Closed nodesocket closed 1 year ago
Hi @nodesocket, that case is currently not yet supported, but I've already fixed that bug (not yet merged). If you want to try it out, you can switch the used version to ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
. It would be nice to give me feedback about the functionality and everything works as expected.
@ZPascal awesome will try it. Do I need to set force: true
?
@ZPascal no luck using this commit hash, but I did not specify force: true
. Is that required?
remote: error: GH006: Protected branch update failed for refs/heads/dev.
remote: error: At least 1 approving review is required by reviewers with write access. You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information.
- name: Push
uses: ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
with:
github_token: ${{ secrets. MACHINE_USER_PERSONAL_ACCESS_TOKEN }}
force: false
@ZPascal no luck using this commit hash, but I did not specify force: true. Is that required?
Hi @nodesocket, from my understanding, that should not be required. I'll set up a test system and debug it.
@ZPascal thanks. Let me know what you find
@ZPascal were you able to find anything? Still failing for us. The machine user simply has a legacy personal access token with no expiration.
Then in the GitHub action doing:
- name: Push
uses: ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
with:
github_token: ${{ secrets. MACHINE_USER_PERSONAL_ACCESS_TOKEN }}
force: false
Run ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
with:
github_token: ***
force: false
github_url: https://github.com
directory: .
env:
HSM_IP: ***
HSM_CUSTOMER_CA: ***
HSM_SIGNING_CERT: ***
DOCKER_CONFIG: /home/runner/work/_temp/docker_login_168[2](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:2)456295[3](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:3)26
DOCKER_IMAGE_TAG: dev-277c5c[4](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:4).u9e8u
Push to branch dev
Pushing to https://github.com/Acme/App.git
POST git-receive-pack (130[5](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:5) bytes)
remote: Resolving deltas: 0% (0/6)
remote: Resolving deltas: 16% (1/6)
remote: Resolving deltas: 33% (2/6)
remote: Resolving deltas: 50% (3/6)
remote: Resolving deltas: 66% (4/6)
remote: Resolving deltas: 83% (5/6)
remote: Resolving deltas: 100% (6/6)
remote: Resolving deltas: 100% (6/6), completed with 6 local objects.
remote: error: GH006: Protected branch update failed for refs/heads/dev.
remote: error: At least 1 approving review is required by reviewers with write access. You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information.
To https://github.com//Acme/App.git
! [remote rejected] HEAD -> dev (protected branch hook declined)
error: failed to push some refs to 'https://github.com/Acme/App.git'
Error: Invalid exit code: 1
at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/74d8e0b[6](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:6)f0b86b61232a9b3a28b45bf8a5593532/start.js:29:21)
at ChildProcess.emit (node:events:52[7](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:7):2[8](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:8))
at maybeClose (node:internal/child_process:10[9](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:9)2:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5) {
code: 1
}
Error: Invalid exit code: 1
at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/74d8e0b6f0b86b61232a9b3a28b45bf8a5593532/start.js:29:21)
at ChildProcess.emit (node:events:527:28)
at maybeClose (node:internal/child_process:[10](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:10)92:[16](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:17))
at Process.ChildProcess._handle.onexit (node:internal/child_process:[30](https://github.com/Acme/App/actions/runs/4802115121/jobs/8545195558#step:6:31)2:5)
Hi @nodesocket, I've reproduced the case in a GitHub Enterprise instance and found a solution. Could you please share the checkout step and add the token to the checkout functionality?
Be aware, please use token
as the key for the checkout action and not github_token
.
@ZPascal amazing!!! Thanks 🙇🏻 so much. Adding token
to the checkout step worked. Let me know when this is merged in so I can use master
again instead of 74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
.
Once again, appreciate it....
@nodesocket Sure, I'll update you.
@ZPascal is this live by chance? Also, any workaround you can think of when we have multiple actions running that do a push to the repo? The issue is that the checkout happens before the other action pushes thus getting:
hint: Updates were rejected because a pushed branch tip is behind its remote
hint: counterpart. Check out this branch and integrate the remote changes
Is there a way to say pull
before doing:
- name: Push
uses: ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
with:
github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
force: false
Hi @nodesocket,
is this live by chance?
Unfortunately, not yet. I'll ping a few reviewers and hope we can merge it asap.
Also, any workaround you can think of when we have multiple actions running that do a push to the repo? The issue is that the checkout happens before the other action pushes thus getting:
Normally the push action uses the --atomic
parameter (It's necessary to use Git >= 2.4.0). Theoretically, it's also possible to execute beforehand a manual pull like the following example.
- name: Run git pull beforehand
run: git pull
Could you please share the debug output of the action? That would help the further analyse the case.
So the GH action does a flow like:
- name: Docker login
uses: azure/docker-login@v1
- name: Checkout
uses: actions/checkout@v3
with:
token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
- name: Dockerbuild
run: ./dockerbuild.sh
- name: Update Helm image tags
run: ./updateimagetags.sh api ${{ env.DOCKER_IMAGE_TAG }}
- name: Push
uses: ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
with:
github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
force: false
The problem (I think) is that multiple GitHub actions can get triggered simultaneously each independently calling checkout and then at different times trying to push later on when another action may have already committed and pushed.
Note that the bash script updateimagetags.sh
does the following at the very end, so it should be pulling in changes.
git config --local user.name "machine-user"
git config --local user.email "engineering@acme.org"
git add --all
git commit -am "[gh-action] image tag for $APPLICATIONS to $IMAGE_TAG"
git pull --rebase
@ZPascal actually I think I see it. When it's trying to push, it's not pushing the branch it checked out I think it is defaulting to dev
.
# from updateimagetags.sh
Current branch production is up to date.
But then this GitHub action is trying to push to dev
branch:
Run ad-m/github-push-action@74d8e0b6f0b86b61232a9b3a28b45bf8a5593532
Push to branch dev
Pushing to https://github.com/Acme/App.git
To https://github.com/Acme/App.git
! [rejected] HEAD -> dev (non-fast-forward)
error: failed to push some refs to 'https://github.com/Acme/App.git'
hint: Updates were rejected because a pushed branch tip is behind its remote
hint: counterpart. Check out this branch and integrate the remote changes
hint: (e.g. 'git pull ...') before pushing again.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.
Error: Invalid exit code: 1
How can I specify it should push the branch that is checked out?
@nodesocket Is your default branch dev
? This explains the case, because the default branch for the checkout action is the default repository branch.
You can specify the branch by adding the branch
parameter input to the action. For example, it is possible to specify the appropriate branch by adding ${{ github.ref }}
or, if you are using the action within a PR, with ${{ github.head_ref }}
. In general, I recommend setting up the appropriate branch within the checkout action.
Update: ~You can also use now the master branch. I've merged the PR. I've reverted the change, because it results in issues. It's necessary to further analyze it.~ I've opened a PR to deliver a bug fix. I think you can use again the master version.
@nodesocket Can we close this issue?
@ZPascal is the required change now in master? I think you mentioned you had to revert it
Hi @nodesocket, I reverted the original change a few days ago. In the meantime, I have already placed and merged a new fix that includes the original change and the corresponding bug fix. You can switch to the master version.
I am using personal access token from a machine user
sa-machine-user
. Then I specify:Finally in the repo I have allowed this user:
But still getting:
Any ideas?