How to craft a Github Token?

[heitorPB]

Hello!

I'm trying to setup this action but I'm getting an error after shellcheck runs:

❌ Failed to upload the SARIF report to GitHub

But the Set up job step of the CI shows this about the token I have:

GITHUB_TOKEN Permissions
  Actions: read
  Contents: read
  Metadata: read
  SecurityEvents: write

This is the workflow file I setup:

name: Differential ShellCheck
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest

    permissions:
      # required for all workflows
      security-events: write

      # only required for workflows in private repositories
      actions: read
      contents: read

    steps:
      - name: Repository checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - id: ShellCheck
        name: Differential ShellCheck
        uses: redhat-plumbers-in-action/differential-shellcheck@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - if: ${{ always() }}
        name: Upload artifact with ShellCheck defects in SARIF format
        uses: actions/upload-artifact@v4
        with:
          name: Differential ShellCheck SARIF
          path: ${{ steps.ShellCheck.outputs.sarif }}

I crafted the token (classic one, not fine-grained that is in beta) with repo:security_events checked, per the readme#token.

What am I missing?

[jamacku]

Hello @heitorPB,

Your workflow and GITHUB_TOKEN permissions seem correct.

Are you running this workflow in the private repository? If so, please see - Using with Private repositories in README.

Also, you can try enabling debug when re-running the differential-shellcheck job and seeing the exact HTTP status code, which could help us identify the precise issue.