git-auto-commit-action: Not working on a protected branch

Version of the Action v4.4.0

Describe the bug Not working with a protected branch despite the project enabling force-pushes.

Screenshots: [image]

Used Workflow https://github.com/daos-stack/pipeline-lib/blob/master/.github/workflows/update_pipeline_lib_branch.yml

The failed action: https://github.com/daos-stack/pipeline-lib/runs/900246701?check_suite_focus=true

I was able to push from the CLI:

$ git push origin HEAD:master
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 380 bytes | 380.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
To github.com:daos-stack/pipeline-lib.git
   a1bf9ea..fb2658d  HEAD -> master

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 23 (12 by maintainers)

Most upvoted comments

We may use GitHub Apps - Consistently allow GitHub Apps as exceptions to branch protection rules.

Authenticating as a GitHub App in a GitHub Actions workflow.

- name: Create Token
  id: create_token
  uses: tibdex/github-app-token@v2
  with:
    app_id: ${{ secrets.APP_ID }}
    private_key: ${{ secrets.APP_PRIVATE_KEY }}

- uses: actions/checkout@v4
  with:
    token: ${{ steps.create_token.outputs.token }}

@dimitarspassov Using this Action with a PAT shouldn’t cause recursive workflows runs automatically. It all depends on what your workflow is changing.

For example, if your workflow is storing the current time and date in a text file (date > current-date.txt), and you commit and push the file to the remote repository with a PAT, it will definitely cause endless recursive workflow runs.

If your workflow does something similar and every time it runs would commit something, I think you should be able to prevent the endless workflow runs by using if conditions on the job. (Docs about if conditions)

The above example could look like this: The workflow clones the repo, writes the current time in a txt-file and commits the changes back to the repo by using a PAT. However, the job itself is protected by an if-clause and will only run if the user who started the workflow run is not org-bot.

name: My Workflow

on: push

jobs:
  my-workflow:

    # ↓ This condition is important
    if: github.actor != 'org-bot' 

    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        token: ${{ secrets.PAT }}
        ref: ${{ github.head_ref }}

    # ...

    - run: date > current-date.txt

    - uses: stefanzweifel/git-auto-commit-action@v4
      with:
        commit_message: My Commit Message
        branch: ${{ github.head_ref }}
        commit_user_name: org-bot

But please note: I’m not 100% sure this actually works. I’m not sure if commit_user_name and github.actor are the same values or if you would have to use the actual GitHub username of your bot account here.
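Putting the two suggestions in this thread together (a GitHub App token to get past branch protection, and a job-level if condition to stop the push from re-triggering the same workflow), here is a complete workflow as an added example. It is not code from the thread, from the action, or from its README. It assumes a GitHub App with the hypothetical slug my-commit-app (so its pushes show up with the actor my-commit-app[bot]) that is installed on the repository with contents: write permission and is listed as a bypass actor in the branch protection rule; the secret names APP_ID and APP_PRIVATE_KEY, the branch name main and the file name current-date.txt are assumptions as well.

```yaml
name: Update current date

on:
  push:
    branches: [main]

# Least privilege: the default GITHUB_TOKEN is not used for the push, so it
# only needs read access. The App token carries the write permission.
permissions:
  contents: read

jobs:
  regenerate:
    # Recursion guard. github.actor is the login whose credentials made the
    # push that triggered this run. For an App installation token that is
    # "<app-slug>[bot]" (assumed slug: my-commit-app); for a PAT it is the
    # bot user's login. It is NOT the commit_user_name set below.
    if: github.actor != 'my-commit-app[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Create App installation token
        id: app-token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          # Check out with the App token so the push later in the job uses it
          # and is accepted by the branch protection rule as a bypass actor.
          token: ${{ steps.app-token.outputs.token }}

      - run: date > current-date.txt

      - uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: "chore: update current-date.txt"
          # Author/committer shown in git log; purely cosmetic for the guard.
          commit_user_name: my-commit-app[bot]
          commit_user_email: my-commit-app[bot]@users.noreply.github.com
```

On the open question above: commit_user_name only sets the name in the git commit object, while github.actor is the account whose credentials performed the push, so the if condition has to compare against that login (the bot user's login for a PAT, <app-slug>[bot] for an App token). The guard matters because pushes made with a PAT or App token do trigger workflows, unlike pushes made with the default GITHUB_TOKEN. A second, actor-independent safety net is to end the commit message with [skip ci], which GitHub honours for push and pull_request events.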

Thank you @stefanzweifel.

Could you please clarify which scopes are needed for the Personal Access Token to work? The full list with descriptions is here: https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps

I’m guessing something like repo:status but maybe full repo is needed?

Additionally GitHub just released a “new version” of Personal Access Tokens - https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/ - do you think it’s possible to use those instead? Will it work without any code change in the action?

Thanks in advance 😃

edit: if you will be able to assist me understanding these I'd be happy to contribute - either to README to clarify or to code if some code change would be needed.

Thank you for your reply! We set it up with a PAT and made that user Admin in this repo and it worked without push_options: --force

@stefanzweifel Yep, I agree with your conclusion. I will have to reconsider the general approach. Thanks for the quick answer again!

Just a quick update: I've updated the README with a note on protected branches. In addition to the --force option which has to be passed to the Action, I've also added a note on the need for a PAT.

https://github.com/stefanzweifel/git-auto-commit-action#push-to-protected-branches

I’m closing this issue for now. If you think your issue is not resolved or have any other question, feel free to reopen or create a new issue.

@brianjmurrell

As @stefanzweifel said: I have created @ergebnis-bot and use its personal access token in repositories I control.

Similarly, in other organizations we have also created bot accounts. Secrets can be easily shared using organization secrets.

Another user recently mentioned this problem in an already closed issue (https://github.com/stefanzweifel/git-auto-commit-action/issues/71#issuecomment-660470689).

I didn’t have the time yet to test it myself, but could you try creating a Personal Access Token (PAT) and use that token instead of the normal secrets.GITHUB_TOKEN?

https://github.com/stefanzweifel/git-auto-commit-action#commits-of-this-action-do-not-trigger-new-workflow-runs

Will update the README accordingly when we’ve found the solution that works for everybody.