How to push to protected branches in a GitHub Action

Yes, please, good idea! It would be awesome if “GitHub App” can be added here:

How can we ask for it?

8 Likes

It’s not possible. I found the answer here: https://github.community/t5/GitHub-Actions/Allowing-github-actions-bot-to-push-to-protected-branch/m-p/34454#M1924

1 Like

@phips28 wrote:

I created a personal access token.
I am admin in the repo, and admins have write access without restriction to protected branches.

Then added this token to the Secrets page (…/settings/secrets) as GITHUB_TOKEN_PHIL.

In the workflow file I override the pseudo token GITHUB_TOKEN:

- name: 'Bump Version'
  uses: 'phips28/gh-action-bump-version@master'
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN_PHIL }}

Now the action can push to the protected branch.

 

BUT this results in an endless workflow: the push triggers another action, and so on…
This behavior doesn’t appear if I use the default pseudo token and remove the protected state. In this case the action triggers once, and there is no trigger after the action pushed to the branch. (That’s how it should be.)
@chrispat is that inconsistency a bug? A push from an action should not trigger an action again IMO.

Your solution worked for me. I didn’t experience an endless workflow though. Probably because I wasn’t pushing back to the same branch. In your case, you might want to dig into the events to see if it holds some kind of information that lets you distinguish between whether the workflow was triggered by an actual person or if it was triggered by an action.

1 Like

I tried to do as others, to use custom token with all rights possible and it still doesn’t work, branch protection doesn’t let it go through:

https://github.com/derberg/generator/blob/master/.github/workflows/release.yml

I don’t get why this topic is not addressed and integrated with CodeOwners, if they have no better idea to solve it. Typical flows are not supported: this one, and the other about working through forks, where GITHUB_TOKEN suddenly becomes read-only.

2 Likes

I was expecting this option too. We are implementing a bot doing some chores by adding some commits optionally to master. I really want this to happen!

1 Like

Do we have a better solution for solving this issue now?

It is pretty painful that I have to raise a PR to do the manual merge.

5 Likes

That’s exactly what I expected!

I didn’t get how the automated workflow for a release should work if there is no way to let the github-actions bot push to protected branches.

I would really love to see this feature in the near future. (Add a GitHub App to the allow-push list.)

4 Likes

It should really be possible to mark that the Actions token is allowed to bypass the branch protections. Not as a default behavior, but certainly as an opt-in toggle.

3 Likes

I’m in this same boat here. Forced to choose between locking down my branch or automation. Frustrating.

2 Likes

+1 For having an option to allow GitHub actions to bypass branch protection.

I was able to create a workflow that temporarily disables the branch protection and then enables it again. This works fine if you don’t have multiple pull requests merged to master at the same time. And of course this means there is no branch protection for a few seconds.

The workflow

  1. Removes branch protection from master
  2. Runs npm version to increment the release number and create a tag
  3. Pushes the version number change to master and the tag
  4. Enables the branch protection for master again.
  5. Builds and publishes the library to NPM

name: Publish Release

on:
  push:
    branches: [ master ]

jobs:
  build-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup GIT
        run: |
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
          git config user.name "$GITHUB_ACTOR"
      - name: Setup Node.js
        uses: actions/setup-node@v1
        with:
          node-version: 10
          registry-url: https://npm.pkg.github.com/
          scope: '@YOUR_ORG_HERE'
      - name: Branch protection OFF
        uses: octokit/request-action@v2.x
        with:
          route: PUT /repos/:repository/branches/master/protection
          repository: ${{ github.repository }}
          required_status_checks: |
            null
          enforce_admins: |
            null
          required_pull_request_reviews: |
            null
          restrictions: | 
            null 
        env:
          GITHUB_TOKEN: ${{ secrets.GH_ACTIONS_REPO_ADMIN_CI_TOKEN }}
      - name: Versioning
        run: |
          npm version minor -m "chore(release): %s"
          git push "https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY"
          git push "https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY" --tags
        env:
          NODE_AUTH_TOKEN: ${{secrets.GH_PACKAGES_TOKEN}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Branch protection ON
        # run even if Versioning failed; otherwise master is left unprotected
        if: always()
        uses: octokit/request-action@v2.x
        with:
          route: PUT /repos/:repository/branches/master/protection
          repository: ${{ github.repository }}
          mediaType: |
            previews:
              - luke-cage
          required_status_checks: |
            strict: true
            contexts:
              - build
          enforce_admins: |
            null
          required_pull_request_reviews: |
            dismiss_stale_reviews: true
            required_approving_review_count: 1
          restrictions: |
            null
        env:
          GITHUB_TOKEN: ${{ secrets.GH_ACTIONS_REPO_ADMIN_CI_TOKEN }}
      - name: Build and Publish
        run: |
          npm ci
          npm run build -- --prod
          npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.GH_PACKAGES_TOKEN}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
2 Likes
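The ON step above hard-codes the rules it puts back, so any rule changed in the UI in the meantime is silently reverted, and because the step has no `if: always()`, a failing Versioning step leaves master unprotected until someone notices. The following helpers are an added example (not code from the post or from octokit) that make the OFF step record the live protection with `GET /repos/{owner}/{repo}/branches/{branch}/protection`, turn that snapshot into the body the `PUT` endpoint expects, and compare what is read back afterwards so a failed restore fails the job. The HTTP calls are left to the caller (curl or octokit/request-action); the sample GET response is constructed.

```python
"""Snapshot-and-restore helpers for the "protection OFF / ON" workflow pattern.

Added example, not code from the thread. The OFF step records the live
protection (GET), the ON step restores exactly that (PUT), and a final step
compares what was read back. SAMPLE_SNAPSHOT is a constructed GET response.
"""
import json
import sys
from typing import Any, Dict, Optional

# The PUT endpoint requires all four keys; a rule that is absent is sent as null.
PUT_KEYS = ("required_status_checks", "enforce_admins",
            "required_pull_request_reviews", "restrictions")


def disable_body() -> Dict[str, Optional[Any]]:
    """PUT body that clears every rule: what the OFF step in the thread sends."""
    return {key: None for key in PUT_KEYS}


def restore_body(snapshot: Dict[str, Any]) -> Dict[str, Any]:
    """Translate a GET protection response into the body PUT expects.

    GET returns nested objects (users as {"login": ...}, teams as {"slug": ...},
    enforce_admins as {"enabled": bool}); PUT wants plain logins/slugs and a
    boolean.
    """
    body: Dict[str, Any] = {}

    rsc = snapshot.get("required_status_checks")
    body["required_status_checks"] = (
        {"strict": bool(rsc.get("strict", False)), "contexts": list(rsc.get("contexts", []))}
        if rsc else None)

    admins = snapshot.get("enforce_admins")
    body["enforce_admins"] = bool(admins.get("enabled", False)) if admins else False

    reviews = snapshot.get("required_pull_request_reviews")
    if reviews:
        body["required_pull_request_reviews"] = {
            "dismiss_stale_reviews": bool(reviews.get("dismiss_stale_reviews", False)),
            "require_code_owner_reviews": bool(reviews.get("require_code_owner_reviews", False)),
            "required_approving_review_count": int(reviews.get("required_approving_review_count", 0)),
        }
        dismissal = reviews.get("dismissal_restrictions") or {}
        if dismissal.get("users") or dismissal.get("teams"):
            body["required_pull_request_reviews"]["dismissal_restrictions"] = {
                "users": [u["login"] for u in dismissal.get("users", [])],
                "teams": [t["slug"] for t in dismissal.get("teams", [])],
            }
    else:
        body["required_pull_request_reviews"] = None

    who = snapshot.get("restrictions")
    body["restrictions"] = (
        {"users": [u["login"] for u in who.get("users", [])],
         "teams": [t["slug"] for t in who.get("teams", [])],
         "apps": [a["slug"] for a in who.get("apps", [])]}
        if who else None)
    return body


def restore_verified(before: Dict[str, Any], after: Dict[str, Any]) -> bool:
    """True when the protection read back after the PUT matches the snapshot
    taken before the OFF step, compared in normalized PUT form."""
    return restore_body(before) == restore_body(after)


# Constructed GET response, trimmed to the fields that matter (not from a real repo).
SAMPLE_SNAPSHOT: Dict[str, Any] = {
    "required_status_checks": {"strict": True, "contexts": ["build"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 1,
    },
}

if __name__ == "__main__":
    # Usage: python protection_snapshot.py snapshot.json  (prints the PUT body)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            snap = json.load(fh)
    else:
        snap = SAMPLE_SNAPSHOT
    print(json.dumps(restore_body(snap), indent=2))
```

In the workflow, write the GET response to a file in the OFF step, feed it to `restore_body` in an ON step that carries `if: always()`, then GET again and fail the job when `restore_verified` returns False. The "multiple pull requests merged at the same time" problem the author mentions is what a `concurrency:` group on the workflow is for: it serializes runs so two jobs cannot both have the protection switched off.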

It would be great if the github actions could bypass the branch protection policies for us, too. We would like to automatically add the latest changelog from LTS branches to the master branch’s changelog file on new LTS releases.

1 Like

Plus one for asking this feature support

1 Like

on:
  push:
    branches:
      - master
jobs:
  publish-gpr:
    # skip runs triggered by the bot's own push (its commits carry the GITHUBACTION author name)
    if: "!contains(github.event.head_commit.author.name, 'GITHUBACTION')"
    runs-on: ubuntu-latest
    steps:
      # checkout added so the push step below has a repository to push from
      - uses: actions/checkout@v2
      - name: Set up git for commits
        run: |
          git config user.name "GITHUBACTION"
        timeout-minutes: 1
      - name: Push
        run: git push --follow-tags --no-verify origin HEAD:master
        timeout-minutes: 1
  empty-job:
    # if no jobs run, github action considers it a test failure – which seems like a bug
    # this makes it so the top-level if statement for the job does not give status failure.
    runs-on: ubuntu-latest
    if: success()
    steps:
      - name: Meep
        run: |
          echo "This job will always succeed. If no jobs run, we still want the workflow to give status success."
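Two posts in this thread reach for the same loop guard: the earlier suggestion to "dig into the events" to tell a person's push from the bot's, and the workflow just above, which keys on the `GITHUBACTION` author name. The script below is an added example (not from either post) that reads the push-event payload GitHub writes to `$GITHUB_EVENT_PATH` and applies both signals: the author/committer name marker on the head commit, and the account that pushed (`pusher.name` / `sender.login`), which for a PAT push is the token owner. `BOT_LOGIN` is an assumed workflow variable naming that account, not something GitHub defines; the payloads are constructed.

```python
"""Loop guard for workflows that push back to the branch that triggered them.

Added example, not code from this thread. Answers "did our own bot cause this
run?" from the push-event payload. BOT_LOGIN is an assumed env var naming the
account that owns the PAT used for pushing.
"""
import json
import os
from typing import Any, Dict, Optional

# Marker the bot sets as git user.name before committing (the GITHUBACTION
# convention from the workflow above).
BOT_AUTHOR_MARKER = "GITHUBACTION"


def push_is_from_bot(event: Dict[str, Any], bot_login: Optional[str] = None) -> bool:
    """Return True when a `push` event payload was produced by our automation."""
    # head_commit is null for branch deletions, so guard every lookup.
    head = event.get("head_commit") or {}
    for role in ("author", "committer"):
        name = (head.get(role) or {}).get("name") or ""
        if BOT_AUTHOR_MARKER in name:
            return True
    # A push made with a personal access token is attributed to the token's
    # owner (pusher.name / sender.login), so also compare against the bot account.
    if bot_login:
        pusher = (event.get("pusher") or {}).get("name")
        sender = (event.get("sender") or {}).get("login")
        if bot_login in (pusher, sender):
            return True
    return False


def should_skip(event_path: Optional[str] = None, bot_login: Optional[str] = None) -> bool:
    """Load the event file the runner provides and apply push_is_from_bot."""
    path = event_path or os.environ["GITHUB_EVENT_PATH"]
    with open(path, encoding="utf-8") as fh:
        event = json.load(fh)
    return push_is_from_bot(event, bot_login or os.environ.get("BOT_LOGIN"))


# Constructed payload fragments for a local dry run (not captured from a real repo).
HUMAN_PUSH = {
    "head_commit": {"author": {"name": "Jane Dev"}, "committer": {"name": "Jane Dev"}},
    "pusher": {"name": "janedev"},
    "sender": {"login": "janedev", "type": "User"},
}
MARKED_BOT_PUSH = {
    "head_commit": {"author": {"name": "GITHUBACTION"}, "committer": {"name": "GITHUBACTION"}},
    "pusher": {"name": "ci-bot"},
    "sender": {"login": "ci-bot", "type": "User"},
}
UNMARKED_PAT_PUSH = {
    "head_commit": {"author": {"name": "Release Script"}, "committer": {"name": "Release Script"}},
    "pusher": {"name": "ci-bot"},
    "sender": {"login": "ci-bot", "type": "User"},
}

if __name__ == "__main__":
    for label, payload in (("human", HUMAN_PUSH), ("marked bot", MARKED_BOT_PUSH),
                           ("unmarked PAT", UNMARKED_PAT_PUSH)):
        print(f"{label:>12}: skip={push_is_from_bot(payload, bot_login='ci-bot')}")
```

Run it as an early step and gate the push step on its result. The author-name marker is something any committer can set with `git config user.name`, so when the skip also bypasses validation steps, make the decision on the pusher/sender account rather than on the marker alone. On current GitHub Actions a `[skip ci]` token in the commit message also suppresses push-triggered runs, which covers the simple case without any guard.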

Am I right that these are the workaround options that we have?

  1. Create an admin Personal Access Token, add it to GitHub secrets, and have the CI use that, and disable the “Include administrators” option under the protected branch setting

  2. Not require approvals before merging to the protected branch

  3. Have the CI create a PR which a human must manually approve and merge

Hey guys, we just spent a good time trying to work this out, posting our solution:

  • Don’t enforce branch protection on admin.
  • Create dedicated system-admin user and set him as admin on the protected repo.
  • Create a personal access token from system-admin user and store it as ADMIN_TOKEN in the repo secrets.
  • Use actions/checkout@v2 with the token we created.
  • Configure git name and email

Example:

jobs:
  publish:
    name: Publish
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v2
        with:
          # the admin account's PAT; checkout stores it in the git config,
          # so the later `git push` authenticates as that user
          token: ${{ secrets.ADMIN_TOKEN }}

      - name: Configure CI Git User
        run: |
          git config --global user.name '@system-admin'
          git config --global user.email 'system-admin@users.noreply.github.com'

      - name: Do git actions
        run: |
          touch test.temp
          # `commit -a` only stages tracked files, so a new file must be added first
          git add test.temp
          git commit -am "Hey, I'm pushing from the CI! :)"
          git push
2 Likes

Hey @nirsky do you know if you need a dedicated system-admin if you are part of an organization? I’m wondering if I can just have org maintainers create an admin token? It doesn’t look like the username and email on your GitHub user actually means anything, right?

Hey @renamari, you can definitely use the org maintainers token, no problem with that, the system-admin was just an example.
The reason we created a dedicated user is because we use the same accounts for our personal GitHub, which means the token could be used to access our own personal repos…