From within an action, I’m trying to modify tags to automate the versioning scheme recommended in the toolkit documentation: a “most recent major release” tag (such as v1) pointing at the most recent semantic versioning tag with the same major release, i.e., if I have tags v1.0.0, v1.0.1, v1.1.0, v1.2.0 and v1.2.1, then v1 should point to the same commit as v1.2.1. When I release v1.3.0, v1 should automatically be updated to point to what v1.3.0 points to.
To have access to all the tags, I check out the repository with all commits:
```yaml
- name: 'Check out code'
  uses: 'actions/checkout@v2'
  with:
    fetch-depth: 0
```
The action runs a shell script in a Docker container, and I set the GITHUB_TOKEN in the environment:
```yaml
- name: 'Update release tags for latest major and minor releases'
  uses: 'bewuethr/release-tracker-action@master'
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
According to the documentation for the checkout action, the auth token is persisted in the Git config, and indeed, I can do things like
```
git push --delete origin "$tag"
```
without problems.
However, after creating new tags, if any new tag doesn’t point to the most recent commit, I can’t push it and get an error message like this:
```
! [remote rejected] v0.1 -> v0.1 (refusing to allow a bot to create or update workflow `.github/workflows/releasetracker.yml`)
```
I’m trying to push nothing but the tags by using something like
```
git push origin "$tag1" "$tag2"
```
and definitely didn’t modify the workflow file.
From a shell script running in a docker action, how can I push my new tags pointing to older commits?
Things I’ve tried:
- Use the authentication token explicitly in the URL for the remote by setting it to https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY or just https://$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY
- Use SSH instead of HTTPS by setting the remote URL to git@github.com:$GITHUB_REPOSITORY
- Add .git to remote URL
- Push directly from a step in the job instead of from within the action with run: git push --tags
- Use branches instead of moving tags (see also this discussion)
I’ve seen other people doing similar things by using the GitHub API instead of Git commands (like in the Branch Cleanup Action, where a branch is deleted using an API call), but is that the only way? It does feel like a bug that my push is prevented with a reason that doesn’t seem to apply to my situation.
I also haven’t tried using a personal access token instead of GITHUB_TOKEN, because again, it feels like it shouldn’t be necessary.
As a side note, posts with similar problems in this forum such as Refusing to allow an integration to create or update seemed to have “refresh the token of your client” as the solution, but that doesn’t apply in my case.
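The tag-selection step of the versioning scheme described in the question, as an added example that is not part of the original post or of the release-tracker action: it only computes which release each moving major and minor tag should point to, and pushes nothing. The function names and the sample tag list are constructed for illustration, and `sort -V` (GNU coreutils) is assumed to be available in the container.

```shell
#!/bin/sh
# Constructed sample: the tags from the question, a v0 line, and some
# non-release tags that must be ignored. In a full checkout (fetch-depth: 0)
# this list would come from `git tag --list` instead.
sample_tags() {
  printf '%s\n' v1.0.0 v1.0.1 v1.1.0 v1.2.0 v1.2.1 v0.1.0 v0.1.2 v1 v1.2 latest
}

# Read tag names on stdin and print "moving-tag release-tag" pairs, one per
# line, for every major (vX) and minor (vX.Y) series. Only plain vX.Y.Z tags
# count as releases; pre-release suffixes and existing moving tags are skipped.
tracker_targets() {
  grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' |
    sort -V |
    awk '{
      split(substr($0, 2), part, ".")
      major = "v" part[1]
      minor = major "." part[2]
      if (!(major in seen)) { order[++n] = major; seen[major] = 1 }
      if (!(minor in seen)) { order[++n] = minor; seen[minor] = 1 }
      # Input is in ascending version order, so the last assignment wins
      # and each series ends up mapped to its highest release.
      target[major] = $0
      target[minor] = $0
    }
    END { for (i = 1; i <= n; i++) print order[i], target[order[i]] }'
}

# Look up the release a single moving tag should point to in the sample list.
target_for() {
  sample_tags | tracker_targets | awk -v t="$1" '$1 == t { print $2 }'
}

# Print the full mapping for the sample list when run directly.
sample_tags | tracker_targets
```

Each output pair names a moving tag and the release whose commit it should share, which is the list of tags a later `git tag -f` and push step would act on.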