Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fails to push tags to protected main branch #387

Open
parnavh opened this issue Aug 11, 2024 · 8 comments
Open

Fails to push tags to protected main branch #387

parnavh opened this issue Aug 11, 2024 · 8 comments

Comments

@parnavh
Copy link

parnavh commented Aug 11, 2024

The github action is configured using this workflow file:

name: Release

on:
  push:
    branches:
      - main

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9

      - name: Setup Node.js 20
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: "pnpm"

      - name: Install Dependencies
        run: pnpm install

      - name: Create Github Release
        uses: changesets/action@v1
        with:
          commit: "chore(release): 📦 version packages"
          title: "chore(release): 📦  version packages"
          publish: pnpm changeset tag
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}

I am not publishing to npm, so just running changeset tag so that the github release is created.

The tags gets generated but fail to push to the main citing git error 128 insufficient permissions.

The log for the action:

Run changesets/action@v1
  with:
    commit: chore(release): 📦 version packages
    title: chore(release): 📦  version packages
    publish: pnpm changeset tag
    setupGitUser: true
    createGithubReleases: true
  env:
    PNPM_HOME: /home/runner/setup-pnpm/node_modules/.bin
    GITHUB_TOKEN: ***
setting git user
/usr/bin/git config user.name "github-actions[bot]"
/usr/bin/git config user.email "github-actions[bot]@users.noreply.github.com"
setting GitHub credentials
No changesets found, attempting to publish any unpublished packages to npm
No user .npmrc file found, creating one
/home/runner/setup-pnpm/node_modules/.bin/pnpm changeset tag
🦋  New tag:  v0.1.3
/usr/bin/git push origin --tags
remote: Permission to parnavh/gregmat-buddy.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/parnavh/gregmat-buddy/': The requested URL returned error: 403
Error: Error: The process '/usr/bin/git' failed with exit code 128
Error: The process '/usr/bin/git' failed with exit code 128

I have given the PAT write permission to content, issues and PRs.

I have a ruleset that has the following branch rules: Restrict deletions and Block force pushes. This ruleset was initially enabled which caused this error and the action was successful when the ruleset was disabled. I dont see any force pushes happening in the logs, is there a particular reason why this fails, and will I have to add myself as an exception to the ruleset in order to make it work?

refs:
failing action
successful action after disabling ruleset
tree at the time of discovery

@almahdi404
Copy link

Did you find any solution?

@parnavh
Copy link
Author

parnavh commented Sep 3, 2024

No, but I did find a workaround, I just added the PAT owner (myself) to the exception list and it works now

@almahdi404
Copy link

almahdi404 commented Sep 3, 2024

I am also adding a repo scoped PAT.

And i don't know how it's working for everyone else.

@parnavh
Copy link
Author

parnavh commented Sep 3, 2024

Maybe we made some mistake, but this works till the devs get a chance to check this out

@almahdi404
Copy link

Found the correct solution

permissions:
  id-token: write
  contents: write
  pull-requests: write

Not sure if id-token is necessary.

@parnavh
Copy link
Author

parnavh commented Sep 8, 2024

Works on a protected main branch? Strange... didn't work for me

@almahdi404
Copy link

I am not using protect rules. But that is what i needed.

Anyways, permissions should be added in the Usage examples.

@almahdi404
Copy link

One more thing

You are probably using an organization, which means you must first enable this behavior on the organization level and then on the repository level

Go to https://github.com/organizations/YOUR_ORG/settings/actions and check Allow GitHub Actions to create and approve pull requests
Then go to https://github.com/YOUR_ORG/YOUR_REPO/settings/actions and check the box that previously was grayed out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants