Note
This troubleshooting article is only relevant if you're seeing this error with Dependabot. If you see this error with other GitHub products and have difficulty troubleshooting it, you can contact GitHub Support. For more information, see "Contacting GitHub Support."
About this error
403: Resource not accessible by integration
Dependabot is considered untrusted when it triggers a workflow run, if the workflow will run with read-only scopes.
Confirming the cause of the error
If you're using Dependabot in your code scanning workflow, investigate the scope it's using.
Uploading code scanning results for a branch usually requires the security-events: write
scope. However, code scanning always allows the uploading of results when the pull_request
event triggers the action run. This is why, for Dependabot branches, we recommend you use the pull_request
event instead of the push
event.
Fixing the problem
You can run on pushes to the default branch and any other important long-running branches, as well as pull requests opened against this set of branches:
on:
push:
branches:
- main
pull_request:
branches:
- main
Alternatively, you can run on all pushes except for Dependabot branches:
on:
push:
branches-ignore:
- 'dependabot/**'
pull_request:
For more information about editing the CodeQL workflow file, see "Customizing your advanced setup for code scanning."
Analysis still failing on the default branch
If the CodeQL analysis workflow still fails on a commit made on the default branch, you need to check:
- whether Dependabot authored the commit
- whether the pull request that includes the commit has been merged using
@dependabot squash and merge
This type of merge commit is authored by Dependabot and therefore, any workflows running on the commit will have read-only permissions. If you enabled code scanning and Dependabot security updates or version updates on your repository, we recommend you avoid using the Dependabot @dependabot squash and merge
command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see "Automatically merging a pull request."