stefanzweifel / git-auto-commit-action

Automatically commit and push changed files back to GitHub with this GitHub Action for the 80% use case.
MIT License

The workflow fails to run #266

Closed fluentmoheshwar closed 1 year ago

fluentmoheshwar commented 1 year ago

git-auto-commit Version

v4.15.4

Machine Type

Ubuntu (eg. ubuntu-latest)

Bug description

The workflow fails to run and logs:

INPUT_PUSH_OPTIONS:
To https://github.com/fluentmoheshwar/fluentmoheshwar-site
 ! [remote rejected] main -> main (refusing to allow a GitHub App to create or update workflow .github/workflows/codeql.yml without workflows permission)
error: failed to push some refs to 'https://github.com/fluentmoheshwar/fluentmoheshwar-site'
Error: Invalid status code: 1

Steps to reproduce

Create a workflow like the example. Run it.

Tried solutions

No response

Example Workflow

name: "Prettier"

on:
  push:
    branches: ["main"]
jobs:
  fix:
    name: Fix formatting issues
    runs-on: ubuntu-latest
    permissions:
      actions: write
      contents: write
      security-events: write
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.head_ref }}

      - uses: actionsx/prettier@v2
        with:
          # prettier CLI arguments.
          args: --write .

      - uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: Prettified Code

Relevant log output

Run stefanzweifel/git-auto-commit-action@v4
Started: bash /home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v4/entrypoint.sh
INPUT_REPOSITORY value: .
INPUT_STATUS_OPTIONS: 
INPUT_FILE_PATTERN: .
INPUT_BRANCH value: 
M   .github/workflows/codeql.yml
M   .github/workflows/prettier.yml
M   .prettierrc.yaml
M   .vscode/extensions.json
M   .vscode/settings.json
M   LICENSE.md
M   README.md
M   index.html
M   package.json
M   public/manifest.webmanifest
M   public/service-worker.js
M   src/app.js
M   src/style.css
M   vite.config.js
Your branch is up to date with 'origin/main'.
INPUT_ADD_OPTIONS: 
INPUT_FILE_PATTERN: .
INPUT_COMMIT_OPTIONS: 
INPUT_COMMIT_USER_NAME: github-actions[bot]
INPUT_COMMIT_USER_EMAIL: github-actions[bot]@users.noreply.github.com
INPUT_COMMIT_MESSAGE: Prettified Code
INPUT_COMMIT_AUTHOR: fluentmoheshwar <fluentmoheshwar@users.noreply.github.com>
[main 052cb6d] Prettified Code
 Author: fluentmoheshwar <fluentmoheshwar@users.noreply.github.com>
 14 files changed, 926 insertions(+), 854 deletions(-)
INPUT_TAGGING_MESSAGE: 
No tagging message supplied. No tag will be added.
INPUT_PUSH_OPTIONS: 
To https://github.com/fluentmoheshwar/fluentmoheshwar-site
 ! [remote rejected] main -> main (refusing to allow a GitHub App to create or update workflow `.github/workflows/codeql.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/fluentmoheshwar/fluentmoheshwar-site'
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v4/index.js:17:19)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5) {
  code: 1
}
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v4/index.js:17:19)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

stefanzweifel commented 1 year ago

Hi there

The output the Action produces isn't great here. The output is not related to INPUT_PUSH_OPTIONS. The Action just prints nothing if push_options is not set.

As you probably saw, this is the actual error:

To https://github.com/fluentmoheshwar/fluentmoheshwar-site
 ! [remote rejected] main -> main (refusing to allow a GitHub App to create or update workflow .github/workflows/codeql.yml without workflows permission)
error: failed to push some refs to 'https://github.com/fluentmoheshwar/fluentmoheshwar-site'

You use custom permissions in your workflow file. During the run the .github/workflows/codeql.yml file was updated. It's a workflow run. Apparently GitHub adds special protection to those files.

You have 2 options:

Update your workflow to use workflows: write permissions.

name: "Prettier"

on:
  push:
    branches: ["main"]
jobs:
  fix:
    name: Fix formatting issues
    runs-on: ubuntu-latest
    permissions:
      actions: write
      contents: write
      security-events: write
+     workflows: write
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.head_ref }}

      - uses: actionsx/prettier@v2
        with:
          # prettier CLI arguments.
          args: --write .

      - uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: Prettified Code
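
Review bot: the added `workflows: write` line under `permissions:` is not a key that the job-level `permissions` setting accepts, as the maintainer's follow-up in this thread acknowledges ("Doesn't seem so"). Drop that line and keep the block as it was. To let this job push edits to `.github/workflows/*.yml`, the later replies pass a personal access token to `actions/checkout` through `token:`; otherwise keep the workflow files out of what the formatter changes.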

Update your Prettier settings to not update .github/workflows/*.yml files.

fluentmoheshwar commented 1 year ago

image

fluentmoheshwar commented 1 year ago

@stefanzweifel can you help me with this?

stefanzweifel commented 1 year ago

Silly me thought workflows is a supported permission. Doesn't seem so. (Docs: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs)

A quick internet search for "refusing to allow a GitHub App to create or update workflow" shows results that all point to personal access tokens:

If you really need your workflow to change other workflow files, you need to create a new personal access token, add it as a secret to the repository and then reference it in the actions/checkout step (not in git-auto-commit).

See README for details: https://github.com/stefanzweifel/git-auto-commit-action#commits-made-by-this-action-do-not-trigger-new-workflow-runs

fluentmoheshwar commented 1 year ago

I tried those and they didn't work as I expected. So, I took a silly approach, but it works: I added run: echo ".github" > ".prettierignore". Then, before running auto commit, I added run: rm ".prettierignore", and I prettify the workflow files manually.


hudsonm62 commented 7 months ago

for future reference

I fixed this by creating a new PAT, gave it workflow access + repo access (not sure which ones I should have added), then copying the token into a GitHub Actions variable named WORKFLOW_TOKEN and assigning it in my actions/checkout:

    steps:
      - name: ⚙️ Checkout Repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          fetch-depth: 0
          token: ${{ secrets.WORKFLOW_TOKEN }}

fluentmoheshwar commented 7 months ago

Thank you
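
The workaround discussed in this thread (keep workflow files out of the auto-commit so the default token can still push) as an added example; it is not code from the thread or from git-auto-commit-action. It generalizes the `.prettierignore` trick by restoring any changed file under `.github/workflows` after the formatter has run; the function names and the sample repository are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: stay on the default GITHUB_TOKEN and guarantee that the
# commit never contains workflow files, so the push is not rejected.

# Print tracked files under .github/workflows that differ from HEAD
# (staged or unstaged) in the repository at $1.
changed_workflows() {
  git -C "$1" diff --name-only HEAD -- .github/workflows
}

# Restore every changed workflow file to its HEAD version.
# Prints the restored paths, one per line; all other edits are left alone.
restore_workflows() {
  target_repo=$1
  changed_workflows "$target_repo" | while IFS= read -r path; do
    git -C "$target_repo" checkout -q HEAD -- "$path"
    printf '%s\n' "$path"
  done
}

# Constructed sample repository: one workflow file and one source file,
# both modified after the initial commit, as a formatter run would leave them.
make_sample_repo() {
  sample=$(mktemp -d)
  git -C "$sample" init -q
  mkdir -p "$sample/.github/workflows" "$sample/src"
  printf 'name: CodeQL\n' > "$sample/.github/workflows/codeql.yml"
  printf 'let a=1\n' > "$sample/src/app.js"
  git -C "$sample" add -A
  git -C "$sample" -c user.name=sample -c user.email=sample@example.invalid \
    -c commit.gpgsign=false commit -q -m "initial"
  printf 'name: "CodeQL"\n' > "$sample/.github/workflows/codeql.yml"
  printf 'let a = 1;\n' > "$sample/src/app.js"
  printf '%s\n' "$sample"
}
```

In a workflow, `restore_workflows .` would run in a `run:` step between the formatter and the auto-commit step, which keeps the job on its `contents: write` token instead of a personal access token that can rewrite workflows.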