Throws a "Resource not accessible by integration" error

[raisedadead]

We are seeing a "Resource not accessible by integration" when this is run. Here is our workflow file: https://github.com/freeCodeCamp/freeCodeCamp/actions/runs/2503722663/workflow

Expected Behavior

The workflow should leave a comment on the PR by a first-timer.

Current Behavior

The workflow runs error out.

Possible Solution

Not sure how to approach debugging this better.

Steps To Reproduce

Here is a run with debug logs enabled to help analyze the issue: https://github.com/freeCodeCamp/freeCodeCamp/runs/6906136489?check_suite_focus=true#step:2:31

Error Message & Stack Trace

##[debug]Evaluating condition for step: 'Run wow-actions/welcome@v1'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run wow-actions/welcome@v1
##[debug]Loading inputs
##[debug]Evaluating: secrets.GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run wow-actions/welcome@v1
  with:
    GITHUB_TOKEN: ***
    FIRST_PR_MERGED: #### :sparkles: :tada: **AWESOME!** :tada: :sparkles:
  
  Hi @{{ author }},
  
  Thanks for this pull request and for contributing to the code-base for the first time. We are looking forward to more contributions from you in the future.
  
  Cheers & happy contributing!
  
##[debug]event: pull_request
##[debug]action: closed
Error: HttpError: Resource not accessible by integration
Error: Resource not accessible by integration
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run wow-actions/welcome@v1

Additional Context

We have set up the workflow as recommended in the docs for the workflow.

Your Environment

GitHub Actions on Ubuntu 20.04

[github-actions]

Hi 👋 @raisedadead

Thanks for opening your first issue here! Be sure to follow the issue template!

[rajbos]

Hi folks, I just ran into this one as well. I think this comes from the changes that where made going from pull_request to pull_request_target, with these differences in the new triggers:

pull_request

Runs in the context of the pull_request source, so the repo that has the changes. These incoming changes might have security issues, and therefor have less authorizations: e.g. they are not allowed to write to the PR (that could potentially lead to approving the PR for example :-) ), or write to the .github/worfklows folder.
This also prevents access to any secrets that might be in the repo, as that could lead to secrets being leaked to anyone sending in a PR

pull_request_target

This setup now has full access to the repos, so it can write to PR's, has access to secrets, etc.

Next step

I'm not sure how we can create comments on the PR, without running on pull_request_target (which I do not recommend for all the security reasons above).

[rajbos]

Tagging @bubkoo and @KeisukeYamashita for visibility 😄