
Comments (15)

JamesMGreene avatar JamesMGreene commented on June 19, 2024 2

Back on topic, is there any place to track the status of this security bug so I can know when a decision is made one way or another?

There is not, as we keep security vulnerabilities close to the vest until they're fully addressed. However, I had already added a note into our internal issue to post an update here once we proceed. 📝

from configure-pages.

JamesMGreene avatar JamesMGreene commented on June 19, 2024 1

Unfortunately, we needed to disable this functionality -- hopefully just temporarily 🤞🏻 -- due to a security bug bounty. 🛡️

We have a task in our backlog to investigate what it would take to reenable this. If we can't, we will cut a new major version bump of this Action to remove the enablement functionality.


JamesMGreene avatar JamesMGreene commented on June 19, 2024 1

Definitely off-topic. 😅 In the future, probably create a new discussion on the community forums: https://github.com/community/community/discussions


The Actions-provided GITHUB_TOKEN is locked down a bit, so even with permissions: write-all, it isn't going to give you anything beyond the allowed categories mentioned here:
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview

You'll notice there is no equivalent to the category you're wanting to modify, e.g. you're wanting something like administration: write|read|none.

You could create your own GitHub App if you want to work with extra APIs like that, otherwise you can always use a Personal Access Token to act as a user instead of using GITHUB_TOKEN. 🤷🏻‍♂️


vincerubinetti avatar vincerubinetti commented on June 19, 2024

Thanks for the response, could you elaborate more on that? Is the security bug only with this action, or is it something larger? Because I'm also getting this error on github.rest.repos.update and await github.rest.repos.replaceAllTopics.

Is this documented or noted anywhere what systems are limited?


JamesMGreene avatar JamesMGreene commented on June 19, 2024

Is the security bug only with this action, or is it something larger?

The security bug was specifically about allowing GitHub Apps (including the Actions' GITHUB_TOKEN) to create and delete Pages sites.

As for better understanding the permissions and limitations applied to GitHub Apps for accessing certain REST API resources, this documentation is probably your best bet:
https://docs.github.com/en/rest/overview/permissions-required-for-github-apps

In the Pages section of that page, you can see the REST API endpoints for creating and deleting Pages sites are currently omitted.


vincerubinetti avatar vincerubinetti commented on June 19, 2024

Thank you for the clarification. I'll keep an eye on this for enabling Pages automatically.

Could you comment on my other issue though? On that permissions page you linked, the "updating a repo" endpoint is still there:

https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#administration

PATCH /repos/:owner/:repo (write)

Which seems to be failing when run from an Action (which have write permissions enabled by default). Are you sure there's not some wider disabling going on here?

Sorry if this is off-topic, but I also don't know where I would even report/ask about something like this. It also seems like it might not be a coincidence and unexpectedly related to this issue.


vincerubinetti avatar vincerubinetti commented on June 19, 2024

Sorry for being off topic, I should've thought to post in the general discussions. I was very much misunderstanding the distinction between Actions permissions and the API as a whole. I've created a discussion here for anyone interested: community/community#40279


Back on topic, is there any place to track the status of this security bug so I can know when a decision is made one way or another?


JamesMGreene avatar JamesMGreene commented on June 19, 2024

โ„น๏ธ We were able to partially re-enable REST APIs to create and/or delete a Pages site, but ONLY for user-to-server tokens (e.g. Personal Access Tokens or OAuth tokens). As such, it still won't work with the GITHUB_TOKEN provided by an Actions workflow/job run.

I'll update this Action soon to change the default behavior to NOT attempt to create/enable the Pages site if it's missing.


Update:
PR:


JamesMGreene avatar JamesMGreene commented on June 19, 2024

Apologies, slight clarification: you can now also use server-to-server App tokens again as well but ONLY if they have been granted both the administration:write and pages:write permissions for the relevant repository.

The GITHUB_TOKEN provided by Actions is not capable of being granted administration:write, so that will continue to be an invalid option.

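The permission model described in the two comments above (GITHUB_TOKEN only covers the documented job-permission categories, has no administration scope, and therefore cannot create a Pages site, while a user-to-server token can) translates into a least-privilege deployment workflow. The workflow below is an added example written for this page; it is not code from the configure-pages project or from anyone in this thread. It assumes the repository's Pages source has already been switched to "GitHub Actions" in the repository settings, so the configure step only reads the existing site and needs nothing beyond the default token. The secret name PAGES_PAT is taken from this thread; the claim that a classic PAT used for this purpose needs the repo scope is an assumption about the Pages REST API, not something the thread states.

```yaml
name: Deploy static content to Pages

on:
  push:
    branches: ["main"]
  workflow_dispatch:

# Least privilege: grant only the categories the Pages deployment needs.
# There is deliberately no "administration" entry, because GITHUB_TOKEN
# cannot be granted that scope; "permissions: write-all" would not add it.
permissions:
  contents: read
  pages: write
  id-token: write

# One deployment at a time; never cancel an in-progress deploy.
concurrency:
  group: "pages"
  cancel-in-progress: false

jobs:
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Assumes Settings -> Pages -> Source is already "GitHub Actions".
      # The step then only reads the site; the default GITHUB_TOKEN suffices.
      - name: Setup GitHub Pages
        uses: actions/configure-pages@v3
        # Only if the site must be created by the workflow itself: pass a
        # user-to-server token stored as a repository secret. Treat it as a
        # privileged credential (assumption: classic PAT with the repo scope),
        # scope it to this one repository, and rotate it.
        # with:
        #   token: ${{ secrets.PAGES_PAT }}

      - name: Upload artifact
        uses: actions/upload-pages-artifact@v2
        with:
          path: "."

      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v2
```

Keeping the `permissions:` block explicit at the top of the file is the check a reviewer wants: any later attempt to widen it to `write-all` shows up in the diff, and it documents that no token in this workflow can change repository administration settings.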

acdoussan avatar acdoussan commented on June 19, 2024

Should y'all update https://github.com/actions/starter-workflows/blob/main/pages/static.yml to reflect this, seeing as it's been ~2 months and this is still an issue?

Not totally clear what the proper way to set this up is at the moment, could y'all maybe provide an example .yml using a classic PAT, as well as which permissions the PAT needs?


acdoussan avatar acdoussan commented on June 19, 2024

I created a classic PAT with all permissions, set it as an env secret as PAGES_PAT, and updated my yml to look like the following.

      - name: Setup GitHub Pages
        uses: actions/configure-pages@v3
        # https://github.com/actions/configure-pages/issues/40
        with:
          token: ${{ secrets.PAGES_PAT }}

and I'm getting this as output

Warning: Get Pages site failed
Error: Create Pages site failed
Error: AxiosError: Request failed with status code 401


acdoussan avatar acdoussan commented on June 19, 2024

Is there a way this step can be skipped / removed?

https://github.com/actions/starter-workflows/blob/main/pages/jekyll.yml doesn't use this action. I take this back, it does, on line 41.

The question still stands, can I manually set up pages and then not need this step?


acdoussan avatar acdoussan commented on June 19, 2024
The question still stands, can I manually set up pages and then not need this step?

The short answer is yes, if you go to settings -> pages and change the source drop-down to GitHub actions, this step will pass without needing a custom token / extra changes.


JamesMGreene avatar JamesMGreene commented on June 19, 2024

@acdoussan Part of what you described was actually a bug that I introduced with enablement in the v3 version of this Action. My apologies, and thanks for pointing it out! 🙇🏻

See #50, v3.0.1, and the latest v3 tag for the fix that will prevent the Action from trying to enable the Pages site (and literally always failing) by default if it doesn't already exist.


acdoussan avatar acdoussan commented on June 19, 2024

All good, glad it's fixed! Hopefully, the manual step helps anyone else who comes stumbling along 😃.
