ad-m / github-push-action

GitHub actions to push back to repository eg. updated code
MIT License
1.19k stars, 226 forks

remote: Permission to git denied to github-actions[bot]. #96

Closed Shaquu closed 8 months ago

Shaquu commented 3 years ago

Hi, I am trying to push changes but like you will see it fails due to some errors.

Test run is here: https://github.com/NRCHKB/node-red-contrib-homekit-docker/runs/3194895671?check_suite_focus=true

Error

Run ad-m/github-push-action@master
  with:
    github_token: ***
    branch: refs/pull/42/merge
    directory: .
Push to branch refs/pull/42/merge
remote: Permission to NRCHKB/node-red-contrib-homekit-docker.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/NRCHKB/node-red-contrib-homekit-docker.git/': The requested URL returned error: 403
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5) {
  code: 128
}
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)

Part of the gh action:

  dependabot:
    #needs: [build]
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      - uses: actions/checkout@v2
        with:
          persist-credentials: false
          fetch-depth: 0
      - run: |
          git config user.name github-actions[bot]
          git config user.email github-actions[bot]@users.noreply.github.com
          npm version patch -m "[RELEASE] %s"
      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.ref }}
      - uses: fastify/github-action-merge-dependabot@v2.1.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

ad-m commented 3 years ago

Do you have organisation restriction? Is that branch protected?

Shaquu commented 3 years ago

I am trying to push to dependapot pr branch. There should be no limits on that. Maybe I am passing branch incorrectly. I will check and get back.

ad-m commented 3 years ago

Logs mention:

GITHUB_TOKEN Permissions
  Actions: read
  Checks: read
  Contents: read
  Deployments: read
  Discussions: read
  Issues: read
  Metadata: read
  Packages: read
  PullRequests: read
  RepositoryProjects: read
  SecurityEvents: read
  Statuses: read

Default is:

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

See https://github.com/ad-m/cbosa/runs/3197304980?check_suite_focus=true .

Something is restricting permission.

What do you have at https://github.com/NRCHKB/node-red-contrib-homekit-docker/settings/actions in "Workflow permissions" section?

Shaquu commented 3 years ago

@ad-m here it is, says read and write. [screenshot]

In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

Shaquu commented 3 years ago

Okay, I see the issue. Dependabot is pushing from fork. It is why permissions are limited. Dependabot is creating branch on my repo.

Shaquu commented 3 years ago

@ad-m update. I have used custom token:

        with:
          github_token: ${{ secrets.DEPENDABOT_TOKEN }}

It is defined on repo level. [screenshot]

I receive new error from your action: Missing input "github_token: ${{ secrets.GITHUB_TOKEN }}".

UPDATE. Another hint found: "Secrets are not passed to workflows that are triggered by a pull request from a fork." Except it is a branch on my repo.

ad-m commented 3 years ago

Note: With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

See Using encrypted secrets in a workflow

Something is restricting permission.

See "Maximum access by forked repos" in Permissions for the GITHUB_TOKEN

I suggest, in your scenario, using the "push" event instead of "pull_request" and using GITHUB_TOKEN. Then the "push" event will be executed in the context of the source repository (the repository that is the fork), so it will be a local operation and will have full write access to the local repository.

Shaquu commented 3 years ago

Just to clarify. I am merging between branches on the same repo.

Solution might be to extend permissions for GitHub token per job: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions

ad-m commented 3 years ago

Thanks for your clarification. It makes a big difference.

I don't understand why extending the permissions of the GitHub token is required in your scenario. In my experience, the token should currently have the necessary "read / write" permissions. I already shared the permission information of one of my jobs on a personal repository.

Setting up permissions in a workflow can potentially solve the problem, but it's worth understanding why it is required in your case.

GitHub documentation mentions:

People with admin permissions to an enterprise, organization, or repository can set the default permissions to be either permissive or restricted.

Could you verify that in your organisation?

noxxious commented 3 years ago

@Shaquu I ran into the same issue here and it seems it is a limitation of the way Dependabot works; there's a note in the GitHub docs:

Note: Workflow runs triggered by Dependabot pull requests run as if they are from a forked repository, and therefore use a read-only GITHUB_TOKEN. These workflow runs cannot access any secrets. See "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" for strategies to keep these workflows secure. https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

noxxious commented 3 years ago

It seems also you can manage this behavior in your organization action settings "Fork pull request workflows in private repositories" -> "Send secrets to workflows from fork pull requests."

albjeremias commented 2 years ago

so I'm trying to create a branch.. called dist.. where the dist folder is generated...

should I push it with dependabot? or is there a better strategy?

lixuguang commented 2 years ago

I have the same problem

ZPascal commented 2 years ago

Hi @lixuguang, have you checked the access rights of the token?

siegfault commented 2 years ago

I ran into this issue while trying to solve the same problem. In case it's helpful, I found some good examples that helped me resolve it. What @noxxious said, that dependabot by default has a readonly token, is true, but it looks like adding a top-level entry allows us to change that:

permissions:
  pull-requests: write
  issues: write
  repository-projects: write

See:

SamYuan1990 commented 1 year ago

permissions:
  pull-requests: write
  contents: write
  repository-projects: write

Hi team,

I tried the permissions above but it won't work. Is there any guidance to set up / check the permissions? For example, whether the branch is protected or the workflow permissions?

ZPascal commented 1 year ago

Hi @SamYuan1990,

as far as I know, it should work with the corresponding rules. Could you please describe your setup and post the corresponding error message?

SamYuan1990 commented 1 year ago

Hi @SamYuan1990,

as far as I know, it should work with the corresponding rules. Could you please describe your setup and post the corresponding error message?

Hi @ZPascal, we found a bot account to avoid this issue.

We once had a rule that a commit on the default branch should have a PR back.

And then the issue appears as a push back without a PR.

ZPascal commented 1 year ago

Hi @SamYuan1990, could you please share the scopes of the token and the used GitHub Action configuration to reproduce the error?

ghost commented 1 year ago

@ad-m here it is, says read and write. [screenshot]

In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

For anyone else getting a Permission denied error: This fixed it for me.

smallyunet commented 1 year ago

Why can't I select the above option? It's disabled.

[screenshot]

dacanizares commented 1 year ago

You can enable that option under ORGANIZATION settings not REPO settings.

allefzy commented 1 year ago

After practically 1 hour trying to solve "remote: Permission to (...) denied to github-actions[bot]." I went to Settings > Actions > General, and voilà. The option "Read repository contents permission" was selected instead of "Read and write permissions". [screenshot] If "Read and write permissions" is the default setting, why was mine just "Read"? 🤔

Anyway, if someone come across the same problem, I hope that my comment helps.

Ecupse commented 1 year ago

I have similar issues. I am the owner of the repo. I have set workflow permission to read and write. The branch is not protected. I have added pull-requests: write, issues: write, repository-projects: write.

GHA error:

Run ad-m/github-push-action@master
Push to branch main
remote: Write access to repository not granted.

Edit: this error message is gone after I changed the repo from private to public, but the rest of the error still persists as per the original poster. Is there a link where I can check all the permissions I must set?

ZPascal commented 1 year ago

@Ecupse You want to push inside the same repository or a different as on the executed action?

ZPascal commented 1 year ago

@Ecupse You're aware that you're not pushing inside the feature branch and are trying to push to the main branch directly, right? Have you checked if there are any restrictions like a protected branch to push directly to the main branch?

Ecupse commented 1 year ago

@Ecupse You want to push inside the same repository or a different one as on the executed action? @Ecupse You're aware that you're not pushing inside the feature branch and are trying to push to the main branch directly, right? Have you checked if there are any restrictions like a protected branch to push directly to the main branch?

I managed to troubleshoot my issue after changing my repo from private to public and adding the whole list of permissions below. Thank you so much for your help :)

permissions:
  id-token: write
  contents: write
  actions: write
  checks: write
  deployments: write
  discussions: write
  issues: write
  pages: read
  packages: write
  pull-requests: write
  repository-projects: write
  security-events: write
  statuses: write

ZPascal commented 1 year ago

@Ecupse Great to hear that. I think, it should be theoretically also be possible to push to a private repository.

Ecupse commented 1 year ago

@Ecupse Great to hear that. I think, it should be theoretically also be possible to push to a private repository.

Edit: You are right. The public and private repo doesn't affect the GHA. It was just the permissions. Thank you for your advice.

IEvangelist commented 1 year ago

All you should need is:

permissions:
  contents: write
  issues: write
  pull-requests: write
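
Putting the thread's pieces together as an added example (not code from the OP's repository or from this action's documentation): a job-scoped, least-privilege permissions block for the same-repository Dependabot case described above. It assumes a main branch and current major versions of actions/checkout and actions/setup-node; pushing to a different repository, or from a genuinely forked PR, still needs a PAT as noted later in the thread.

```yaml
name: dependabot-version-bump

on:
  pull_request:
    branches: [main]

jobs:
  bump:
    runs-on: ubuntu-latest
    # Only run for Dependabot PRs; no other PR author receives a write token.
    if: ${{ github.actor == 'dependabot[bot]' }}
    # Job-scoped grant. Dependabot-triggered runs default to a read-only
    # GITHUB_TOKEN; 'contents: write' is the one scope 'git push' needs.
    # Once a permissions key is present, every scope not listed drops to none
    # (metadata stays read), so nothing else is widened.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR's source branch. On pull_request events github.ref
          # is refs/pull/N/merge, a synthetic ref that cannot be pushed to.
          ref: ${{ github.head_ref }}
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Bump version
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          npm version patch -m "[RELEASE] %s"
      - name: Push changes back to the PR branch
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.head_ref }}
```

If the repository's "Workflow permissions" setting is "Read repository contents", the job-level block above is still required; the setting only controls the default a run starts from.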

officialbishowb commented 1 year ago

Hi, I had the same problem and the solution to this problem should be by using your personal access token. Generate a personal access token under developer settings. Then in your source repo (where your action file is located), add the personal access token under Settings > Secrets and Variables > Actions and click on the "New Repo... secret" button at the top and add the token with something like PA_TOKEN. Then replace the GITHUB_TOKEN in the action file with PA_TOKEN. It should then work. I also tried with setting the permissions & co but the fix was the personal access token for me.

DanielAlexssander commented 1 year ago

@ad-m here it is, says read and write. [screenshot]

In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

where is this?

ZPascal commented 1 year ago

@DanielAlexssander You can find the location of the settings inside the repository settings -> Actions -> General -> Workflow permissions.

fqw000 commented 1 year ago

@DanielAlexssander You can find the location of the settings inside the repository settings -> Actions -> General -> Workflow permissions.

It works!

MRSlouzk commented 1 year ago

I have the same problem. What I want to do is push to another repository in the same organization. The branch I want to push to is not protected, and the workflow permissions of the org and both repositories are 'Read and write permissions'. I had tried to use my personal secrets and GITHUB_TOKEN, but it continuously runs into "permission denied".

actions.yml:

permissions: write-all

ZPascal commented 1 year ago

Hi @MRSlouzk, it's necessary that you handle it with a personal access token. The GITHUB_TOKEN is restricted, and it's only possible to interact with the repository which triggers the GH action.

kuldeep-bhimani commented 1 year ago

@ad-m here it is, says read and write. [screenshot] In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

For anyone else getting a Permission denied error: This fixed it for me.

This worked for me as well.

kuldeep-bhimani commented 1 year ago

@ad-m here it is, says read and write. [screenshot] In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

where is this?

You will find it under the repo settings, then click on Actions.

lightlessdays commented 1 year ago

Hi. Here is a simple trick to solve this issue:

  1. Open GitHub Repository where the problem is occurring.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General. [screenshot]
  5. Scroll down to Workflow permissions.
  6. Make sure the following settings are enabled and click "Save"

[screenshot]

danielo515 commented 12 months ago

Can someone explain to me why this wonderful action works without problems with the default settings (just "Read repository contents and packages permissions") when running on pushes to the main branch, but when it runs as part of a pull request (i.e. tries to push back to the PR) I need to set up the workflow permissions as instructed above (https://github.com/ad-m/github-push-action/issues/96#issuecomment-1647904286)? Not saying it is a big problem, but my brain needs to understand. Thanks

ShlomiRex commented 11 months ago

Hi. Here is a simple trick to solve this issue:

  1. Open GitHub Repository where the problem is occurring.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General. [screenshot]
  5. Scroll down to Workflow permissions.
  6. Make sure the following settings are enabled and click "Save"

[screenshot]

Still doesn't work (JamesIves/github-pages-deploy-action@v4.4.3)

I get:

remote: Permission to ShlomiRex/pathfinding-algorithms-visualization.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/ShlomiRex/pathfinding-algorithms-visualization.git/': The requested URL returned error: 403

EDIT: Never mind. Because I'm using webpack/babel and generate files (generating static HTML, JS, CSS files from a React project), I added this write permission and now it works:

permissions:
  contents: write # We generate static HTML, JS, CSS so we need write access to the repo
  pages: write
  id-token: write

adpit commented 11 months ago

@DanielAlexssander You can find the location of the settings inside the repository settings -> Actions -> General -> Workflow permissions.

Thank you

panienkaczuprynienka commented 10 months ago

@ad-m here it is, says read and write. [screenshot] In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

where is this?

You will find it under the repo settings, then click on Actions.

Worked for me too! Thanks!

Olalexy1 commented 9 months ago

Hi. Here is a simple trick to solve this issue:

  1. Open GitHub Repository where the problem is occurring.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General. [screenshot]
  5. Scroll down to Workflow permissions.
  6. Make sure the following settings are enabled and click "Save"

[screenshot]

Thanks a lot for this

marknoble commented 9 months ago

Hi. Here is a simple trick to solve this issue:

  1. Open GitHub Repository where the problem is occurring.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General. [screenshot]
  5. Scroll down to Workflow permissions.
  6. Make sure the following settings are enabled and click "Save"

[screenshot]

Thanks a lot for this

The images look broken here... it's hard to tell what settings you suggest enabling without them. 🤔

ZPascal commented 9 months ago

@marknoble You can also follow this recommendation to handle access rights.

marknoble commented 9 months ago

@marknoble You can also follow this recommendation to handle access rights.

I was able to confirm that permissions are set to read and write, but I'm still seeing this error:

remote: Permission to {repo name}.git denied to github-actions[bot].

So, I'm still researching solutions.

ZPascal commented 9 months ago

@marknoble Could you please explain your use case? Maybe you need a PAT.

marknoble commented 9 months ago

@marknoble Could you please explain your use case? Maybe you need a PAT.

Fortunately/unfortunately I nuked my repo and did a fork on the project I was trying to emulate. For whatever reason, that solved the issue for me.

I had initially manually created the folder structure and files.

I wish I knew what I was doing wrong, but forking from the working project resolved the issue for me. 🤷‍♂️

ZPascal commented 9 months ago

I wish I knew what I was doing wrong, but forking from the working project resolved the issue for me.

@marknoble That sounds great. Maybe you've specified the wrong reference or it's necessary to use the force option for the initial commit.