GITHUB_TOKEN cannot issue /dispatches call with write-all permissions

When taking a GITHUB_TOKEN from a workflow run (while the run is still running, so it isn’t yet expired) and trying to call repository dispatch results in a 204 but an action isn’t created. Calling that same dispatches endpoint with my PAT works correctly.

Steps To Reproduce

Reproduction can be seen in this repo: GitHub - benkaiser/testing-web-action-persistence: Testing out triggering github actions via the web

Steps to reproduce the behavior:

  1. Create the same repo under your own account
  2. Run “Testing Token” ( token.yml ) workflow
  3. Grab GITHUB_TOKEN that is output from the node.js file. Note that a hyphen is added as the second character to bust the obfuscation in the logs.
  4. An any browser tab (e.g. from a github pages site) run the fetch request in examples/request.js
    replacing the repo user/name with your repo and the Bearer token with your GITHUB_TOKEN pulled from the previous step (making sure to remove the added hyphen second character).
  5. Note that even though you receive a 204 indicating a successful request, the action does not actually start on the repo.

If you run the same request.js in step 4 above with a PAT with workflow permissions, you’ll receive a 204 and the action will successfully fire.

Expected behavior
GITHUB_TOKEN with all permissions should be able to successfully trigger actions via /dispatches endpoint.

1 Like

Hi @benkaiser, welcome to the GitHub Support Community! I believe this is still an intentional limitation of the GITHUB_TOKEN to prevent inadvertent infinite looping of workflows.

That said, in my opinion, intentionally granting these permissions in a workflow file probably should allow you to do this. I’ll pass this thread on to the actions team as feedback for this feature. :+1: