Github actions vs Protected master branch

Hello.

I’ve encountered a problem that I don’t seem to have found a clear solution for, despite reading through some threads here.

The master branch in my organization’s repository is protected from direct pushing by people, to avoid mishaps from the maintainers who have write access, as well as pull requests to it requiring one positive review.

I’ve got a github action which does a bit of automatic-changelog generation work, in essence taking a couple of files and compiling them into another file, then pushing to master, but it is unable to actually push to the master branch, while using the default GITHUB_TOKEN.

I thought about adding a token with admin access as a GitHub secret, but I am not sure how safe that really is, considering there are multiple people with write access to the repo.

Are there any good solutions for this, without compromising security, but also without involving additional manual work, as I intend the action to be a “setup and forget”?

@useroth,

Once you have added a secret, it is encrypted and only exposed to selected actions. GitHub automatically redacts secrets printed to the log, but you should also avoid printing secrets to the log intentionally. Setting the PAT as a secret is generally safe.

In addition, you referred to the docs about enabling branch restrictions to set "Branch protection rules" for the master branch in your repository, right?

When using the GITHUB_TOKEN to push, you can see it shows that the push is done by "github-actions[bot]". Maybe after you set branch restrictions, this bot account will also be restricted. So you can try to search for the bot account and add it to the allow list of accounts that can push to master, to see if that works.
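As an added example (not from either poster), here is what the PAT-as-secret approach looks like in a workflow: the default GITHUB_TOKEN stays read-only and only the checkout step receives the PAT, so the later push authenticates as the PAT owner rather than as github-actions[bot]. The secret name `CHANGELOG_PAT` and the `changelog.d/*.md` fragment layout are assumptions.

```yaml
name: changelog
on:
  push:
    branches: [master]
    # Ignore the generated file so the workflow's own push does not re-trigger it.
    paths-ignore: [CHANGELOG.md]

# Keep the default GITHUB_TOKEN read-only for every step; only the PAT stored
# in the CHANGELOG_PAT secret (hypothetical name) is able to push.
permissions:
  contents: read

jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The PAT is stored in the checkout's git credentials, so "git push"
          # below runs as the PAT owner, not as the blocked bot identity.
          token: ${{ secrets.CHANGELOG_PAT }}

      - name: Compile changelog fragments into one file
        # Stands in for the "couple of files compiled into another file" step.
        run: cat changelog.d/*.md > CHANGELOG.md

      - name: Commit and push only when the output changed
        # The token is never echoed; only file names and git output reach the log.
        run: |
          git config user.name "changelog-bot"
          git config user.email "changelog-bot@users.noreply.github.com"
          if git diff --quiet -- CHANGELOG.md; then
            echo "CHANGELOG.md unchanged, nothing to push"
            exit 0
          fi
          git add CHANGELOG.md
          git commit -m "chore: regenerate CHANGELOG.md"
          git push origin HEAD:master
```

The push is attributed to the PAT's owner, so that account (not the bot) is the one the branch protection rule must allow to push without a review. Anyone who can change the workflow file can make it use the secret, so give the PAT the narrowest scope that still permits this push.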

Hi, I’m having the same issue.

The workflow modifies the changelog, and I want to push it to a protected branch which requires 1 reviewer. When I disable this, it works, but it isn’t very safe.

I tried adding the github-actions bot to the restricted list of people that can push, but it is not available to add.