Refusing to allow a GitHub App to create or update workflow without `workflows` permission

Hi!
I currently want to create a workflow to update another workflow scheduled (see the corresponding workflow).
It creates a new branch, makes some changes, commits them and tries to push via the `git push https://{actor}:{token}@github.com/{repo}.git {branch_name}` command.

But it fails with the error message `` ! [remote rejected] nightly -> nightly (refusing to allow a GitHub App to create or update workflow `.github/workflows/check.yml` without `workflows` permission) ``
(see Print actor and repo · Undin/intellij-rust@88db06b · GitHub).

I know that workflow file modification requires the workflow permission, which is why I pass my custom PAT with the corresponding permissions. I even check the scopes of the corresponding token via the `x-oauth-scopes:` header (see screenshot below) to ensure that I didn’t make a mistake here.

But it still fails.

Could you please help me understand where I’m wrong and make it work?

A likely reason is that the PAT isn’t actually used when pushing the changes. In the linked workflow file I can’t see any `git commit` or `git push` command. However, I see that `actions/checkout` is called without a `token` parameter, which means it will configure Git to use the default `GITHUB_TOKEN`.
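The misconfiguration described in the answer above next to two ways of correcting it, as an added example that is not part of the original thread or the linked repository. The secret name `WORKFLOW_PAT`, the script path, the schedule and the job names are assumptions.

```yaml
# Constructed workflow. WORKFLOW_PAT, scripts/update_workflow.py, the cron
# schedule and the job names are assumed, not taken from the thread.
name: update-nightly-workflow
on:
  schedule:
    - cron: "0 3 * * *"

jobs:
  # Failing shape: checkout has no `token` input, so it configures git with the
  # default GITHUB_TOKEN. The push is then rejected for files under
  # .github/workflows/, whatever scopes the PAT passed to the script has.
  rejected:
    if: false          # kept for comparison only, never runs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python scripts/update_workflow.py
        env:
          PUSH_TOKEN: ${{ secrets.WORKFLOW_PAT }}

  # Fix A: give the PAT to checkout, so the credential git is configured with
  # is the PAT. Every later step in the job can push with it.
  fix-with-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.WORKFLOW_PAT }}
      - run: python scripts/update_workflow.py

  # Fix B: persist no credential at all, so the token the script embeds in the
  # push URL is the only one git has. The PAT is exposed to one step only.
  fix-without-persisted-credential:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: python scripts/update_workflow.py
        env:
          PUSH_TOKEN: ${{ secrets.WORKFLOW_PAT }}
```

Keep only one of the two fix jobs. Fix B limits the workflow-scoped PAT to the step that pushes, which matters when other steps in the job run third-party code.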

> In the linked workflow file I can’t see any git commit or git push command.

The workflow runs a Python script which calls `git push`.

> However I see that actions/checkout is called without a token parameter, which means it will configure Git to use the default GITHUB_TOKEN.

Oh, it actually solves my issue. Thank you a lot!
