I'm using GitHub Actions to auto-approve and merge pull requests. I wasn't able to allow github-actions[bot] to push to a protected branch using the settings page though, so I ended up using the REST API instead.
Would it be possible to allow this using the settings page, or to enable it by default?
If we enabled GitHub Actions to push to a protected branch, then any collaborator in your repo could push any code to any branch they wanted simply by creating a branch and coding the workflow to push to some other branch. Using the REST API to merge the PR is the right flow, and over time hopefully there will be actions that make that easier to implement.
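As an added example (not code from the thread or from GitHub), this is what the REST API flow described above looks like as a workflow that merges the pull request that triggered it, using the job's own `GITHUB_TOKEN` rather than a personal access token. It assumes `curl` is on the runner and that pull requests to be merged carry a label named `automerge`; both are assumptions, not something the thread specifies.

```yaml
# Added example, not from the original thread.
# Assumptions: curl is available on the runner (it is on ubuntu-latest) and
# the PRs to be merged are labelled "automerge".
name: auto-merge

on:
  pull_request:
    types: [opened, synchronize, reopened, labeled, ready_for_review]

# Least privilege: the token needs to write PR state and repo contents, nothing else.
permissions:
  contents: write
  pull-requests: write

jobs:
  merge:
    runs-on: ubuntu-latest
    # Only act on PRs that carry the (assumed) "automerge" label.
    if: contains(github.event.pull_request.labels.*.name, 'automerge')
    steps:
      - name: Merge the triggering pull request via the REST API
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # PUT /repos/{owner}/{repo}/pulls/{pull_number}/merge
          # GitHub evaluates branch protection on this call: if required
          # reviews or status checks are not satisfied it answers 405 and the
          # job fails. That is the property that makes this safer than giving
          # the bot push rights, which would bypass protection entirely.
          status=$(curl -sS -o response.json -w '%{http_code}' \
            -X PUT \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            -d '{"merge_method":"squash"}' \
            "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/merge")
          echo "merge call returned HTTP ${status}"
          cat response.json
          [ "${status}" = "200" ]
```

Two caveats a practitioner will hit. First, a `pull_request` run for a PR from a fork gets a read-only `GITHUB_TOKEN`, so this only merges branches that live in the same repository. Second, the run fires on PR events, not when a later check finishes, so if the required checks are still pending the merge call returns 405 and you need either a trigger tied to check completion or GitHub's own auto-merge (for example `gh pr merge --auto`, which requires auto-merge to be enabled in the repository settings). Neither caveat weakens the point above: whatever a collaborator writes into the workflow file on their branch, the merge is still gated by the protected branch's rules.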
Do you know of any possible solution to allow auto-merging as part of a workflow? I think it's a common issue.
I've looked into automerge-action and it seems to suffer from the same issue; the docs suggest using a personal access token, but from my understanding it's just as vulnerable.
Could there be any way of limiting GitHub Actions to merge/push to the branch that invoked the workflow? Or scoping secrets by branch? Or auto-merging outside of GitHub Actions once all check runs are done?
I found a partial solution to this, it allows you to have protected branches that require 1 approval and a green CI. See https://github.com/ridedott/dependabot-auto-merge-action.
The same thing applies to other bots. I don't understand why you don't allow the CodeOwner feature to prevent updating workflows, and then allow the GitHub Actions bot to push to the same branch that triggered it.
Right now, in practice, I have to choose between protecting branches and using GitHub Actions on that branch.