permission issue while using publish-test-result action

[harshvsingh-eaton]

I am having a matrix run for 3 tests.
We have 3 files.

1. composite action file, that is our pytest composite file, which is calling in the workflow name build-flash-test.yml
2. workflow file build-flash-test.yml contains the steps for building flashing and testing, which is used by our main workflow file name bft-devicename.yml
3. bft-devicename.yml contain the matrix for 3 tests.

question,

1. when using publish-test-result in the composite file ( mentioned in the point 1) having a permission issue, we have given persmisson in the both bft-devicename.yml workflow as well as the build-flash-test.yml workflow. SO we can use publish-test-result in the composite action ?
2. Also when we using publish-test-result Isolating composite action from your workflow , we are getting error of
   \ERROR: Failed building wheel for lxml AND error: Microsoft Visual C++ 14.0 or greater is required.
   tried all the possible solution from internet the error is same.

with:
  root_log_level: DEBUG
  log_level: DEBUG

[EnricoMi]

1. Yes, the required permissions have to be set either on the outermost workflow, the job calling the inner workflow, or the job that contains the publish step.
2. Unfortunately, the composite action has to compile lxml for some operating systems and Python versions. Ideally, you run the job that contains the publish step on a Linux runner. If there is no Linux runner available in your Github setup, let me know which Operating system and Python version you are using?

[harshvsingh-eaton]

I was able to solve the point 2. However stuck in the permission issue.

publish-test-results:
name: "Publish Tests Results"
needs: build_flash_test_job
runs-on: ${{ inputs.board_to_build }} #use the board to find a runner # windows-latest
# the build-and-test job might be skipped, we don't need to run this job then
if: success() || failure()
permissions:
  checks: read #write < The nested job 'Publish Tests Results' is requesting 'checks: write', but is only allowed 'checks: read'. >

  # only needed for private repository
  contents: read

  # only needed for private repository
  issues: read

  # required by download step to access artifacts API
  actions: read
steps:
  
  - name: Download Artifacts
    uses: actions/download-artifact@v3
    with:
      # name: Zephyr Pytest test_report=${{ inputs.artifact_name }}; JobAttempt=${{ github.run_attempt }}
      path: "${{ env.WORKSPACE }}/a/"

  - name: Setup Python
    uses: actions/setup-python@v4
    with:
      python-version: 3.8

  - name: Publish Test Results
    uses: EnricoMi/publish-unit-test-result-action/composite@v2
    with:
      files: "${{ env.WORKSPACE }}/a/Pytest test_report=${{ inputs.artifact_name }}; JobAttempt=${{ github.run_attempt }}/*.xml"

Even after that Getting following error :
Warning: Request POST /repos/github-workflows/check-runs failed with 403: Forbidden

[EnricoMi]

What does the GITHUB_TOKEN Permissions section of the first step in the job say? It should looks like

GITHUB_TOKEN Permissions
  Checks: write
  Metadata: read
  PullRequests: write

https://github.com/EnricoMi/publish-unit-test-result-action/actions/runs/5043152652/jobs/9044584428#step:1:16

[EnricoMi]

In your example it says:

permissions:
  checks: read #write < The nested job 'Publish Tests Results' is requesting 'checks: write', but is only allowed 'checks: read'. >

Clearly it needs write permissions for POST /repos/github-workflows/check-runs to work.

[harshvsingh-eaton]

Thankyou for the help @EnricoMi
It is working now :)

[harshvsingh-eaton]

publish-test-result is working but getting this new error.

Warning: Request GET /repos/workflows/commits/5983f82a408cf90d40dbdbd2f8ad911ea345bd78/pulls?per_page=100 failed with 403: Forbidden

[EnricoMi]

As per #448 (comment), what are the permissions reported by the first step of the job that contains the publish step?

[harshvsingh-eaton]

It's
GITHUB_TOKEN Permissions
Actions: read
Checks: write
Contents: read
Issues: read
Metadata: read

[EnricoMi]

Try adding

pull-requests: write

or at least

pull-requests: read

[harshvsingh-eaton]

your suggestion solved the problem.
but here is the next one
Warning: Request POST /repos/etn-ccis/edge-rtos-github-workflows/issues/44/comments failed with 403: Forbidden
can't figure out about the "comment" one now,

[EnricoMi]

That one requires

pull-requests: write

[harshvsingh-eaton]

Can we rename "Test Results" to something meaningful as we are publishing multiple test result in our workflow ?

[EnricoMi]

Sure: https://github.com/EnricoMi/publish-unit-test-result-action#configuration

with:
  check_name: "Test Results ${{ matrix.flavour }}"

[harshvsingh-eaton]

I tried .
with:
check_name: "Test Results ${{ matrix.flavour }}"

and it worked, but it removed the below tab.

[harshvsingh-eaton]

hey, I guess this is a bug !
we have 3 workflows , A , B, C and one composite , in composite we have that publish-test-result which is used by all those 3 workflow.
The problem here is the "test result" tab is getting adding in the workflow A only, but test is publishing in the all the A B C workflow normally but that test tab is adding in the workflow A only.

[EnricoMi]

This is a long-standing bug in the Github API, which Github is not willing to fix:
#12, https://github.com/orgs/community/discussions/24616

[EnricoMi]

Looks like this is fixed.