤷🏻‍♂️

[vincerubinetti]

Sorry for being off topic, I should've thought to post in the general discussions. I was very much misunderstanding the distinction between Actions permissions and the API as a whole. I've created a discussion here for anyone interested: community/community#40279

---

Back on topic, is there any place to track the status of this security bug so I can know when a decision is made one way or another?

[JamesMGreene]

Back on topic, is there any place to track the status of this security bug so I can know when a decision is made one way or another?

There is not, as we keep security vulnerabilities close to the vest until they're fully addressed. However, I had already added a note into our internal issue to post an update here once we proceed. 📝

[JamesMGreene]

ℹ️ We were able to partially re-enable REST APIs to create and/or delete a Pages site, but ONLY for user-to-server tokens (e.g. Personal Access Tokens or OAuth tokens). As such, it still won't work with the GITHUB_TOKEN provided by an Actions workflow/job run.

I'll update this Action soon to change the default behavior to NOT attempt to create/enable the Pages site if it's missing.

---

Update:
PR:

• Update default behavior to NOT attempt to create/enable the Pages site #48

[JamesMGreene]

Apologies, slight clarification: you can now also use server-to-server App tokens again as well but ONLY if they have been granted both the administration:write and pages:write permissions for the relevant repository.

The GITHUB_TOKEN provided by Actions is not capable of being granted administration:write, so that will continue to be an invalid option.

[acdoussan]

Should y'all update /~https://github.com/actions/starter-workflows/blob/main/pages/static.yml to reflect this, seeing as its been ~2 months and this is still an issue?

Not totally clear what the proper way to set this up is at the moment, could y'all maybe provide an example .yml using a classic PAT, as well as which permissions the PAT needs?

[acdoussan]

I created a classic PAT with all permissions, set in as an env secret as PAGES_PAT, and updated my yml to look like the following.

- name: Setup GitHub Pages
        uses: actions/configure-pages@v3
        # /~https://github.com/actions/configure-pages/issues/40
        with:
          token: ${{ secrets.PAGES_PAT }}

and I'm getting this as output

Warning: Get Pages site failed
Error: Create Pages site failed
Error: AxiosError: Request failed with status code 401

[acdoussan]

Is there a way this step can be skipped / removed?

/~https://github.com/actions/starter-workflows/blob/main/pages/jekyll.yml doesn't use this action. I take this back, it does, on line 41.

The question still stands, can I manually set up pages and then not need this step?

[acdoussan]

The question still stands, can I manually set up pages and then not need this step?

The short answer is yes, if you go to settings -> pages and change the source drop-down to GitHub actions, this step will pass without needing a custom token / extra changes.

[JamesMGreene]

@acdoussan Part of what you described was actually a bug that I introduced with enablement in the v3 version of this Action. My apologies, and thanks for pointing it out! 🙇🏻

See #50, v3.0.1, and the latest v3 tag for the fix that will prevent the Action from trying to enable the Pages site (and literally always failing) by default if it doesn't already exist.

[acdoussan]

All good, glad it's fixed! Hopefully, the manual step helps anyone else who comes stumbling along 😃.