About this error
403: Resource not accessible by integration
You may see this error when using Dependabot.
Dependabot is considered untrusted when it triggers a workflow run, if the workflow will run with read-only scopes.
Confirming the cause of the error
If you're using Dependabot in your code scanning workflow, investigate the scope it's using.
Uploading code scanning results for a branch usually requires the security_events: write scope. However, code scanning always allows the uploading of results when the pull_request event triggers the action run. This is why, for Dependabot branches, we recommend you use the pull_request event instead of the push event.
Fixing the problem
You can run on pushes to the default branch and any other important long-running branches, as well as pull requests opened against this set of branches:
on:
push:
branches:
- main
pull_request:
branches:
- main
Alternatively, you can run on all pushes except for Dependabot branches:
on:
push:
branches-ignore:
- 'dependabot/**'
pull_request:
For more information about editing the CodeQL workflow file, see "Customizing your advanced setup for code scanning."
Analysis still failing on the default branch
If the CodeQL analysis workflow still fails on a commit made on the default branch, you need to check:
- whether Dependabot authored the commit
- whether the pull request that includes the commit has been merged using
@dependabot squash and merge
This type of merge commit is authored by Dependabot and therefore, any workflows running on the commit will have read-only permissions. If you enabled code scanning and Dependabot security updates or version updates on your repository, we recommend you avoid using the Dependabot @dependabot squash and merge command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see "Automatically merging a pull request."