Hi, I have a test workflow on a specific branch, which I use to open a PR. It’s not a protected branch. Another action is triggered manually; it modifies and commits a file into the same branch.
Commit appears in PR but the workflow is not executed. I have disabled vigilant mode. This is for a private enterprise repo.
The only solution I see is to bundle my private PGP key into GitHub Actions secrets to sign the commit, but I think it’s more dangerous than running the workflow on an unsigned commit.
Is there a way to enable this? I couldn’t find one after searching.
How does that workflow authorize the push? In particular, to quote the docs:
When you use the repository’s GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN will not create a new workflow run.
I’ve tried it with a personal access token to run git push and also tried ad-m/github-push-action (GitHub actions to push back to repository, e.g. updated code) with a personal access token; however, in both cases CI/CD is still not executed on the push into the branch.
How are you providing the PAT to Git?
Yes, that’s it exactly. Should I use a PAT, or is there a way to enable execution through a permission YAML key in a workflow file?
Yes, using a PAT is what you need to do to enable this. But you said you’ve tried it with a PAT and it didn’t work, so I wonder how you tried it (a workflow link is best). I’ve seen people who put their PAT into the workflow but the way it was set up the GITHUB_TOKEN got used anyway.
- run: |
    git config user.name "......."
    git config user.email "...."
    git fetch --unshallow
    git switch pre-prod
    git commit --allow-empty -m 'test-empty-commit'
    # git push origin pre-prod
- name: Push changes into pre-prod branch
  uses: ad-m/github-push-action@master
  with:
    github_token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
    branch: pre-prod
In the screenshot below, the wip commit was done using my local laptop with an SSH key. The other commits (test-empty-commit) were done by a workflow.
The problem is that there is no execution indicator (red cross) next to the test-empty-commits.
That behavior indicates that your PAT isn’t used for the push.
The most important part is missing in your workflow excerpt: The actions/checkout step (assuming you don’t retrieve the repository in some custom way). By default it sets the repository up to always send an Authorization header with the GITHUB_TOKEN. You need to either pass your PAT at that point (token option), or disable persisting it (persist-credentials: false).
- uses: actions/checkout@v2
  with:
    token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
Specifying the token during the checkout step rather than the push worked perfectly. I can now see the documentation at actions/checkout (Action for checking out a repo):
The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set persist-credentials: false to opt-out.
Thanks for your help @airtower-luna, my issue is now resolved.
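A diagnostic for the situation in this thread, as an added example that is not part of the original posts or of actions/checkout: it reports which kind of credential is persisted in a clone's git config without printing the credential. It assumes checkout stores the credential under `http.https://github.com/.extraheader` as a basic header wrapping `x-access-token:<token>`, and that GITHUB_TOKEN values start with `ghs_` while PATs start with `ghp_` or `github_pat_`; the function names and sample tokens are constructed for illustration.

```bash
#!/bin/sh
# Added example: classify the credential that checkout left in a clone.
# Assumed storage format: "AUTHORIZATION: basic <base64 of x-access-token:TOKEN>"
KEY='http.https://github.com/.extraheader'

# classify_header HEADER -> prints none | github_token | pat | unknown
# Only the token's kind is printed, never the token itself.
classify_header() (
  header="$1"
  if [ -z "$header" ]; then echo none; exit 0; fi
  # The last word of the header is the base64 blob; undecodable input -> unknown.
  token="$(printf '%s' "${header##* }" | base64 -d 2>/dev/null)" || token=""
  case "${token#x-access-token:}" in
    ghs_*)              echo github_token ;;  # token issued to the workflow run
    ghp_*|github_pat_*) echo pat ;;           # classic or fine-grained PAT
    *)                  echo unknown ;;
  esac
)

# check_repo DIR -> classify whatever is persisted in DIR's local git config.
# A missing key (persist-credentials: false) yields "none".
check_repo() {
  classify_header "$(git -C "$1" config --local --get "$KEY" 2>/dev/null || true)"
}

# Build a header in the assumed format from a constructed (fake) token.
make_header() {
  printf 'AUTHORIZATION: basic %s' \
    "$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')"
}

# Constructed samples for the three setups discussed in the thread.
SAMPLE_DEFAULT="$(make_header 'ghs_CONSTRUCTEDexample000')"
SAMPLE_PAT="$(make_header 'ghp_CONSTRUCTEDexample000')"

echo "default checkout           : $(classify_header "$SAMPLE_DEFAULT")"
echo "checkout with token: <PAT> : $(classify_header "$SAMPLE_PAT")"
echo "persist-credentials: false : $(classify_header "")"
```

In a workflow, call `check_repo "$GITHUB_WORKSPACE"` in a step after checkout; a result of `github_token` means a later `git push` authenticates with the GITHUB_TOKEN and will not start a new workflow run.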