actions / runner

The Runner for GitHub Actions :rocket:
https://github.com/features/actions
MIT License

Permission error on an unreferenced workflow #2696

Closed GeoffreyHayward closed 2 months ago

GeoffreyHayward commented 1 year ago

I am suddenly getting a permission error in two workflows that used to work. The error message states a permission error for another workflow, but this workflow is not imported/called/referenced by either of the workflows. The message/reason appears to be erroneous.

The only change to these workflows is they have been renamed. However, after the rename, one of the two continued to work (finish successfully), before this sudden issue began. As you can see here.

Before the rename, the two workflows have been in service successfully for several months.

Here is the error message:

! [remote rejected] prd -> prd (refusing to allow a GitHub App to create or update workflow .github/workflows/master-to-uat-workflow.yml without workflows permission)

But it is important to understand that master-to-uat-workflow.yml is not included in, or a part of, the workflows that are being given this error.

The two workflows are:

The expected behaviour was to continue running git push --force --no-verify origin tag prd via a Make command. This command moves the git tags to reflect what's in production.

Runner Version and Platform

They are both using Ubuntu latest.

What's not working?

A permission error is given. However, the permission error looks to be an erroneous message/reason.

But just in case, I have checked that the GITHUB_TOKEN has full permission on the Repo and the Org, and we do not have an Enterprise account (so no policies). I have also tried giving the workflows inline full read-write permission.

Further, I have tried this on a fork and cannot reproduce the issue. The fork finishes successfully.

Job Log Output

Run make git.update-environment-tag ENV=prd VERSION=rc
make git.update-environment-tag ENV=prd VERSION=rc
make git.update-environment-tag ENV=rc VERSION=uat
shell: /usr/bin/bash -e {0}
env:
  SLACK_CHANNEL: ****XNJ
  GITHUB_TOKEN:
touch env.mk
make -C ci-cd/ git.update-environment-tag
make[1]: Entering directory '/home/runner/work/hippo/hippo/ci-cd'
git tag --force prd rc
Updated tag 'prd' (was 7c76b77f0)
git push --force --no-verify origin tag prd
To https://github.com/NHS-digital-website/hippo
! [remote rejected] prd -> prd (refusing to allow a GitHub App to create or update workflow .github/workflows/master-to-uat-workflow.yml without workflows permission)
error: failed to push some refs to 'https://github.com/NHS-digital-website/hippo'
make[1]: [Makefile:101: git.update-environment-tag] Error 1
make: *** [Makefile:81: git.update-environment-tag] Error 2
make[1]: Leaving directory '/home/runner/work/hippo/hippo/ci-cd'
Error: Process completed with exit code 2.

Runner and Worker's Diagnostic Logs

logs_13326.zip

Other

I have tried duplicating the files to see if new (not renamed) files worked. They did not work and got the same error message.

GeoffreyHayward commented 1 year ago

The issue was that a tagged commit contained a change to another workflow, so while this workflow was not making a change (i.e. in the yml file), the command git push --force --no-verify origin tag prd was enough to trigger a permission issue.

By running the command locally, where permission is not an issue, the tags moved along and allowed the subsequent workflow run to continue.

The error message didn't have enough information in it to make it clear that the tagged commit had the issue (i.e. what it was doing), as opposed to the workflow itself (i.e. how it was doing it).
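
The root cause described in the comment above can be surfaced before the push. The following is an added example, not part of the original issue or the runner project's code: a pre-flight check that lists the workflow files that differ between the commit a tag points at now and the commit it is about to point at. The function names, the constructed demo repository and the assumption that such a difference is what makes the server ask for the workflows permission are illustrative.

```shell
#!/usr/bin/env bash
# Added example: explain a "without workflows permission" rejection up front.
# Assumption: the push is refused when the commits it brings in change files
# under .github/workflows, whichever workflow is doing the push.

# Print the workflow files that differ between two revisions, one per line.
workflow_changes_between() {
    git diff --name-only "$1" "$2" -- .github/workflows
}

# Usage: preflight_tag_move TAG OLD_REV NEW_REV
# Returns 0 if moving TAG from OLD_REV to NEW_REV touches no workflow file,
# 1 if it does (naming the files on stderr), 2 if the revisions are invalid.
preflight_tag_move() {
    local changed
    changed="$(workflow_changes_between "$2" "$3")" || return 2
    if [ -n "$changed" ]; then
        echo "Moving tag '$1' would push changes to workflow files:" >&2
        echo "$changed" | sed 's/^/  /' >&2
        echo "The pushing token needs the workflows permission named in the error." >&2
        return 1
    fi
    return 0
}

# Constructed sample data: a throwaway repository in which 'uat' differs from
# 'prd' by a docs change only, and 'rc' additionally edits another workflow.
make_demo_repo() {
    local dir
    dir="$(mktemp -d)" || return 1
    (
        cd "$dir" && git init -q . &&
        git config user.name demo && git config user.email demo@example.invalid &&
        git config commit.gpgsign false &&
        mkdir -p .github/workflows &&
        echo "name: deploy" > .github/workflows/deploy.yml &&
        git add . && git commit -q -m "initial" && git tag prd &&
        echo "docs" > README && git add . &&
        git commit -q -m "docs only" && git tag uat &&
        echo "name: promote" > .github/workflows/master-to-uat-workflow.yml &&
        git add . && git commit -q -m "edit another workflow" && git tag rc
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}
```

Run the check before `git tag --force`, passing the tag's current target as the old revision and the new target as the new one.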

github-actions[bot] commented 3 months ago

This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] commented 2 months ago

This issue was closed because it has been stalled for 15 days with no activity.