Unable to update status at url via Github App #3285

Open
pomcho555 opened this issue Mar 31, 2023 · 12 comments
Labels
bug Something isn't working Stale

Comments

@pomcho555

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

I set up an Atlantis bot with a GitHub App. The bot posts comments on my PR, but it can't update commit statuses. I allowed the necessary permissions defined in the documentation. I think that's enough to update statuses.

Am I missing something?

Reproduction Steps

I deployed Atlantis via the official Fargate module:

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"
  version = "~> 3.0"

  name = "atlantis"

  # VPC
  cidr            = "10.20.0.0/16"
  azs             = ["us-west-2a", "us-west-2b", "us-west-2c"]
  private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"]
  public_subnets  = ["10.20.101.0/24", "10.20.102.0/24", "10.20.103.0/24"]

  # DNS (without trailing dot)
  route53_zone_name = "atlantis.example.com"

  # Atlantis
  atlantis_github_app_id  = "xxxxxx"
  atlantis_github_app_key = data.local_file.secret_key.content
  atlantis_repo_allowlist = ["github.com/omajinaiHouse/*"]

  atlantis_github_webhook_secret = "xxxxxxx"
}

Added permissions for my GitHub App:

  • Administration: Read-only
  • Checks: Read and Write
  • Commit statuses: Read and Write
  • Contents: Read and Write
  • Issues: Read and Write
  • Metadata: Read-only
  • Pull requests: Read and Write
  • Webhooks: Read and Write
  • Members: Read-only

Logs

{
    "level": "error",
    "ts": "2023-03-31T05:26:24.851Z",
    "caller": "vcs/instrumented_client.go:210",
    "msg": "Unable to update status at url: , error: POST https://api.github.com/repos/omajinaiHouse/test-atlantis/statuses/xxxxxxxxx: 403 Resource not accessible by integration []",
    "json": {
        "repository": "omajinaiHouse/test-atlantis",
        "pull-num": "1"
    }
}

Environment details

As I mentioned above, I used the default configuration of the module.

Additional Context

I also have the same issue when rolling my own deployment on EC2 with systemd. I think this issue isn't in the Terraform module.

Furthermore, I made a test bench for the investigation as a public repository; you can see the actual behavior of the bot by browsing the PR.

omajinaiHouse/test-atlantis#1

@pomcho555 pomcho555 added the bug Something isn't working label Mar 31, 2023
@ovceev

ovceev commented Apr 5, 2023

I have the same situation.

I noticed that when Atlantis tries to update statuses, it hits https://api.github.com/repos/org/repo/statuses/master. I assume it wants to update commit statuses here, and it has read/write permissions on those, but I'm still getting 403 Resource not accessible by integration, which does not sound like a lack of permissions.

The GitHub API docs say that /repos/{owner}/{repo}/statuses/{sha} is the endpoint for updating statuses, but Atlantis is trying to hit /repos/{owner}/{repo}/statuses/{branch}. Maybe that's the root cause of this?

I opened a thread in the community about this issue, JFYI.

@nitrocode
Member

nitrocode commented Apr 5, 2023

This is where the GitHub client updates the status; it uses pull.HeadCommit as the ref:

func (g *GithubClient) UpdateStatus(repo models.Repo, pull models.PullRequest, state models.CommitStatus, src string, description string, url string) error {
	ghState := "error"
	switch state {
	case models.PendingCommitStatus:
		ghState = "pending"
	case models.SuccessCommitStatus:
		ghState = "success"
	case models.FailedCommitStatus:
		ghState = "failure"
	}
	status := &github.RepoStatus{
		State:       github.String(ghState),
		Description: github.String(description),
		Context:     github.String(src),
		TargetURL:   &url,
	}
	_, _, err := g.client.Repositories.CreateStatus(g.ctx, repo.Owner, repo.Name, pull.HeadCommit, status)
	return err
}

Here is the client.Repositories.CreateStatus function header in the upstream library:

https://github.com/google/go-github/blob/c96ba417f7b022bee92bc04d831e89fd9fc70edc/github/repos_statuses.go#L74-L88

If we need to use the branch:

type PullRequest struct {
	// Num is the pull request number or ID.
	Num int
	// HeadCommit is a sha256 that points to the head of the branch that is being
	// pull requested into the base. If the pull request is from Bitbucket Cloud
	// the string will only be 12 characters long because Bitbucket Cloud
	// truncates its commit IDs.
	HeadCommit string
	// URL is the url of the pull request.
	// ex. "https://github.com/runatlantis/atlantis/pull/1"
	URL string
	// HeadBranch is the name of the head branch (the branch that is getting
	// merged into the base).
	HeadBranch string
}

We can use pull.HeadBranch instead. Perhaps we need logic to check if it's a non-GitHub App setup and use the HeadCommit, and if it's using the GitHub App use the HeadBranch? Or perhaps the latter works for both?

It would be ideal to have a pull request with adequate unit tests and validation from the author (and/or others) who has tested both scenarios end to end.

@GenPage
Member

GenPage commented Apr 21, 2023

@pomcho555 @ovceev Are you still having issues with the latest release? We reverted a feature in #3321 that was causing errors like 403 Resource not accessible by integration [].

@pomcho555
Author

pomcho555 commented Jun 8, 2023

@GenPage
Thanks for the fix. I upgraded Atlantis to 0.24.2. However, I still get this error.

@pomcho555
Author

pomcho555 commented Jun 8, 2023

Apart from this bug, I suggest this function have a feature that prints a debug log of the GitHub API request, so that we could easily debug the actual request payload, as long as it doesn't show sensitive info.
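A small Go example, added here and not code from Atlantis or go-github, tying together nitrocode's point that CreateStatus is keyed on the head commit SHA and pomcho555's request for a debug log of the request: it refuses a branch name as the ref, renders the request with the installation token redacted, and maps the 403 text from the logs above to the permission and installation checks to make next. The helper names, the placeholder token and the all-"a" SHA are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Constructed example, not Atlantis code. The statuses endpoint is keyed on a
// full commit SHA, never a branch name, and debug output must not leak the token.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// NewStatusRequest builds the POST that a CreateStatus call issues, refusing
// refs that are not 40-hex commit SHAs so a branch like "master" never reaches
// the API. Hypothetical helper; the token is a caller-supplied placeholder.
func NewStatusRequest(owner, repo, ref, token string, body []byte) (*http.Request, error) {
	if !fullSHA.MatchString(ref) {
		return nil, fmt.Errorf("ref %q is not a 40-hex commit sha; pass the PR head commit", ref)
	}
	target := fmt.Sprintf("https://api.github.com/repos/%s/%s/statuses/%s", owner, repo, ref)
	req, err := http.NewRequest(http.MethodPost, target, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

// DebugLine renders the request for a debug log with the bearer token redacted.
func DebugLine(req *http.Request) string {
	auth := req.Header.Get("Authorization")
	if auth != "" {
		auth = "Bearer <redacted>"
	}
	return fmt.Sprintf("%s %s authorization=%q", req.Method, req.URL.String(), auth)
}

// ExplainStatusError maps the API error text seen in this issue to the next check.
func ExplainStatusError(msg string) string {
	if strings.Contains(msg, "Resource not accessible by integration") {
		return "403 from an app token: the installation is missing a permission " +
			"(Commit statuses: write, or the organization read access noted in " +
			"this thread) or the app is not installed on this repository"
	}
	return "unclassified: log the redacted request and the response body"
}
```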

@ovceev

ovceev commented Sep 14, 2023

On 0.25.0 the issue still persists :(

403 Resource not accessible by integration []

@jamengual
Contributor

jamengual commented Sep 14, 2023 via email

@ovceev

ovceev commented Sep 18, 2023

Set these permissions and still got the error :(

@ovceev

ovceev commented Sep 19, 2023

Update: after one day we see some progress here.
Looks like enabling org read access fixes the issue.
Will continue monitoring.

@ovceev

ovceev commented Sep 19, 2023

  • pre-workflow hooks are working (we were prevented from using them because of the error)
  • 0 update status PR errors

The issue is gone for me, thank you so much guys.

@jamengual
Contributor

jamengual commented Sep 20, 2023 via email

@ovceev

ovceev commented Sep 20, 2023

Not really, the org permissions above are not listed here:
https://www.runatlantis.io/docs/access-credentials.html#github-app

@dosubot dosubot bot added the Stale label Oct 8, 2024