Getting "refusing to allow a GitHub App to create or update workflow `.github/workflows/xxxxx.yml` without `workflows` permission" error, even though no workflow file is modified

This is the minimal workflow YAML to reproduce the error.

    name: create-branch

    on: push

    jobs:
      create-branch:
        name: create-branch
        runs-on: ubuntu-latest
        permissions:
          contents: write
          issues: write
        steps:
          - uses: actions/checkout@v3
            with:
              fetch-depth: 0
          - run: |
              git fetch
              git checkout -b new_release v2022.24.2
              git push -u origin new_release

As this code shows, there is no step to modify workflows.

I have discovered that I get no error when I check out the branch from the main branch, but from the tag v2022.24.2 I get the error in the title of this post.

Why do I get this error?


Probably because you’re creating a new branch, so the workflow files are new to that branch.


> so the workflow files are new to that branch

Thanks, I got the point.

Now, I gave up creating a new branch in workflows, and am just using the GitHub API instead to create a new branch.

However, it is pretty strange that I don’t get this error when I check out a new branch from main, which also has the same workflow files as the v2022.24.2 branch has.

If what @airtower-luna says is true, the branch to be checked out from should not matter, but it does.

I still don’t get this.

What exactly do you mean by "checked out a new branch from main"? Do you create the branch on your machine and then push it?

I mean steps like this.

    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - run: |
          git fetch
          git checkout -b new_release
          git push -u origin new_release

git checkout creates a new branch from main, not a tag.

Hm, that’s a good point, it shouldn’t matter whether the starting point is a branch or tag. Though maybe the exact commit matters. In the version where you start from a branch you start from the GITHUB_REF of the workflow run. How does the tag in the first version relate to that?
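The last reply asks how the tag relates to the commit the workflow run started from. As an added example (not code from any poster in this thread), the shell functions below list the workflow files that differ between two revisions. The sample repository, its tag `v0` and the function names are constructed for illustration, and the script only compares file contents; it does not reproduce GitHub's server-side check.

```shell
#!/bin/sh
# Added example: compare .github/workflows between two revisions.
# $1 = repo dir, $2 = base rev (e.g. the run's commit), $3 = rev to be pushed (e.g. the tag)

# Prints one "STATUS<TAB>path" line per differing workflow file; nothing if identical.
workflow_diff() {
  git -C "$1" diff --name-status "$2" "$3" -- .github/workflows
}

# Exit status 0 when both revisions carry identical workflow files, 1 otherwise.
same_workflows() {
  git -C "$1" diff --quiet "$2" "$3" -- .github/workflows
}

# Constructed sample repo: tag v0 points at an older commit whose workflow
# files differ from the ones on the current branch tip.
make_sample_repo() (
  d=$(mktemp -d) || exit 1
  g() { git -C "$d" -c user.name=example -c user.email=example@example.invalid "$@"; }
  git init -q "$d" || exit 1
  mkdir -p "$d/.github/workflows"
  printf 'name: ci\non: push\n' > "$d/.github/workflows/ci.yml"
  g add -A && g commit -q -m "initial workflow" && g tag v0 || exit 1
  printf 'name: ci\non: [push, pull_request]\n' > "$d/.github/workflows/ci.yml"
  printf 'name: release\non: workflow_dispatch\n' > "$d/.github/workflows/release.yml"
  g add -A && g commit -q -m "update workflows" || exit 1
  printf '%s\n' "$d"
)

# Demo on the constructed repo: HEAD plays the run's commit, v0 plays the tag.
demo_repo=$(make_sample_repo) && {
  if same_workflows "$demo_repo" HEAD v0; then
    echo "workflow files are identical at HEAD and v0"
  else
    echo "workflow files differ between HEAD and v0:"
    workflow_diff "$demo_repo" HEAD v0
  fi
  rm -rf "$demo_repo"
}
```

In the job from the question, the equivalent call after the checkout step would be `workflow_diff . "$GITHUB_SHA" v2022.24.2`.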