maxheld83 / ghpages

Deploy arbitrary static assets through GitHub Actions
https://github.com/maxheld83/ghpages
MIT License
179 stars 37 forks

trigger gh webserver from gh-pages with default gh action GITHUB_TOKEN, not bespoke PAT #1

Closed maxheld83 closed 4 years ago

maxheld83 commented 5 years ago

from gh:

Currently, using an installation token to make a server-to-server request won't kick off a page build, whether it's creating a commit or explicitly requesting a page build.

However, I'd like to mention that the requesting a page build endpoint is enabled for integrations via a user access token. More specifically, you can create a personal access token and use that instead of the installation token to push a commit or request a page build:

https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line

my response / latest experience:

I did just build a github action for vanilla (= no static site building included) gh pages deployment: https://github.com/maxheld83/ghaction-ghpages

It took me a while to understand what you had already warned about; that GITHUB_TOKEN wouldn't trigger a page build.

I now got this to work with a normal Github PAT, just like we used to do it in the old Travis days :/.

I was initially confused because I never really needed GitHub to start a (Jekyll) build, but just serve whatever was up on my gh-pages branch. But I guess for the GitHub webserver to kick in and update, the same conditions have to be met.

It'd be great if you guys could lift this limitation of the GITHUB_TOKEN soon, or provide some other way to seamlessly deploy to GitHub pages.

Not having to deal with this kind of manual auth via PATs was a big draw for me to use gh actions in the first place, and having GITHUB_TOKEN auth a git push to gh-pages branch, but not triggering the downstream update of the gh webserver is really counterintuitive.

I'll write something up on my action tomorrow to prevent others from stumbling into this issue as well.

cheers: Max

maxheld83 commented 5 years ago

@Helaili @bryanschuetz @shalzz you guys also seemed to have implemented deploying assets to github pages from within GitHub actions (in fact, I stole your git incantations).

I noticed that you guys also used GITHUB_TOKEN as a secret, though I now understand that the default GITHUB_TOKEN that comes with github actions does not suffice to trigger an update to the github webserver, even though it does suffice to push to the gh-pages branch. I only got it to work once I provisioned a bespoke GitHub PAT for this purpose, and passed that as a secret.

Did I get this right? Did you face the same limitation as well?

helaili commented 5 years ago

👋 @maxheld83 - there is indeed a difference of behavior when using Personal Access Tokens and OAuth Tokens, which the GITHUB_TOKEN is. In my experience, the difference actually only happens on public repos. Pages publishing works fine on private repos, which is ironic as the Pages site is always public anyway.

I'm planning on investigating this deeper but I'm afraid this is not on top of my todo list.

shalzz commented 5 years ago

@maxheld83 Yes, that's correct. In fact this is what I explicitly mention in the README. I'm not sure if this behaviour is different for private repos but I'd probably say it isn't.

For posterity this is the complete explanation I got from the Github Staff:

I see that you're using the GITHUB_TOKEN environment variable to authenticate. That variable is a GitHub App installation token (also known as a server-to-server installation token).

After speaking with the team about this, they let me know that server-to-server requests won't kick off a page build, whether it's creating a commit or explicitly requesting a page build:

I see how it would be useful to open this functionality to GitHub Actions, so I've let the team know about this internally.

However, I'd like to mention that the requesting a page build endpoint is enabled for integrations via a user access token. In other words, you can make a user-to-server request to request a page build:

Alternatively, you can create a personal access token and use that to request a page build:

joshuarubin commented 5 years ago

We’ve found that using a repository deployment key and using an ssh remote also works and is safer since it’s scoped to the repo only.
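
The deploy-key approach from the comment above, sketched as an added example that is not part of the original thread or the ghpages project. The variable names `DEPLOY_KEY`, `KNOWN_HOSTS_FILE`, `OWNER_REPO` and `BUILD_DIR` and all function names are hypothetical; the private key is assumed to arrive as a secret and its public half to be registered as a write-enabled deploy key on the one repository.

```shell
#!/usr/bin/env bash
# Added example: push built assets to gh-pages over SSH with a deploy key.
# Assumed (hypothetical) inputs: DEPLOY_KEY (private key text from a secret),
# KNOWN_HOSTS_FILE (pre-provisioned host keys), OWNER_REPO, BUILD_DIR.

# Write the key to a private temp file (mode 600) and print its path.
write_deploy_key() {
  local key_file
  key_file="$(mktemp)" || return 1
  chmod 600 "$key_file"
  printf '%s\n' "$1" > "$key_file"
  printf '%s' "$key_file"
}

# ssh invocation for git: offer only this key, refuse unknown host keys.
ssh_command_for() {
  printf 'ssh -i %s -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$1" "$2"
}

# SSH remote for a repository given as "owner/repo".
ssh_remote_for() {
  printf 'git@github.com:%s.git' "$1"
}

# Commit the contents of BUILD_DIR and force-push them to gh-pages.
deploy() {
  local key_file status
  key_file="$(write_deploy_key "$DEPLOY_KEY")" || return 1
  (
    cd "$BUILD_DIR" &&
    git init -q &&
    git add -A &&
    git -c user.name="deploy" -c user.email="deploy@example.invalid" \
        commit -q -m "Deploy to gh-pages" &&
    GIT_SSH_COMMAND="$(ssh_command_for "$key_file" "$KNOWN_HOSTS_FILE")" \
        git push --force "$(ssh_remote_for "$OWNER_REPO")" HEAD:gh-pages
  )
  status=$?
  rm -f "$key_file"   # never leave key material on the runner
  return "$status"
}

# Only deploy when a key was actually provided.
if [ -n "${DEPLOY_KEY:-}" ]; then
  deploy
fi
```

Unlike a token embedded in an HTTPS remote URL, the key never appears in `.git/config` or in the pushed URL, and a leaked key grants access to this repository only.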

BryanSchuetz commented 5 years ago

As @helaili mentions—using GITHUB_TOKEN to kick off a pages build seems to work fine in private repositories—at least it has for me. I haven't really dug into the documentation much, but I wonder if the problem you're seeing might simply be a function of the currently limited beta?

GitHub Actions is limited to private repositories and push events in public repositories during the limited public beta.

alex-page commented 5 years ago

@maxheld83 Thanks for documenting this, I spent a ton of time trying to figure out why my environment was not building!

gr2m commented 5 years ago

Did you try https://x-access-token:<GITHUB_TOKEN>@github.com/owner/repo.git? I’ve heard that worked for others to push updates to the repository from an action, but didn’t use it myself yet.

See https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/#http-based-git-access-by-an-installation - I know this is for installations, but I think actions are sharing some implementation logic or something

alex-page commented 5 years ago

@gr2m I didn't get to give that a go. I will definitely give that a go in the next few weeks!

gr2m commented 5 years ago

I just tested it and it works: https://github.com/gr2m/ghpages/tree/gh-pages

Pull request incoming

alex-page commented 5 years ago

~Thanks @gr2m this works great!~

~https://github.com/alex-page/alex-page/blob/f17cca0ac31dca924737045d152a25384c350bf9/scripts/deploy.js#L16~

This appears to work but the environment does not build on deployment; you can read more here: https://github.com/maxheld83/ghpages/pull/18

a-recknagel commented 5 years ago

What kind of permissions does the PAT need in order to be able to push? There is no checkbox there that says "push_rights".

wei commented 5 years ago

repo

maxheld83 commented 4 years ago

closing this in favor of #18