Push/Make PR to repo using a workflow in the same repo

Hey everyone,

I’m currently trying to make a GitHub workflow work that, roughly spoken, does the following:

  1. Install a python dependency and fire up one of its commands
  2. This command, besides other things, tries to push changes (changes to this repo like adding a file for example) made in the workflow to the repo containing this workflow.

(Side note: I’m using this from within a Python project and pushing the changes via API calls.)

Everything works fine (even running the same code locally executes successfully), but when it comes to pushing changes to the repo mentioned above from the workflow, I run into the following error:

PullRequestException: Could not push MYBRANCH branch:
  Cmd('git') failed due to: exit code(1)
  cmdline: git push
  stderr: 'To https://github.com/Imipenem/Bertman
 ! [remote rejected] TEMPLATE -> TEMPLATE (refusing to allow a GitHub App to 
create or update workflow `.github/workflows/sync_project.yml` without 
`workflows` permission)
error: failed to push some refs to 'https://github.com/Imipenem/Bertman''

The main point here seems to be the following:

refusing to allow a GitHub App to 
create or update workflow .github/workflows/sync_project.yml without 
workflows permission

I use a personal access token to make the API calls which has at least the workflows and repo scope enabled.

So I really don’t know why it refuses to push the changes.
Might I have to explicitly exclude the .github/workflows/sync_project.yml from the push, as it should not get updated from within this workflow?

Or are there any other restrictions I’m not aware of?

Many thanks in advance!

EDIT: I solved the issue by removing the file temporarily! However, I’m curious why the above happened!

Hello,

does your PAT include the workflow scope? That’s required for modifying workflows.

@Imipenem,

To push modified workflow files to the remote:

  • The personal access token (PAT) should have the ‘workflow’ scope.
    In addition, the token also requires the ‘repo’ scope for private repositories and the ‘public_repo’ scope for public repositories.

  • The GitHub App that executes must have the ‘Workflows’ permission.

According to the logs you shared, the API you called in your workflow seems to have actually executed the git push command.
You can try to directly run the git push command in a ‘run’ step (jobs.<job_id>.steps.run) in your workflow, and use a PAT which has the ‘workflow’ and ‘repo’ scopes to authenticate. Don’t use the GITHUB_TOKEN directly; it does not have the ‘workflow’ scope.

Thanks for the quick reply.
Yes, I created a PAT for this purpose and gave it those scopes.

I set it as a secret in this repo and use this one, so might this cause an issue?

Thanks for the reply.
Yes, I gave the token both scopes. But I must have done something else wrong.

Can you explain what you mean by not using GITHUB_TOKEN directly? For this specific workflow I’m using a secret from the repo that contains the specified PAT with the scopes. Is this the root cause of the issue?


@Imipenem,

The GITHUB_TOKEN is a token automatically created by GitHub during a workflow run. Before each job begins, GitHub fetches an installation access token for the job. The token expires when the job is finished.

The permissions of GITHUB_TOKEN are limited to the repository that contains the workflow. And some permissions are not applied to this token; as I mentioned above, it does not have the ‘workflow’ scope. So, when you push modified workflow files and use the GITHUB_TOKEN to authenticate, you will get error messages like “permission denied” or “remote rejected”.

For more details about the GITHUB_TOKEN, see “Authenticating with the GITHUB_TOKEN”.

Yes I gave the token both scopes. But I must have done something else wrong.

If possible, please share your repository with us, so that we can check more detailed configurations related to your workflow, to analyze the root cause.
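The two answers above recommend running `git push` in a `run` step authenticated with a PAT that has the ‘repo’ and ‘workflow’ scopes, instead of the automatically created GITHUB_TOKEN. The workflow below is an added illustration of that setup and is not taken from the thread or from the Bertman repository: `WORKFLOW_PAT` is an assumed name for the repository secret holding the PAT, and the “Make changes” step is a placeholder for whatever tool actually modifies the checkout.

```yaml
name: Sync project

on:
  workflow_dispatch:

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      # Check out with the PAT instead of the default GITHUB_TOKEN.
      # actions/checkout writes this token into the local git config, so
      # the `git push` further down authenticates with it and may therefore
      # update files under .github/workflows/ as well.
      # WORKFLOW_PAT is an assumed secret name (PAT with 'repo' + 'workflow').
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.WORKFLOW_PAT }}

      - name: Make changes
        run: |
          # Placeholder for the tool that edits the repository
          # (in the question this was a Python command).
          echo "synced at $(date -u +%Y-%m-%dT%H:%M:%SZ)" > sync-marker.txt

      - name: Commit and push
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          # Exit cleanly when the tool produced no changes.
          if git diff --cached --quiet; then
            echo "nothing to commit"
            exit 0
          fi
          git commit -m "chore: sync project files"
          # Pushes the branch the workflow was started on, using the PAT
          # that actions/checkout stored for the origin remote.
          git push origin HEAD
```

Two points worth checking when adopting this: a push made with a PAT can trigger other workflows in the repository (pushes made with GITHUB_TOKEN do not), so a workflow that commits to its own branch should be triggered in a way that cannot re-trigger itself, as `workflow_dispatch` does here; and because the PAT is a long-lived credential stored as a secret, scope it to this repository only (a fine-grained PAT with the “Contents” and “Workflows” repository permissions is the narrowest option) and rotate it like any other deploy credential.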

@Imipenem,

How are things going?
Are our above suggestions helpful for you?
You can try to directly run the git push command with a PAT in your workflow to see if it can work.
If the PAT works, then try using it on the API you mentioned above.
If the problem still exists, please share your repository with us for further investigation and evaluation. Thanks.

@brightran sorry, I forgot to answer:
I solved my issue by excluding the workflow from the git things as I don’t need it. But for sure, that’s a workaround only.
But as you wrote, I used the “automatically created GITHUB_TOKEN” and did not set my PAT for it. So this should have been the issue.
Thanks again for your answer!

@Imipenem,

You’re welcome, and glad that the problem has been solved.
If you have any other questions about this topic, feel free to contact us.