Able to commit workflow files without "workflow" OAuth scope

I’m using a Personal Access Token to work with a repo over HTTPS. The token has “repo” and “gist” OAuth scopes, and does not have the “workflow” scope, but I find that I am able to push commits that have new or modified GitHub Actions workflow files anyway. Isn’t this supposed to be disallowed?

I have a colleague who is getting the “refusing to allow an OAuth App to create or update workflow” error when he tries similar things from a similar setup. I’m not sure yet what the difference is in what we’re doing.

Hi @nickwalkmsft ,

Do you encounter the same issue here? Please try to reset the password with a new personal access token in Credential Manager on Windows, and retry the commit push afterwards.

Thanks.

Yes, even after generating and using a new token, I am still able to push commits containing changes to workflows even though the token does not have “workflow” scope.

Hi @nickwalkmsft ,

With a token that has the ‘repo, gist’ OAuth scopes, working with the repo over HTTPS, it’s allowed to add/update workflow files.

However, with the same token, you cannot add/update a workflow file with the code below:

steps:
    - uses: actions/checkout@v2

    - name: Edit yaml file
      run: |
        cd .github/workflows
        touch new.yaml
    - name: Commit files
      run: |
        git config --local user.email "test@github.com"
        git config --local user.name "test"
        git add .
        git commit -m "Add changes"
    - name: Push changes
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.PAT1 }}

This is because ‘actions/checkout’ adds the .extraheader property and persists the github_token for later git operations. If you add the parameter persist-credentials: false to the action, the error will be gone, and the push will be successful.

    - uses: actions/checkout@v2
      with:
        persist-credentials: false

Could you please confirm how your colleague did the git settings and operation?

Thanks.
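As an added example (not part of the thread or of any GitHub tooling), the sketch below audits workflow text for the pattern described in the reply above: an actions/checkout step that leaves credentials persisted, followed by a step that passes its own github_token. The function names, the indentation-based step splitting (a heuristic, not a YAML parser) and the abridged sample are assumptions made for illustration.

```python
import re

# Constructed sample: the steps from the thread, abridged.
SAMPLE_STEPS = """\
steps:
    - uses: actions/checkout@v2

    - name: Commit files
      run: |
        git add .
        git commit -m "Add changes"
    - name: Push changes
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.PAT1 }}
"""

CHECKOUT = re.compile(r"^\s*(?:-\s+)?uses:\s*actions/checkout@", re.M)
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*$", re.M)
OTHER_TOKEN = re.compile(r"^\s*github_token:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}", re.M)


def split_steps(text):
    """Return the step blocks under each 'steps:' key (indentation heuristic)."""
    steps, indent, in_steps = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        depth = len(line) - len(line.lstrip())
        if stripped == "steps:":
            in_steps, indent = True, None
            continue
        if not in_steps or not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- ") and indent in (None, depth):
            indent = depth               # a new step at the list's own indent
            steps.append(line)
        elif indent is not None and depth > indent:
            steps[-1] += "\n" + line     # continuation of the current step
        else:
            in_steps = False             # dedent: left the steps list
    return steps


def audit(text):
    """List (step number, secret name) for steps whose token follows a persisting checkout."""
    findings, persisted = [], False
    for number, step in enumerate(split_steps(text), start=1):
        if CHECKOUT.search(step):
            persisted = not PERSIST_OFF.search(step)
            continue
        match = OTHER_TOKEN.search(step)
        if match and persisted:
            findings.append((number, match.group(1)))
    return findings
```

Running `audit` on the sample flags the push step; adding `persist-credentials: false` to the checkout step clears the finding.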