Actions-ecosystem/action-remove-labels fails "Resource not accessible by integration"


I am able to trigger a job only when a particular label gets added to the pull request.

As first step I would like to remove the label.

This is the workflows file:

name: Setup with Vagrant on Packet
    types: [labeled]

    if: contains(github.event.pull_request.labels.*.name, 'ci-check/vagrant-setup')
    runs-on: self-hosted
    - uses: actions-ecosystem/action-remove-labels@v1
        github_token: ${{ secrets.github_token }}
        labels: ci-check/vagrant-setup
    - name: Checkout
      uses: actions/checkout@v2
    - name: Vagrant Test
      run: |
        export VAGRANT_DEFAULT_PROVIDER="virtualbox"
        go test -v ./test/_vagrant

And this is the output I get from the actions-ecosystem/action-remove-labels@v1 step:

2020-07-23T13:51:36.8848935Z ##[group]Run actions-ecosystem/action-remove-labels@v1
2020-07-23T13:51:36.8849248Z with:
2020-07-23T13:51:36.8849902Z   github_token: ***
2020-07-23T13:51:36.8850086Z   labels: ci-check/vagrant-setup
2020-07-23T13:51:36.8850285Z   repo: tinkerbell/tink
2020-07-23T13:51:36.8850456Z ##[endgroup]
2020-07-23T13:51:38.0240570Z ##[error]HttpError: Resource not accessible by integration
2020-07-23T13:51:38.0243953Z ##[error]Resource not accessible by integration


The PR comes from a fork and I think the GITHUB_TOKEN only has read permission if workflows comes from a fork.

So I created a new personal access token and I place it as a secret, and I have updated my step:

    - uses: actions-ecosystem/action-remove-labels@v1
        github_token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
        labels: ci-check/vagrant-setup

Now the error I get is:

 Input required and not supplied: github_token

Probably because the secret is empty probably because of this doc

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

Not sure how to get around it :tired_face: This is an open source project, people will mainly contribute via FORK and that’s why we are using a label as a gatekeeper to trigger a particular action


As the docs has mentioned, when a workflow is triggered from a forked repository:

  1. With the exception of GITHUB_TOKEN, secrets are not passed to the runner.

  2. The GITHUB_TOKEN only has β€˜read’ permission. For more information, see β€œPermissions for the GITHUB_TOKEN”.

If you want the action β€˜actions-ecosystem/action-remove-labels@v1’ you are using in your workflow can remove labels from the pull request, the token used to authenticate must have the β€˜write’ permission for pull request in the repository.
However, as mentioned above, due to the workflow is triggered from a forked repository, there is not any available and safe way to pass the token which has the β€˜write’ permission to the runner.

There is a good news is that the appropriate engineering team is planing to add an option β€œSend secrets to pull request workflows from forks” to the settings for Actions permissions.
This option will allow the owners and administrators to decide whether to pass secrets to the runner when the workflow is triggered from a forked repository.
This feature may be released recently. You can follow the GitHub Changelog to view the release of latest features.

1 Like