ad-m / github-push-action

GitHub actions to push back to repository eg. updated code
MIT License

How to push to a protected branch support #164

Closed nodesocket closed 1 year ago

nodesocket commented 1 year ago

I am using a personal access token from a machine user sa-machine-user. Then I specify:

    - name: Push
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.MACHINE_USER_PERSONAL_ACCESS_TOKEN }}
        force: false

Finally in the repo I have allowed this user:

Screenshot 2023-04-19 at 2 16 42 PM

But still getting:

remote: error: GH006: Protected branch update failed for refs/heads/dev.        
remote: error: At least 1 approving review is required by reviewers with write access. You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information.   

Any ideas?

ZPascal commented 1 year ago

Hi @nodesocket, that case is currently not yet supported, but I've already fixed that bug (not yet merged). If you want to try it out, you can switch the used version to ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532. It would be nice if you could give me feedback about the functionality and whether everything works as expected.

nodesocket commented 1 year ago

@ZPascal awesome will try it. Do I need to set force: true?

nodesocket commented 1 year ago

@ZPascal no luck using this commit hash, but I did not specify force: true. Is that required?

remote: error: GH006: Protected branch update failed for refs/heads/dev.        
remote: error: At least 1 approving review is required by reviewers with write access. You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information.

    - name: Push
      uses: ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
      with:
        github_token: ${{ secrets.MACHINE_USER_PERSONAL_ACCESS_TOKEN }}
        force: false

ZPascal commented 1 year ago

> @ZPascal no luck using this commit hash, but I did not specify force: true. Is that required?

Hi @nodesocket, from my understanding, that should not be required. I'll set up a test system and debug it.

nodesocket commented 1 year ago

@ZPascal thanks. Let me know what you find

nodesocket commented 1 year ago

@ZPascal were you able to find anything? Still failing for us. The machine user simply has a legacy personal access token with no expiration.

Screenshot 2023-04-26 at 12 57 14 PM

Then in the GitHub action doing:

- name: Push
  uses: ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
  with:
    github_token: ${{ secrets.MACHINE_USER_PERSONAL_ACCESS_TOKEN }}
    force: false

Run ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
  with:
    github_token: ***
    force: false
    github_url: https://github.com
    directory: .
  env:
    HSM_IP: ***
    HSM_CUSTOMER_CA: ***
    HSM_SIGNING_CERT: ***
    DOCKER_CONFIG: /home/runner/work/_temp/docker_login_1682456295326
    DOCKER_IMAGE_TAG: dev-277c5c4.u9e8u
Push to branch dev
Pushing to https://github.com/Acme/App.git
POST git-receive-pack (1305 bytes)
remote: Resolving deltas:   0% (0/6)        
remote: Resolving deltas:  16% (1/6)        
remote: Resolving deltas:  33% (2/6)        
remote: Resolving deltas:  50% (3/6)        
remote: Resolving deltas:  66% (4/6)        
remote: Resolving deltas:  83% (5/6)        
remote: Resolving deltas: 100% (6/6)        
remote: Resolving deltas: 100% (6/6), completed with 6 local objects.        
remote: error: GH006: Protected branch update failed for refs/heads/dev.        
remote: error: At least 1 approving review is required by reviewers with write access. You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information.        
To https://github.com//Acme/App.git
 ! [remote rejected] HEAD -> dev (protected branch hook declined)
error: failed to push some refs to 'https://github.com/Acme/App.git'
Error: Invalid exit code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/74d8e0b6f0b86b61232a9b3a28b45bf8a5593532/start.js:29:21)
    at ChildProcess.emit (node:events:527:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5) {
  code: 1
}
Error: Invalid exit code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/74d8e0b6f0b86b61232a9b3a28b45bf8a5593532/start.js:29:21)
    at ChildProcess.emit (node:events:527:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

ZPascal commented 1 year ago

Hi @nodesocket, I've reproduced the case in a GitHub Enterprise instance and found a solution. Could you please share the checkout step and add the token to the checkout functionality?

Be aware, please use token as the key for the checkout action and not github_token.

nodesocket commented 1 year ago

@ZPascal amazing!!! Thanks 🙇🏻 so much. Adding token to the checkout step worked. Let me know when this is merged in so I can use master again instead of 74d8e0b6f0b86b61232a9b3a28b45bf8a5593532.

Once again, appreciate it....

ZPascal commented 1 year ago

@nodesocket Sure, I'll update you.

nodesocket commented 1 year ago

@ZPascal is this live by chance? Also, any workaround you can think of when we have multiple actions running that do a push to the repo? The issue is that the checkout happens before the other action pushes thus getting:

hint: Updates were rejected because a pushed branch tip is behind its remote
hint: counterpart. Check out this branch and integrate the remote changes

Is there a way to say pull before doing:

    - name: Push
      uses: ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
      with:
        github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        force: false

ZPascal commented 1 year ago

Hi @nodesocket,

> is this live by chance?

Unfortunately, not yet. I'll ping a few reviewers and hope we can merge it asap.

> Also, any workaround you can think of when we have multiple actions running that do a push to the repo? The issue is that the checkout happens before the other action pushes thus getting:

Normally the push action uses the --atomic parameter (It's necessary to use Git >= 2.4.0). Theoretically, it's also possible to execute beforehand a manual pull like the following example.

    - name: Run git pull beforehand
      run: git pull

Could you please share the debug output of the action? That would help to further analyse the case.

nodesocket commented 1 year ago

So the GH action does a flow like:

- name: Docker login
  uses: azure/docker-login@v1
- name: Checkout
  uses: actions/checkout@v3
  with:
    token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
- name: Dockerbuild
  run: ./dockerbuild.sh
- name: Update Helm image tags
  run: ./updateimagetags.sh api ${{ env.DOCKER_IMAGE_TAG }}
- name: Push
  uses: ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
  with:
    github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
    force: false

The problem (I think) is that multiple GitHub actions can get triggered simultaneously each independently calling checkout and then at different times trying to push later on when another action may have already committed and pushed.

Note that the bash script updateimagetags.sh does the following at the very end, so it should be pulling in changes.

git config --local user.name "machine-user"
git config --local user.email "engineering@acme.org"
git add --all
git commit -am "[gh-action] image tag for $APPLICATIONS to $IMAGE_TAG"
git pull --rebase

nodesocket commented 1 year ago

@ZPascal actually I think I see it. When it's trying to push, it's not pushing the branch it checked out; I think it is defaulting to dev.

# from updateimagetags.sh
Current branch production is up to date.

But then this GitHub action is trying to push to dev branch:

Run ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
Push to branch dev
Pushing to https://github.com/Acme/App.git
To https://github.com/Acme/App.git
 ! [rejected]        HEAD -> dev (non-fast-forward)
error: failed to push some refs to 'https://github.com/Acme/App.git'
hint: Updates were rejected because a pushed branch tip is behind its remote
hint: counterpart. Check out this branch and integrate the remote changes
hint: (e.g. 'git pull ...') before pushing again.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.
Error: Invalid exit code: 1

How can I specify it should push the branch that is checked out?

ZPascal commented 1 year ago

@nodesocket Is your default branch dev? This explains the case, because the default branch for the checkout action is the default repository branch.

You can specify the branch by adding the branch parameter input to the action. For example, it is possible to specify the appropriate branch by adding ${{ github.ref }} or, if you are using the action within a PR, with ${{ github.head_ref }}. In general, I recommend setting up the appropriate branch within the checkout action.

Update: ~You can also use now the master branch. I've merged the PR. I've reverted the change, because it results in issues. It's necessary to further analyze it.~ I've opened a PR to deliver a bug fix. I think you can use again the master version.
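
The resolution reached in this thread, assembled into one workflow as an added example (not posted by either participant and not the project's own code). The workflow name, trigger, job name and the `if:` guard are assumptions; the secret name, the machine user and the script come from the thread.

```yaml
# Added example. Names marked "assumed" do not appear in the thread.
name: update-image-tags            # assumed
on:
  push:
    branches: [dev, production]    # assumed trigger

jobs:
  push-back:                       # assumed job name
    runs-on: ubuntu-latest
    # A push authenticated with a personal access token starts new workflow
    # runs, so skip the run caused by the machine user's own push.
    if: github.actor != 'sa-machine-user'
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # The key is `token` here, not `github_token`. Checkout keeps this
          # credential in the local git config, so the later push is made as
          # the machine user that the branch protection rule allows.
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

      - name: Update Helm image tags
        # Script from the thread: commits, then runs `git pull --rebase`.
        # DOCKER_IMAGE_TAG is set by an earlier step that is not shown here.
        run: ./updateimagetags.sh api ${{ env.DOCKER_IMAGE_TAG }}

      - name: Push
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          # Push to the branch that triggered the run rather than the
          # default the action would otherwise pick.
          branch: ${{ github.ref }}
          force: false
```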

ZPascal commented 1 year ago

@nodesocket Can we close this issue?

nodesocket commented 1 year ago

@ZPascal is the required change now in master? I think you mentioned you had to revert it

ZPascal commented 1 year ago

Hi @nodesocket, I reverted the original change a few days ago. In the meantime, I have already placed and merged a new fix that includes the original change and the corresponding bug fix. You can switch to the master version.