Using a workflow to create a tag failing with permission

Hi there,

I am attempting to create a tag for a given SHA in a GitHub workflow that is failing with the following error:

! [remote rejected]       tagA -> tagA (refusing to allow a GitHub App to create or update workflow `.github/workflows/workflow-that-is-not-working.yml` without `workflows` permission)

However, there is actually no code in the tag that has a change to that workflow at all. The token that is being used is the GITHUB_TOKEN that is provided by the workflow.

Literature on the internet seems to suggest that this is because the token does not have the workflows permission, but as I understand it, only a PAT will allow that permission to be attached. My underlying question is why does GitHub think that there is a change to the workflow-that-is-not-working.yml even though there is no such change? Or is this a symptom of some other issue?

How can I debug this issue further?

If the tagged code includes the workflow, there is by definition. A tag isn’t a change relative to anything (unlike a branch, which might have existed before and get updated), it refers to that commit and its content, basically from nothing.

Hi @airtower-luna, thank you for your follow-up! That makes sense, but what is strange is that there are other workflows that have existed in the repository for quite a while and remain unaffected. If it is in fact the case that any tagged code that includes a workflow requires a PAT, would this error not have shown up before?

I guess the underlying question here is when is a workflow marked as being “created or updated” and is there something specific that is causing the workflow to fail with this error.

Good point, I don’t know how GitHub’s systems calculate that difference internally, so I can’t rule out there’s some other comparison at play. Maybe with the default branch? Or maybe it depends on whether the commit existed in the repository prior to pushing the tag? That’s guesswork though. :sweat_smile: