cucumber / action-create-release-pr

Creates a pull request for a release
MIT License

Workflow permission required when there are updates in github workflows #65

Open aurelien-reeves opened 3 years ago

aurelien-reeves commented 3 years ago

Refs. https://github.com/cucumber/cucumber-ruby-wire/runs/3440750908?check_suite_focus=true

If there are some updates in the github workflows as part of the changes about to be released, the action fails because of lacking some permissions:

```
To https://github.com/cucumber/cucumber-ruby-wire
 ! [remote rejected] release/v6.1.1 -> release/v6.1.1 (refusing to allow a GitHub App to create or update workflow `.github/workflows/release.yaml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/cucumber/cucumber-ruby-wire'
```

mattwynne commented 3 years ago

What a pain. I think I'd seen this a few times myself but sort of ignored it in the noise of everything else I was doing, and it went away once the workflow files had stabilised. We do need to tackle it though.

From what I've read, we'd need to run this workflow/action using a PAT to work around this. I'm not sure of the security implications of that. I guess we could create a specific bot account with limited permissions. @runkalicious I'd like your advice on this one, if you can get your head around it.

aurelien-reeves commented 3 years ago

> From what I've read, we'd need to run this workflow/action using a PAT to work around this. I'm not sure of the security implications of that.

That is also what I found after investigating. Maybe that would not be required if the action was part of the cucumber organization itself? Or within the repo where it is triggered? Not sure.

> I guess we could create a specific bot account with limited permissions. @runkalicious I'd like your advice on this one, if you can get your head around it.

We already have cuke-bot for that purpose I guess?

runkalicious commented 3 years ago

This error occurs when the action does something (e.g., push a new branch) that would cause another automated workflow to start (in this case, the actions defined in release.yml). The special workflow scope is needed for that, which is unavailable on the GITHUB_TOKEN, so a PAT is required (as the most common option).

This is discussed in detail (and really helped me), along with some other strategies, in docs associated with a popular PR action: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs

mattwynne commented 3 years ago

> This error occurs when the action does something (e.g., push a new branch) that would cause another automated workflow to start

Huh. So that's a good thing, because we wouldn't want to run the release workflow until this PR is merged.

Right now, we force push to the release/vX.Y.Z branch to point to the previous release tag each time this action runs. In reality this commit is unlikely to move, so we could change the action to only do that once. Even so, I guess even that initial creation of the release branch might trigger the release workflow as things stand.

So maybe we need to trigger the release workflow a bit differently, like on the PR merge or something.

mattwynne commented 2 years ago

This also happens if the commit to be added to the release branch contains changes to workflow files. I think we need to just present the user with an error message showing them how to create the branches / PR by hand.

aurelien-reeves commented 2 years ago

> This also happens if the commit to be added to the release branch contains changes to workflow files.

Well, that was the initial report actually

> I think we need to just present the user with an error message showing them how to create the branches / PR by hand.

👍
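
The pre-flight check proposed in the last two comments (refuse to push when the release commit touches workflow files, and tell the user how to create the branch and PR by hand), as an added example that is not part of the action's code or of this thread. The function names, the `base_ref`/`release_branch` parameters and the wording of the message are assumptions; the fact that `GITHUB_TOKEN` cannot push changes under `.github/workflows/` comes from the thread.

```shell
#!/usr/bin/env sh
# Added example, not the cucumber action's own code. Run before the push
# step of the release-PR action so the push is skipped with a clear
# message instead of failing with "refusing to allow a GitHub App to
# create or update workflow ... without `workflows` permission".
# Assumed names: touches_workflows, changed_files, release_preflight.

# True (exit 0) when any path in the newline-separated list lives under
# .github/workflows/. Pure function, so it can be checked without a repo.
touches_workflows() {
  printf '%s\n' "$1" | grep -q '^\.github/workflows/'
}

# Paths changed between the base ref and HEAD, one per line.
changed_files() {
  git diff --name-only "$1" HEAD
}

# Instructions printed instead of pushing with the GITHUB_TOKEN.
manual_instructions() {
  cat <<EOF
The changes to be released modify files under .github/workflows/.
GITHUB_TOKEN lacks the 'workflows' permission, so the action cannot push
them. Create the release branch and pull request by hand (assumed steps):

  git checkout -b $1
  git push origin $1
  gh pr create --base main --head $1
EOF
}

# Exit 0 when it is safe to push with GITHUB_TOKEN, 2 when the user must
# create the branch and PR manually.
release_preflight() {
  base_ref="$1"
  release_branch="$2"
  files="$(changed_files "$base_ref")"
  if touches_workflows "$files"; then
    manual_instructions "$release_branch" >&2
    return 2
  fi
  return 0
}

# Usage: release_preflight <base-ref> <release-branch>, e.g.
#   release_preflight origin/main release/v6.1.1
if [ "$#" -eq 2 ]; then
  release_preflight "$1" "$2"
fi
```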