Bypass status check only for the initial push #24615

riywo · 2022-05-30T07:33:58Z

riywo
May 30, 2022

When I enable a branch protection for releases/* with “Require status checks to pass before merging”, no one except administrators can create a new branch under releases/* even if the commit is already approved and merged into the other branch with the proper status checks.

When I also enable “Include administrators” for the branch protection, no one can create a new branch under releases/* including the administrators.

I tried this workaround but it looks only for PR. Troubleshooting required status checks - GitHub Docs In this situation, we need to create a branch first to create a PR i.e. deadlock here.

Is there any workaround? Currently, the only workaround I found is disabling “Include administrators.” This workaround also enables automated push by Deploy keys because it has administrator privileges. Managing deploy keys - GitHub Docs However, “Include administrators” should be enabled. Also, this workaround doesn’t apply to GitHub App token or PAT or GITHUB_TOKEN.

Answered by riywo

May 30, 2022

Now I got the proper workaround.

First, push the target commit to a non-protected branch (I used a GitHub Actions workflow). Then, trigger a GitHub Actions workflow on push branch event with GitHub App token which is specified to allow bypass pull request for the protected branch (“Allow specified actors to bypass required pull requests”). In the workflow, run a job named the same as the check status job (approved in this example) before pushing to the protected branch.

jobs:
  approved:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Approved!"
  push:
    runs-on: ubuntu-latest
    needs: [ approved ]
    steps:
      - id: generate-token
        uses: tibdex/github-app-token@v…

View full answer

riywo · 2022-05-30T07:41:48Z

riywo
May 30, 2022
Author

Another workaround would be keeping a single release branch and reusing it for every release…

0 replies

riywo · 2022-05-30T08:28:13Z

riywo
May 30, 2022
Author

Tried an empty commit but it still requires status check:

$ git switch --orphan releases/empty Switched to a new branch 'releases/empty' $ git commit --allow-empty -m "initial commit" [releases/empty (root-commit) 0000000] initial commit

$ git push origin releases/empty Enumerating objects: 2, done. Counting objects: 100% (2/2), done. Writing objects: 100% (2/2), 171 bytes | 171.00 KiB/s, done. Total 2 (delta 0), reused 0 (delta 0), pack-reused 0 remote: error: GH006: Protected branch update failed for refs/heads/releases/empty. remote: error: Required status check "approved" is expected. Changes must be made through a pull request.

0 replies

riywo · 2022-05-30T08:40:42Z

riywo
May 30, 2022
Author

Ah, looks like this part was wrong. If the exact same commit has the passed status check, it can pass the protection rule:

even if the commit is already approved and merged into the other branch with the proper status checks.

Now the error is only:

remote: error: Changes must be made through a pull request.

0 replies

riywo · 2022-05-30T09:06:21Z

riywo
May 30, 2022
Author

Now I got the proper workaround.

First, push the target commit to a non-protected branch (I used a GitHub Actions workflow). Then, trigger a GitHub Actions workflow on push branch event with GitHub App token which is specified to allow bypass pull request for the protected branch (“Allow specified actors to bypass required pull requests”). In the workflow, run a job named the same as the check status job (approved in this example) before pushing to the protected branch.

jobs:
  approved:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Approved!"
  push:
    runs-on: ubuntu-latest
    needs: [ approved ]
    steps:
      - id: generate-token
        uses: tibdex/github-app-token@v1
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.PRIVATE_KEY }}
      - uses: actions/checkout@v3
        with:
          token: ${{ steps.generate-token.outputs.token }}
      - run: git push origin releases/test

With this workaround, I can keep “Require a pull request before merging”, “Require status checks to pass before merging”, “Include administrators”, and “Restrict who can push to matching branches” all enabled! Also, even if the commit is “approved”, administrators still can’t create the protected branch because of " Organization and repository administrators These members cannot bypass", which is good actually since we want to create the protected branch only by the GitHub App.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Bypass status check only for the initial push #24615

{{title}}

Replies: 4 comments

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

GitHub Community

Bypass status check only for the initial push #24615

riywo May 30, 2022

Replies: 4 comments

riywo May 30, 2022 Author

riywo May 30, 2022 Author

riywo May 30, 2022 Author

riywo May 30, 2022 Author

riywo
May 30, 2022

riywo
May 30, 2022
Author

riywo
May 30, 2022
Author

riywo
May 30, 2022
Author

riywo
May 30, 2022
Author