403: Resource not accessible by integration
You may see this error when using Dependabot.
Dependabot is considered untrusted when it triggers a workflow run, if the workflow will run with read-only scopes.
If you're using Dependabot in your code scanning workflow, investigate the scope it's using.
Uploading code scanning results for a branch usually requires the
security_events: write scope. However, code scanning always allows the uploading of results when the
pull_request event triggers the action run. This is why, for Dependabot branches, we recommend you use the
pull_request event instead of the
You can run on pushes to the default branch and any other important long-running branches, as well as pull requests opened against this set of branches:
on: push: branches: - main pull_request: branches: - main
Alternatively, you can run on all pushes except for Dependabot branches:
on: push: branches-ignore: - 'dependabot/**' pull_request:
For more information about editing the CodeQL workflow file, see "Customizing your advanced setup for code scanning."
If the CodeQL analysis workflow still fails on a commit made on the default branch, you need to check:
- whether Dependabot authored the commit
- whether the pull request that includes the commit has been merged using
@dependabot squash and merge
This type of merge commit is authored by Dependabot and therefore, any workflows running on the commit will have read-only permissions. If you enabled code scanning and Dependabot security updates or version updates on your repository, we recommend you avoid using the Dependabot
@dependabot squash and merge command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see "Automatically merging a pull request."