stefanzweifel / git-auto-commit-action

Automatically commit and push changed files back to GitHub with this GitHub Action for the 80% use case.
MIT License

Permission denied despite having fine-grained PAT #318

Closed kjy5 closed 5 months ago

kjy5 commented 5 months ago

git-auto-commit Version

v5.0.0

Machine Type

Ubuntu (eg. ubuntu-latest)

Bug description

The action was denied remote permissions (to push) and failed.

Steps to reproduce

See this workflow run.

Tried solutions

Example Workflow

name: Autoformat and Lint

on:
  pull_request:
  push:
    branches:
      - main
  merge_group:

jobs:
  autoformat-and-lint:
    name: Autoformat and Lint
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: write

    steps:
      - name: 🛎 Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.WORKFLOW_COMMIT }}

      - name: 🐍 Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.12'
          cache: 'pip'

      - name: 📦 Install Hatch
        run: pip install hatch

      - name: 📝 Format Code
        run: hatch fmt -f

      - name: ✅ Commit code format changes
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: "Autoformat code"
          skip_fetch: true
          skip_checkout: true

      - name: 🔍 Lint
        run: hatch fmt --check

Relevant log output

Run stefanzweifel/git-auto-commit-action@v5
Started: bash /home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/entrypoint.sh
INPUT_REPOSITORY value: .
INPUT_STATUS_OPTIONS: 
INPUT_FILE_PATTERN: .
INPUT_BRANCH value: 306-fix-auto-commit-not-working
INPUT_ADD_OPTIONS: 
INPUT_FILE_PATTERN: .
INPUT_COMMIT_OPTIONS: 
INPUT_COMMIT_USER_NAME: github-actions[bot]
INPUT_COMMIT_USER_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
INPUT_COMMIT_MESSAGE: Autoformat code
INPUT_COMMIT_AUTHOR: kjy5 <kjy5@users.noreply.github.com>
[306-fix-auto-commit-not-working 6693a76] Autoformat code
 Author: kjy5 <kjy5@users.noreply.github.com>
 1 file changed, 1 insertion(+), 1 deletion(-)
INPUT_TAGGING_MESSAGE: 
No tagging message supplied. No tag will be added.
INPUT_PUSH_OPTIONS: 
remote: Permission to VirtualBrainLab/ephys-link.git denied to kjy5.
fatal: unable to access 'https://github.com/VirtualBrainLab/ephys-link/': The requested URL returned error: 403
Error: Invalid status code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:514:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5) {
  code: 128
}
Error: Invalid status code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:514:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5)

kjy5 commented 5 months ago

Turns out you need to set the PAT's resource owner to the organization... This didn't seem to be a thing before but this solved it for me.

stefanzweifel commented 5 months ago

Thanks for sharing the solution here @kjy5.

Zamiell commented 4 months ago

> Turns out you need to set the PAT's resource owner to the organization... This didn't seem to be a thing before but this solved it for me.

@kjy5 I'm having the same issue as the OP. I assume PAT stands for personal access token, but can you please go into a bit more detail on how to accomplish this?

stefanzweifel commented 4 months ago

@Zamiell Yes, PAT stands for personal access token. When you create a new fine-grained personal access token you can define the resource owner.

In my case I can select my personal account or one of the organisations I'm part of. (Funny though, that I currently can only select an organisation I only rarely participate in, but not my primary work org.)

Zamiell commented 4 months ago

Thanks @stefanzweifel. However, I'm a bit confused. Why do I have to create a fine-grained personal access token? Why can't I use the automatic one that is created for use in GitHub actions (and is recommended in this repository's README.md file)?

stefanzweifel commented 4 months ago

@Zamiell You definitely don't need to create and use a fine-grained personal access token to use this Action, if your requirements are relatively simple. (I personally never had the need to use a PAT in any of my personal or work projects.)

A PAT is required if you want a commit made by this Action to trigger other workflows, or when you've set up branch protection in your repository.

That these scenarios don't work with the default GITHUB_TOKEN is due to how GitHub designed GitHub Actions and the security model around it. That's not something I can change.

kjy5 commented 4 months ago

As mentioned, fine-grained tokens are not required. I've just been using them because they're the new method. They honestly work the same.
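
Added example, not part of the thread or of the action's own code: a shell helper that triages the `Permission to ... denied to ...` line from the log output above, using the fact that a fine-grained PAT is scoped to a single resource owner and that the default GITHUB_TOKEN pushes as `github-actions[bot]`. The function name and the three class labels are made up for this example; the first two sample log lines are taken from the issue.

```shell
#!/usr/bin/env bash
# Reads a workflow log on stdin and prints: <class> <owner>/<repo> <actor>
# Class labels are hypothetical names chosen for this example.
classify_push_denial() {
  local line repo actor owner actor_lc owner_lc
  # Line git prints when the server rejects the credential for a push.
  line=$(grep -m1 -E '^remote: Permission to [^ ]+ denied to [^ ]+\.$' || true)
  if [ -z "$line" ]; then
    echo "no-denial"
    return 0
  fi
  repo=$(printf '%s\n' "$line" | sed -E 's/^remote: Permission to ([^ ]+) denied to .*$/\1/')
  repo=${repo%.git}
  actor=$(printf '%s\n' "$line" | sed -E 's/^.* denied to ([^ ]+)\.$/\1/')
  owner=${repo%%/*}
  # GitHub logins are case-insensitive, so compare in lower case.
  actor_lc=$(printf '%s' "$actor" | tr '[:upper:]' '[:lower:]')
  owner_lc=$(printf '%s' "$owner" | tr '[:upper:]' '[:lower:]')
  case "$actor_lc" in
    'github-actions[bot]')
      # Default GITHUB_TOKEN was used: check `permissions: contents: write`.
      echo "github-token-no-write $repo $actor" ;;
    "$owner_lc")
      # Token user owns the repo: the token lacks write access to it.
      echo "token-missing-write $repo $actor" ;;
    *)
      # Token user differs from the repo owner (for example an organization):
      # for a fine-grained PAT, check that the resource owner is that
      # organization and that the repository is selected with write access.
      echo "owner-mismatch $repo $actor" ;;
  esac
}

# Sample input: first two lines are from the issue's log, used as test data.
SAMPLE_LOG="INPUT_PUSH_OPTIONS:
remote: Permission to VirtualBrainLab/ephys-link.git denied to kjy5.
fatal: unable to access 'https://github.com/VirtualBrainLab/ephys-link/': The requested URL returned error: 403"

printf '%s\n' "$SAMPLE_LOG" | classify_push_denial
```
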