Push to another repository

Hi there,

I’m struggling with pushing commits to another repository. I wrote a workflow on one of the repositories I maintain, and checkout, commit and push are OK on this repo. However, when I try to push from the same workflow to another repo (brsynth/brs_utils-feedstock, which is a fork I also maintain), I get the error below. I tried with GITHUB_TOKEN and a personal access token, which I don’t know how to use.

Any help would be much appreciated. Thank you

Run ad-m/github-push-action@master
  with:
     github_token: ***
     repository: brsynth/brs_utils-feedstock
     directory: .
Push to branch master
remote: Permission to brsynth/brs_utils-feedstock.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/brsynth/brs_utils-feedstock.git/': The requested URL returned error: 403

Below is my workflow file content:

name: Create Tag/Release

on:
  push:
    branches:
      - stable

jobs:

  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: Bump version and push tag
        id: tag_version
        uses: mathieudutour/github-tag-action@v5.6
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          release_branches: stable
          tag_prefix:
      - name: Create Release
        uses: actions/create-release@v1
        with:
          tag_name: ${{ steps.tag_version.outputs.new_tag }}
          release_name: Release ${{ steps.tag_version.outputs.new_tag }}
          body: ${{ steps.tag_version.outputs.changelog }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/setup-ruby@v1
      - name: Generate CHANGELOG
        env:
          CHANGELOG_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gem install github_changelog_generator
          github_changelog_generator -u brsynth -p brs-utils
      - name: Commit files
        run: |
          git config --local user.email "$GITHUB_EMAIL"
          git config --local user.name "$GITHUB_USERNAME"
          git commit -m "doc(CHANGELOG): update" -a
        env:
          GITHUB_USERNAME: brsynth
          GITHUB_EMAIL: joan.herisson@univ-evry.fr
      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.ref }}
      - name: Checkout feedstock fork
        uses: actions/checkout@v2
        with:
          repository: brsynth/brs_utils-feedstock
          persist-credentials: false
          fetch-depth: 0
      - name: Update recipe
        run: |
          wget -O- https://github.com/brsynth/brs-utils/archive/refs/tags/$VERSION.tar.gz | shasum -a 256 > sha.txt
          sha=`python -c "f = open('sha.txt'); print(f.read().split()[0]); f.close()"`
          rm -f sha.txt
          sed -i -E "s/(\{% set version = \")[^>]+(\" %\})/\1somethin\2/" recipe/meta.yaml
          sed -i -E "s/(sha256: )[^>]+/\1$sha/" recipe/meta.yaml
          git config --local user.email "$GITHUB_EMAIL"
          git config --local user.name "$GITHUB_USERNAME"
          git commit -m "chore(meta.yml): update version" -a
        env:
          GITHUB_USERNAME: brsynth
          GITHUB_EMAIL: joan.herisson@univ-evry.fr
          VERSION: ${{ steps.tag_version.outputs.new_tag }}
      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          repository: brsynth/brs_utils-feedstock

It looks like you’re still using the GitHub token in the middle of the code. And that won’t let you push to the remote repository.

I have the same question. What is your opinion about this question? I have replaced the token the first step used with the personal access token, but it said the personal access token was bad credentials. I have searched on this page, but it didn’t help a lot.
My English is not good.

I succeeded in pushing to another repo of my organisation by using a personal access token:

  1. Create your PAT on your account (Settings > Developer Settings)
  2. Create a secret (with PAT as value) on the repos you want to push to
  3. Use the secret as a token in your workflow (${{ secrets.<secret_name> }})

I decided I wanted to avoid using a PAT entirely in the build and push process, so instead I created a workflow in the remote repository that would do the build by cloning the origin repository. This allowed me to use a GitHub token to push.

To trigger the build, I use an HTTP request that triggers a workflow dispatch. You can see it live at cfndev.github.io/test-jekyll.yml at 2486fb695e258d6eae0fd4851c7bd2ad010d195f · datapolitical/cfndev.github.io · GitHub
and
chrisfnicholson.github.io/build-dev-branch.yml at 1b780ef95becf3058169dbf48582f095abc0dade · datapolitical/chrisfnicholson.github.io · GitHub

I should clarify that this does require a PAT to send the curl request, but that PAT is not passed to any outside action. The alternative for me was to use a PAT that was accessible to third-party code, which is a major security risk.
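The exposure described above, a PAT handed to third-party action code, can be checked for mechanically. This is an added example, not code from the thread: a heuristic, line-based audit that lists every secret other than GITHUB_TOKEN passed to a third-party `uses:` step and whether that action is pinned to a full commit SHA. The names `audit` and `SAMPLE` and the trusted-owner list are assumptions.

```python
import re

# Constructed sample, modelled on the push steps quoted in this thread.
SAMPLE = """\
steps:
  - uses: actions/checkout@v2
  - name: Push changes
    uses: ad-m/github-push-action@master
    with:
      github_token: ${{ secrets.GITHUB_TOKEN }}
  - name: Push changes on the fork
    uses: ad-m/github-push-action@master
    with:
      github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
      repository: brsynth/brs_utils-feedstock
"""

STEP = re.compile(r"^\s*-\s+(?:name|id|uses|run)\s*:")   # heuristic step start
USES = re.compile(r"^\s*(?:-\s+)?uses\s*:\s*([^\s#]+)")
SECRET = re.compile(r"\bsecrets\.([A-Za-z_]\w*)")
FIRST_PARTY = {"actions", "github"}  # assumption: owners treated as trusted


def audit(workflow_text):
    """Return (action, secret, pinned_to_sha) for each non-GITHUB_TOKEN
    secret referenced in a step that runs a third-party action."""
    findings, steps = [], []
    for line in workflow_text.splitlines():
        if STEP.match(line) or not steps:
            steps.append({"uses": None, "secrets": []})
        m = USES.match(line)
        if m:
            steps[-1]["uses"] = m.group(1)
        steps[-1]["secrets"] += SECRET.findall(line)
    for step in steps:
        uses = step["uses"]
        if not uses or uses.startswith(("./", "docker://")):
            continue  # run: steps and local actions are the repo's own code
        name, _, ref = uses.partition("@")
        if name.split("/")[0] in FIRST_PARTY:
            continue
        pinned = bool(re.fullmatch(r"[0-9a-f]{40}", ref))  # branch/tag refs can move
        findings += [(name, s, pinned) for s in step["secrets"] if s != "GITHUB_TOKEN"]
    return findings


if __name__ == "__main__":
    for action, secret, pinned in audit(SAMPLE):
        print(f"{action}: receives secrets.{secret}; pinned to commit SHA: {pinned}")
```

A finding with `pinned` false means the code that receives the PAT can change whenever the action's branch or tag moves.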

Thanks for your answer. I chose repo and workflow for my PAT, but it doesn’t work for pushing to another repo.

This is an example of a workflow triggered from REPO1 that modifies REPO2 (both owned by user):

    runs-on: ubuntu-latest
    steps:
      - name: Checkout REPO2
        uses: actions/checkout@v2
        with:
          repository: <user>/<repo2>
          persist-credentials: false
          fetch-depth: 0
      - name: Update
        run: |
          <modify the repo>
          git config --local user.email "$GITHUB_EMAIL"
          git config --local user.name "$GITHUB_USERNAME"
          git commit -m "chore: my comment" -a
        env:
          GITHUB_USERNAME: <user>
          GITHUB_EMAIL: <e-mail>
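      - name: Push changes on REPO2
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.<SECRET_WITH_PAT_VALUE_AVAILABLE_AS_SECRET_IN_REPO2> }}
          # without this input the action pushes to the repository running the workflow
          repository: <user>/<repo2>
          branch: ${{ github.ref }}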

Thank you, I'll have a try.