microsoft / Git-Credential-Manager-for-Windows

Secure Git credential storage for Windows with support for Visual Studio Team Services, GitHub, and Bitbucket multi-factor authentication.

Unable to push to GitHub if commits create or change GitHub workflows. #902

Closed thomthom closed 4 years ago

thomthom commented 4 years ago

Which Version of GCM are you using? Git Credential Manager for Windows version 1.20.0

Which service are you trying to connect to

Expected behavior: To be able to push my local changes to GitHub, including changes to GitHub Workflow.

Actual behavior: I'm getting an error saying it's rejected because OAuth apps without workflow scope:

 ! [remote rejected]   master -> master (refusing to allow an OAuth App to create or update workflow `.github/workflows/ci.yml` without `workflow` scope)

I'm running into this issue with my own projects where I have GitHub Actions set up, I'm not able to push any edits to my workflow.

I'm also running into this when I contribute to third party repos that change their workflow. I would be pulling upstream repo to my machine, then try to push back to my fork to sync - but that is then rejected.

I'm not sure (unfamiliar with the source), but I wonder if TokenScope.cs needs to be updated to request this scope? https://github.com/microsoft/Git-Credential-Manager-for-Windows/blob/0db46efb0ae51053b4e442081c5cffcb964f6736/GitHub.Authentication/Src/TokenScope.cs

dscho commented 4 years ago

For the record: I can push with the GCM-provided PAT just fine. See e.g. https://github.com/git/git/pull/743, where I was perfectly able to push this, but the GitHub App "GitGitGadget" was not (i.e. the latter reflects the behavior you described, but the former disagrees).

thomthom commented 4 years ago

@dscho - so you used git from the command line with your normal GitHub password and that worked?

I normally use GitFork, which uses GCM and I initially raised the issue there. The response was that they relied on GCM. That prompted me to try git directly from the command line and I found it also didn't work there for my case.

I did try to usehttppath and then provide a PAT I had generated myself with workflow token, but I have a lot of repos I use regularly, several with their own sub-repos and it quickly became a pain to try to enter credentials for each repo individually.

I also use two different github accounts, one for work and one for personal projects, so I cannot simply set a single personal PAT password for my machine. I also have some BitBucket repos so that also prevents me from using a global github PAT.

thomthom commented 4 years ago

That being said, for GitKraken, I had to log out and then log in again for Kraken to be able to push workflow changes. Could there be something similar here? I need to force GCM to forget my credentials and enter them again to refresh the token?

dscho commented 4 years ago

> That being said, for GitKraken, I had to log out and then log in again for Kraken to be able to push workflow changes. Could there be something similar here? I need to force GCM to forget my credentials and enter them again to refresh the token?

I imagine that to be the case.

thomthom commented 4 years ago

I went to Control Panel > User Accounts > Credential Manager and nuked any github related credentials.

I then made a change to a workflow file in a repo I had and pushed, entered my username and password (Not PAT) and then it worked fine.

I then tried GitFork, and it worked fine there as well.

I also got an email that a personal access token had been added to my account. But what puzzles me is that the token that got added only had git, repo tokens. So I don't fully understand why that works without workflow token. Nevertheless, I appear to be unblocked. :)

dscho commented 4 years ago

It is possible that that token was generated by an older GCM version that asked for a tighter scope.

thomthom commented 4 years ago

Very likely to have been quite an older version. I tried on a newer laptop I had and it "just worked".

However, TokenScope.cs doesn't seem to request Workflow scope ... or am I reading it wrong?

dscho commented 4 years ago

I'm unfamiliar with the source code. Maybe @mjcheetham has context?

mjcheetham commented 4 years ago

From the GitHub docs on OAuth scopes:

> workflow: Grants the ability to add and update GitHub Actions workflow files. Workflow files can be committed without this scope if the same file (with both the same path and contents) exists on another branch in the same repository.

It's likely that the reason sometimes pushes are working is because the file was already created in the master branch. Really the workflow scope should be included by default here. The workaround would be to manually create the PAT, or create the file in master branch via the web UI first.

It's also possible that if you're using the GitHub Visual Studio extension, that it has generated a PAT with the workflow scope and pre-filled the credential store, and GCM for Windows is just using that PAT with the correct scope.
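The scope rule quoted from the GitHub docs in the comment above, modelled as an added example (not part of the thread, not GCM code, and not GitHub's server implementation). It shows why a token without `workflow` scope can push an unchanged workflow file but not an edited one; the function names, blob ids and branch contents are constructed, and scopes are given in the comma-separated form of GitHub's `X-OAuth-Scopes` response header.

```python
# Added example: a model of the documented rule, using constructed data only.
WORKFLOW_DIR = ".github/workflows/"


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes style value ("repo, gist") into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def workflow_files_needing_scope(pushed_files, remote_branches):
    """Return pushed workflow paths that no remote branch already holds
    with the same path AND the same contents (compared by blob id)."""
    needing = []
    for path, blob in sorted(pushed_files.items()):
        if not path.startswith(WORKFLOW_DIR):
            continue  # ordinary files never need the workflow scope
        present = any(tree.get(path) == blob
                      for tree in remote_branches.values())
        if not present:
            needing.append(path)
    return needing


def push_allowed(token_scopes, pushed_files, remote_branches):
    """Return (allowed, workflow paths that required the scope)."""
    blocked = workflow_files_needing_scope(pushed_files, remote_branches)
    if blocked and "workflow" not in token_scopes:
        return False, blocked
    return True, blocked


# Constructed state: master already contains ci.yml with blob "blob-v1".
REMOTE = {"master": {".github/workflows/ci.yml": "blob-v1",
                     "README.md": "blob-r1"}}
NARROW = parse_scopes("gist, repo")            # token without workflow scope
WIDE = parse_scopes("gist, repo, workflow")    # token with workflow scope

# Same path and contents as on master: accepted even with the narrow token.
SYNC_PUSH = {".github/workflows/ci.yml": "blob-v1", "src/app.c": "blob-s2"}
# Edited workflow file (new blob id): needs the workflow scope.
EDIT_PUSH = {".github/workflows/ci.yml": "blob-v2"}

if __name__ == "__main__":
    for name, push in (("sync", SYNC_PUSH), ("edit", EDIT_PUSH)):
        for label, scopes in (("narrow", NARROW), ("wide", WIDE)):
            print(name, label, push_allowed(scopes, push, REMOTE))
```
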

thomthom commented 4 years ago

On the machine where it didn't work I nuked anything github related in the credential store, then I used the command line to push a change to a workflow - it then prompted me for username and password. (At least I think I got all of it... I do use VSCode and Visual Studio, I've had/have GitHub extensions for each.)

Prior to that it refused to push changes.

I have not tested with creating a new workflow and pushing that. Didn't occur to me that it could be handled differently.