Error: Resource not accessible by integration when tagging old commit

[petetaxi-test]

I have an action which is triggered through the GitHub UI, which takes a commit_id as a parameter.

If I specify the latest commit in the repo, the action runs fine.

However, if I specify the commit before (or any previous commit) the tag step fails with an error "Resource not accessible by integration". I understand this is normally a permission problem, but my workflow has full write permissions (and also, what is the different with older commits?).

The behaviour is the same for both lightweight and annotated tags.

on:
  workflow_dispatch:
    inputs:
      commit_id:
        description: The id of the commit to create a release from
        required: true
      custom_version:
        description: The version number tag. Omit to bump from the previous version.

name: Create Release
permissions: write-all

jobs:
  create_release:
    name: Create Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Bump version and push tag
        id: tag_version
        uses: mathieudutour/github-tag-action@v6.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          custom_tag: ${{ github.event.inputs.custom_version }}
          commit_sha: ${{ github.event.inputs.commit_id }}
          create_annotated_tag: true

Output from the action is as follows.

Run mathieudutour/github-tag-action@v6.0
  with:
    github_token: ***
    commit_sha: f52348cda805f90c7baa6ae6c25ffd641f7a88bb
    create_annotated_tag: true
    default_bump: patch
    default_prerelease_bump: prerelease
    tag_prefix: v
    release_branches: master,main
    fetch_all_tags: false
    dry_run: false
Previous tag was v0.1.1, previous version was 0.1.1.
Analysis of 0 commits complete: no release
New version is 0.1.2.
New tag after applying prefix is v0.1.2.
Changelog is ### REDACTED
.
Error: Resource not accessible by integration

Debug logging shows the following (some parts omitted).

...
::set-output name=new_tag::v0.1.2
##[debug]steps.tag_version.outputs.new_tag='v0.1.2'
Changelog is ### *** REDACTED
##[debug]
##[debug]'
##[debug]Creating annotated tag.
##[debug]Pushing new tag to the repo.
Error: Resource not accessible by integration
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Bump version and push tag

[petetaxi-test]

Update: the action completes successfully if the specified commit is the HEAD of any branch, and fails if it is not. That is unclear, as the branch isn't mentioned in the parameters to the action, or the error message.

[lsalehar]

We have the same issue.

[robbienohra]

I'm experiencing the same issue

Looks like it actually worked for me when using a PAT as opposed to the baked in GITHUB_TOKEN secret 🤔

[jrgoldfinemiddleton]

One brute-force approach you can use is to ensure the default GITHUB_TOKEN has "read and write" access in your repo.

[JMaio]

following the approach on this docs page with the permissions statement fixed this issue for me
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#example-2-calling-the-rest-api

...
jobs:
  build:
    permissions:
      contents: write
...

Failed run: https://github.com/JMaio/actions-playground/actions/runs/4153264354
After updating: https://github.com/JMaio/actions-playground/actions/runs/4153296606