actions / github-script

Write workflows scripting the GitHub API in JavaScript
MIT License

HTTP status 422 when creating a protected branch #455

Closed andy-maier closed 9 months ago

andy-maier commented 9 months ago

Describe the bug

Using github.rest.git.createRef to create a protected branch fails with HTTP status 422:

 with:
    script: github.rest.git.createRef({
    owner: context.repo.owner,
    repo: context.repo.repo,
    ref: "refs/heads/stable_1.14",
    sha: "***",
  })

    github-token: ***
    debug: false
    user-agent: actions/github-script
    result-encoding: json
    retries: 0
    retry-exempt-status-codes: 400,401,403,404,422
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.10.13/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.10.13/x64/lib
    GITHUB_TOKEN: ***
RequestError [HttpError]: Reference update failed
    at /home/runner/work/_actions/actions/github-script/v6/dist/index.js:6842:21
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {
  status: 422,
  response: {
    url: 'https://api.github.com/repos/zhmcclient/python-zhmcclient/git/refs',
    status: 422,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      connection: 'close',
      'content-length': '116',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Sat, 17 Feb 2024 12:09:39 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-accepted-github-permissions': 'contents=write; contents=write,workflows=write',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '3C22:4C2A:1183F3F:238C1DC:65D0A203',
Error: Unhandled error: HttpError: Reference update failed
      'x-ratelimit-limit': '1000',
      'x-ratelimit-remaining': '995',
      'x-ratelimit-reset': '1708175320',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '5',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Reference update failed',
      documentation_url: 'https://docs.github.com/rest/git/refs#create-a-reference'
    }
  },
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/zhmcclient/python-zhmcclient/git/refs',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/github-script octokit-core.js/3.6.0 Node.js/16.20.2 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"ref":"refs/heads/stable_1.14","sha":"5c0450496126d2b24232ae0d750a6454d544f4b8"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}

When I do this with an unprotected branch, the branch can be created with the actions plugin.

Creating a protected branch with git commands succeeds.

With an earlier release of this actions plugin, creating protected branches has also worked fine.

Note: By "creating a protected branch" I mean creating a branch that has a name for which a branch protection rule exists that matches the name.

An example of the failure is here: https://github.com/zhmcclient/python-zhmcclient/actions/runs/7941520871

To Reproduce

Steps to reproduce the behavior:

  1. Have a workflow that creates a branch, e.g. the following which is triggered by editing any milestone:
    name: debug_create_branch
    on:
      milestone:
        types: [edited]
    jobs:
      debug_create_branch:
        name: Create a branch
        runs-on: ubuntu-latest
        steps:
        - name: Create a branch
          uses: actions/github-script@v6
          with:
            script: |
              github.rest.git.createRef({
                owner: context.repo.owner,
                repo: context.repo.repo,
                ref: "refs/heads/stable_1.14",
                sha: "${{ github.sha }}",
              })
          env:
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  2. Have a branch protection rule matching "stable_*" that prevents direct pushes to the branch. For more details on the settings, see this example: https://github.com/zhmcclient/python-zhmcclient/settings/branch_protection_rules/1798004
  3. Trigger a workflow run (e.g. in the example workflow, by editing any milestone)
  4. Watch the error in the workflow log

Expected behavior

Protected branches can be created without error.


andy-maier commented 9 months ago

Some more info:

When pushing a new protected branch using git commands, it depends on who you are, it seems.

With admin permissions in a local command line, it works with a warning:

$ git push --set-upstream origin stable_debug_git
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
remote: Bypassed rule violations for refs/heads/stable_debug_git:
remote: 
remote: - 2 of 2 required status checks have not succeeded: 1 expected.
remote: 
remote: 
remote: Create a pull request for 'stable_debug_git' on GitHub by visiting:
remote:      https://github.com/zhmcclient/python-zhmcclient/pull/new/stable_debug_git
remote: 
To github.com:zhmcclient/python-zhmcclient.git
 * [new branch]      stable_debug_git -> stable_debug_git
branch 'stable_debug_git' set up to track 'origin/stable_debug_git'.

When using the same git command in a GitHub Actions workflow, it fails:


Run git push --set-upstream origin stable_debug_git
  git push --set-upstream origin stable_debug_git
  shell: /usr/bin/bash -e {0}
  env:
    GITHUB_TOKEN: ***
remote: error: GH006: Protected branch update failed for refs/heads/stable_debug_git.        
remote: error: 2 of 2 required status checks have not succeeded: 1 expected. You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information.        
To https://github.com/zhmcclient/python-zhmcclient
 ! [remote rejected] stable_debug_git -> stable_debug_git (protected branch hook declined)
error: failed to push some refs to 'https://github.com/zhmcclient/python-zhmcclient'
Error: Process completed with exit code 1.

The GITHUB_TOKEN used in the workflow is my personal token, so it should resolve to running the command under my userid and thus should have the same permissions as when running this locally.

Can someone explain that?

andy-maier commented 9 months ago

Some more investigation:

It seems that the branch creation works if the "Restrict pushes that create matching branches" checkmark in the branch protection rules for "stable_*" is not set. I had that set in this particular project, and have now turned it off.

I am closing this ticket. The somewhat unclear error message is not the fault of this project - it is the same one that gets displayed when using git in the command line.
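
A pre-flight check for the situation this thread ends on, as an added example that is not part of the original issue or of the github-script project: given a repository's branch protection rules, it reports which patterns would reject creation of a given ref. The field name `blocksCreations`, the simplified pattern matcher and the sample rules are assumptions of the example.

```javascript
// Added example. Assumption: rule objects have the shape of GraphQL
// BranchProtectionRule nodes, and `blocksCreations` is the API field behind the
// "Restrict pushes that create matching branches" checkbox.
const RULES_QUERY = `
  query($owner: String!, $repo: String!) {
    repository(owner: $owner, name: $repo) {
      branchProtectionRules(first: 100) {
        nodes { pattern blocksCreations }
      }
    }
  }`;
// In a github-script step the rules could be fetched with:
//   const data = await github.graphql(RULES_QUERY, context.repo);
//   const rules = data.repository.branchProtectionRules.nodes;

// Simplified fnmatch-style matcher: supports "*" and "?" only, neither of
// which crosses a "/". Every other character is matched literally.
function patternToRegExp(pattern) {
  const body = pattern
    .split("")
    .map((c) => {
      if (c === "*") return "[^/]*";
      if (c === "?") return "[^/]";
      return c.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    })
    .join("");
  return new RegExp(`^${body}$`);
}

// Patterns of the rules that would reject creating `ref` for an actor
// without bypass or push permission on the rule.
function rulesBlockingCreation(rules, ref) {
  const branch = ref.replace(/^refs\/heads\//, "");
  return rules
    .filter((r) => r.blocksCreations)
    .filter((r) => patternToRegExp(r.pattern).test(branch))
    .map((r) => r.pattern);
}

// Constructed sample data, modelled on the "stable_*" rule from the thread.
const sampleRules = [
  { pattern: "stable_*", blocksCreations: true },
  { pattern: "master", blocksCreations: false },
  { pattern: "release/*", blocksCreations: false },
];

console.log(rulesBlockingCreation(sampleRules, "refs/heads/stable_1.14"));
```

Run before `createRef`, this lets a workflow fail with a message naming the matching rule instead of the bare 422 "Reference update failed".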