Closed atodorov closed 3 months ago
Hi @atodorov,
As far as I know, the default token used by GitHub Actions can't have `workflows: write` permission.
Probably another security measure by GitHub, to prevent bad actions from stealing secrets from your repository.
(I can't find documentation about this, but I ran into similar issues years ago)
The easiest solution might be to create a personal access token (PAT) and add it to your workflow. https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
Will add a warning to the README to warn users, that the action can't modify workflow files.
> (I can't find documentation about this, but I ran into similar issues years ago)
Sadly I wasn't able to find documentation either, and trying to set

```yaml
permissions:
  workflows: write
```

is invalid syntax.
I also assume that the error message `refusing to allow a GitHub App to create or update workflow .github/workflows/main.yml without workflows permission` is just a UX error.
GitHub probably assumes that the push comes from a GitHub App, but GitHub Actions is not the same as a GitHub App. Maybe we can forward this to a feedback repo somewhere. 🤔
> GitHub probably assumes that the push comes from a GitHub App, but GitHub Actions is not the same as a GitHub App.
FTR I think in this case GitHub is correct. My commit (after I excluded the conflicting files) looks like this:

> atodorov authored and github-actions[bot] committed

Where https://github.com/apps/github-actions redirects to https://github.com/features/actions. Internally `github-actions` is just another app for which you are automatically authenticated!
@atodorov This seems like a reasonable explanation. 👍
Back to your original issue, have you tried the approach with a personal access token? I'm fairly certain that this will resolve your issue. Can try to reproduce this on my end in the coming days/weeks.
See https://github.com/stefanzweifel/git-auto-commit-action/issues/266#issuecomment-1859556587 for detail on creating and scoping a PAT for this.
Also https://github.com/stefanzweifel/git-auto-commit-action/issues/87#issuecomment-1939138661 for the nuclear option. They discuss setting up your own GitHub App to reliably commit to protected branches, but this "create an entire app and jump through lots of auth hurdles" approach would also apply to permitting a bot to do workflow editing. Maybe only worth it at scale across repos in a GitHub Org where PATs are forbidden.
I've updated the troubleshoot section in the README with a section that discusses this problem. We suggest using a PAT or the nuclear option of creating a GitHub app.
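The PAT approach discussed in this thread, written out as an added example workflow (not code from the issue, the README, or the kiwitcms repository). It assumes a fine-grained PAT, scoped to this single repository with "Contents" and "Workflows" read/write, stored as a repository secret named `WORKFLOW_PAT`, and a hypothetical `./scripts/generate.sh` that produces the files to be committed.

```yaml
name: Auto-commit generated files

on:
  push:
    branches: [main]

# Keep the built-in GITHUB_TOKEN at least privilege: it only needs to read
# the repository. The push itself is authenticated with the PAT below, which
# is the only credential that may touch .github/workflows/.
permissions:
  contents: read

jobs:
  commit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Assumed secret name. A fine-grained PAT limited to this repo with
          # "Contents" and "Workflows" read/write is enough; a classic PAT
          # would need the broader "repo" and "workflow" scopes instead.
          token: ${{ secrets.WORKFLOW_PAT }}

      - name: Generate files
        # Hypothetical placeholder for the project's own generation step.
        run: ./scripts/generate.sh

      - uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: "chore: regenerate workflow files"
          # Restrict what the bot is allowed to stage so an unexpected change
          # elsewhere in the tree is not silently committed with it.
          file_pattern: ".github/workflows/*.yml"
```

Because the push is made with a PAT rather than GITHUB_TOKEN, the resulting commit will itself trigger workflow runs, so add a `paths` filter or a check on the commit author to avoid a loop.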
**git-auto-commit Version**

v5

**Machine Type**

Ubuntu (eg. ubuntu-latest)

**Bug description**

I have configured

```yaml
permission: write-all
```

and still get a failure because part of the commit is modifying GitHub actions files.

**Steps to reproduce**

https://github.com/kiwitcms/gitops/actions/runs/8056214742/job/22004837145?pr=5

**Tried solutions**

No response

**Example Workflow**

extracted from https://github.com/kiwitcms/gitops/pull/5/files