Copilot Lvl 3
Message 1 of 19

How to push to protected branches in a GitHub Action

Hello,

 

We have successfully set up GitHub Actions to automatically bundle/compile our JavaScript files whenever we push to master. This worked well when we first tried it out in a non-master branch, or for one of our extensions (a different repo).

 

Now, we get failures about not being able to push to protected branches. We use the automatic GITHUB_TOKEN secret for pushing - as far as I can tell, there is no way to configure this pseudo-user to be able to push to protected branches.

 

Is there a simple way to proceed here; or do we need to create a new deploy token (which we had to do for our previous solution which was running on Travis CI)?

 

Any help is appreciated, thanks!

18 Replies
Copilot Lvl 3
Message 2 of 19

Re: How to push to protected branches in a GitHub Action

@AndreaGriffiths11 I got an email about your response, but apparently it has been deleted again.

 

Since you were asking... it's still not working unfortunately, even though I reduced some of the protection rules for our master branch.

 

See https://github.com/flarum/core/runs/212450535

Copilot Lvl 3
Message 3 of 19

Re: How to push to protected branches in a GitHub Action

The error we are currently seeing is this:

 

remote: error: GH006: Protected branch update failed for refs/heads/master.
remote: error: 6 of 6 required status checks are expected. At least 1 approving review is required by reviewers with write access.

 

That's not something that should affect direct pushes from an Action, right?

I could only fix this by disabling all checks for this branch, but that now obviously means all MR restrictions are lifted as well. Not good.

Copilot Lvl 3
Message 4 of 19

Re: How to push to protected branches in a GitHub Action

In my case I am getting this error:

 

$ git push origin master
error: src refspec refs/heads/master matches more than one.
fatal: The remote end hung up unexpectedly
error: failed to push some refs to 'https://Ash258:***@github.com/Ash258/GithubActionsBucketForTesting.git'
^^^ Error! See above ^^^ (last command: hub push origin master)

 

https://github.com/Ash258/GithubActionsBucketForTesting/runs/212145912#step:4:110

GitHub Staff
Message 5 of 19

Re: How to push to protected branches in a GitHub Action

That is a strange error.  

 

The checkout step already checks out the ref that triggered the run and then resets that ref to the specific SHA that configured the run.  

 

https://github.com/Ash258/GithubActionsBucketForTesting/runs/212145912#step:3:420

 

I am unsure why your additional checkout is setting up another tracking ref.

 

GitHub Staff
Message 6 of 19

Re: How to push to protected branches in a GitHub Action

The token will not be able to push to a protected branch as that would enable anyone with write access to your repo to push to that protected branch by simply updating the workflow in a branch. Having that ability would make protected branches useless.

 

 

Copilot Lvl 3
Message 7 of 19

Re: How to push to protected branches in a GitHub Action


@chrispat wrote:

The token will not be able to push to a protected branch as that would enable anyone with write access to your repo to push to that protected branch by simply updating the workflow in a branch. Having that ability would make protected branches useless.

 


 

@chrispat, thanks for pointing out this potential branch protection bypass.

 

However, this potential bypass can easily be plugged.

In our company, we have a policy to set Code owners for the .github/ directory to repository's Administrators. That way, we would also prevent an arbitrary user with write access to bypass branch protection rules by altering GitHub Action workflows.

 

I also don't think all rules need to be bypassed for a GitHub Action. The one that is relevant is the Require pull request reviews before merging. We would need to be able to directly push commits created by an Action, whilst continuing to require pull request reviews for PRs created by humans.

Copilot Lvl 3
Message 8 of 19

Re: How to push to protected branches in a GitHub Action

Thanks for getting back!

 

Could that restriction be lifted so that the token cannot push to any protected branch *except* for the one that triggered the action (if that is even protected)? That way, workflow changes in non-protected branches could still not affect the protected branch, but my scenario would start working. (Because only pushes to master would trigger workflows that could themselves push to master. Any changes to these workflows would have to be committed / approved / merged by somebody with access to those protected branches anyway.)

Copilot Lvl 3
Message 9 of 19

Re: How to push to protected branches in a GitHub Action

Could there not be an exception process for things like GitHub Apps? We have a CI utility that performs routine, scripted post-merge activities (version bumps, updating the changelog, etc). It would be incredibly useful to be able to specify "tokens from GitHub App X can bypass the protected branch" 

Copilot Lvl 2
Message 10 of 19

Re: How to push to protected branches in a GitHub Action

I created a personal access token.
I am admin in the repo, and admins have write access without restriction to protected branches.

Then added this token to the Secrets page (../settings/secrets) as `GITHUB_TOKEN_PHIL`.

In the workflow file I override the pseudo token `GITHUB_TOKEN`:

      - name: 'Bump Version'
        uses: 'phips28/gh-action-bump-version@master'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN_PHIL }}

Now the action can push to the protected branch.

 

BUT this results in an endless workflow, the push triggers another action and so on...
This behavior doesn't appear if I use the default pseudo token and remove the protected state. In this case the action triggers once, and no trigger after the action pushed to branch. (That's how it should be)
@chrispat is that inconsistency a bug? A push from an action should not trigger an action again IMO.
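The pattern from message 10 (an admin's personal access token stored as a secret, used in place of GITHUB_TOKEN) with a guard against the re-trigger loop it describes, as an added example that is not code from this thread or from the phips28 action. It assumes a secret named ADMIN_PUSH_TOKEN, an npm build, and a branch named master; the `[skip ci]` commit-message handling and `actions/checkout@v4` postdate this 2019 thread, so they would not have helped the original poster at the time.

```yaml
# .github/workflows/rebuild-bundle.yml  (added example, not from the thread)
name: Rebuild bundle on master

on:
  push:
    branches: [master]

jobs:
  rebuild:
    runs-on: ubuntu-latest
    # First loop guard: a commit produced by this job carries "[skip ci]"
    # in its message, so a run triggered by that commit exits immediately.
    if: "!contains(github.event.head_commit.message, '[skip ci]')"
    steps:
      - uses: actions/checkout@v4
        with:
          # ADMIN_PUSH_TOKEN is a hypothetical secret name holding a PAT of a
          # repository admin (admins may push to protected branches, message 10).
          # actions/checkout persists this token for later git commands.
          token: ${{ secrets.ADMIN_PUSH_TOKEN }}

      - name: Build bundle
        run: |
          npm ci
          npm run build

      - name: Commit and push rebuilt files
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A
          # Nothing changed: exit cleanly instead of failing on an empty commit.
          if git diff --cached --quiet; then
            echo "bundle unchanged, nothing to push"
            exit 0
          fi
          # Second loop guard: GitHub skips push-triggered workflows for
          # commits whose message contains [skip ci].
          git commit -m "chore: rebuild bundle [skip ci]"
          git push origin HEAD:master
```

Two caveats a practitioner should weigh. The CODEOWNERS policy from message 7 (a `.github/CODEOWNERS` line such as `/.github/ @org/repo-admins`) only gates merging workflow changes into master, and only if "Require review from Code Owners" is enabled in the branch protection rule; it does not stop a collaborator with write access from editing the workflow on their own branch, changing the `on:` filter, and pushing, at which point that branch's copy of the workflow runs with the same repository secrets, including ADMIN_PUSH_TOKEN. Scoping the token to a GitHub Actions environment whose deployment branch rule allows only master (a feature added after this thread) limits the secret to runs on that branch, which is closer to what message 8 asks for.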