search

OCA / oca-github-bot

The GitHub Bot of the Odoo Community Association (OCA)
MIT License
40 stars 57 forks source link

Missing workflow PAT scope #173

Closed yajo closed 2 years ago

yajo commented 2 years ago

Describe the bug

While updating github actions, bot fails to merge with:

! [remote rejected] 14.0-ocabot-merge-pr-134-by-DarioLodeiros-bump-minor -> 14.0-ocabot-merge-pr-134-by-DarioLodeiros-bump-minor (refusing to allow a Personal Access Token to create or update workflow .github/workflows/pre-commit.yml without workflow scope)

To Reproduce

Steps to reproduce the behavior:

  1. Call merge action where a GH workflow is being updated.

Expected behavior Merge.

Additional context See failure in real world in https://github.com/OCA/pms/pull/134#issuecomment-1079250796.

yajo commented 2 years ago

Another case: https://github.com/OCA/server-brand/pull/50#issuecomment-1084161246

sbidoul commented 2 years ago

I'm slightly hesitating to re-add this permission to the token due to the security implications.

In theory the bot can do no harm as it checking that only maintainers and people with push permission on the repo can ocabot merge.

sbidoul commented 2 years ago

I've changed the token permissions to let the bot merge github workflows changes.