Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

remote: Permission to git denied to github-actions[bot]. #96

Closed
Shaquu opened this issue Jul 29, 2021 · 54 comments · Fixed by #190
Closed

remote: Permission to git denied to github-actions[bot]. #96

Shaquu opened this issue Jul 29, 2021 · 54 comments · Fixed by #190

Comments

@Shaquu
Copy link

Shaquu commented Jul 29, 2021

Hi,
I am trying to push changes but like you will see it fails due to some errors.

Test run is here:
https://github.com/NRCHKB/node-red-contrib-homekit-docker/runs/3194895671?check_suite_focus=true

Error

Run ad-m/github-push-action@master
  with:
    github_token: ***
    branch: refs/pull/42/merge
    directory: .
Push to branch refs/pull/42/merge
remote: Permission to NRCHKB/node-red-contrib-homekit-docker.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/NRCHKB/node-red-contrib-homekit-docker.git/': The requested URL returned error: 403
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5) {
  code: 128
}
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)

Part of the gh action:

  dependabot:
    #needs: [build]
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      - uses: actions/checkout@v2
        with:
          persist-credentials: false
          fetch-depth: 0
      - run: |
          git config user.name github-actions[bot]
          git config user.email github-actions[bot]@users.noreply.github.com
          npm version patch -m "[RELEASE] %s"
      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.ref }}
      - uses: fastify/github-action-merge-dependabot@v2.1.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
@ad-m
Copy link
Owner

ad-m commented Jul 30, 2021

Do you have organisation restriction? Is that branch protected?

@Shaquu
Copy link
Author

Shaquu commented Jul 30, 2021

I am trying to push to dependapot pr branch. There should be no limits on that.
Maybe I am passing branch incorrectly.
I will check and get back.

@ad-m
Copy link
Owner

ad-m commented Jul 30, 2021

Looks mention:

GITHUB_TOKEN Permissions
  Actions: read
  Checks: read
  Contents: read
  Deployments: read
  Discussions: read
  Issues: read
  Metadata: read
  Packages: read
  PullRequests: read
  RepositoryProjects: read
  SecurityEvents: read
  Statuses: read

Default is:


GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

See https://github.com/ad-m/cbosa/runs/3197304980?check_suite_focus=true .

Something is restricting permission.

What do you have at https://github.com/NRCHKB/node-red-contrib-homekit-docker/settings/actions in "Workflow permissions" section?

@Shaquu
Copy link
Author

Shaquu commented Jul 30, 2021

@ad-m here it is, says read and write
image

In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

@Shaquu
Copy link
Author

Shaquu commented Jul 30, 2021

Okay, I see the issue. Dependabot is pushing from fork. It is why permissions are limited.
Dependabot is creating branch on my repo.

@Shaquu
Copy link
Author

Shaquu commented Jul 30, 2021

@ad-m update.
I have used custom token:

        with:
          github_token: ${{ secrets.DEPENDABOT_TOKEN }}

It is defined on repo level
image

I receive new error from your action:
Missing input "github_token: ${{ secrets.GITHUB_TOKEN }}".

UPDATE.
Another hint found:
Secrets are not passed to workflows that are triggered by a pull request from a fork
Except it is branch on my repo.

@ad-m
Copy link
Owner

ad-m commented Aug 1, 2021

Note: With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

See Using encrypted secrets in a workflow

Something is restricting permission.

See "Maximum access by forked repos" in Permissions for the GITHUB_TOKEN

I suggest - in your scenario – using the "push" event instead of "pull_request" and using GITHUB_TOKEN. Then the "push" event will be executed in the context of the source repository (repository that is fork), so it will be a local operation and will be a full write to the local repository.

@Shaquu
Copy link
Author

Shaquu commented Aug 1, 2021

Just to clarify. I am merging between branches on the same repo.

Solution might be to extend permissions for GitHub token per job:
https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions

@ad-m
Copy link
Owner

ad-m commented Aug 1, 2021

Thank for you clarification. It makes a big different.

I don't understand why extends of permission for GitHub token is required in your scenario. In my experience, the token should have the necessary "read / write" permissions currently. I already shared information permission of one of my job on personal repository.

Setting up permission in a workflow can potentially solve the problem, but it's worth understanding why it is required in this case.Setting up permission in a workflow can potentially solve the problem, but it's worth understanding why it is required in your case.

GitHub documentation mention:

People with admin permissions to an enterprise, organization, or repository can set the default permissions to be either permissive or restricted.

Could you verify that in your organisation?

@noxxious
Copy link

noxxious commented Sep 2, 2021

@Shaquu ran into the same issue here and it seems it is a limitation of the way dependabot works and there's a note in Github docs

Note: Workflow runs triggered by Dependabot pull requests run as if they are from a forked repository, and therefore use a read-only GITHUB_TOKEN. These workflow runs cannot access any secrets. See "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" for strategies to keep these workflows secure.
https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

@noxxious
Copy link

noxxious commented Sep 2, 2021

It seems also you can manage this behavior in your organization action settings "Fork pull request workflows in private repositories" -> "Send secrets to workflows from fork pull requests."

@albjeremias
Copy link

so im trying to create a branch.. called dist.. where dist folder is generated...

should I push it with dependabot? or is there a better strategy?

@lixuguang
Copy link

I have the same problem

@ZPascal
Copy link
Collaborator

ZPascal commented Jun 2, 2022

Hi @lixuguang, do you have checked the access rights of the token?

@siegfault
Copy link

I ran into this issue while trying to solve the same problem. In case it's helpful, I found some good examples that helped me resolve it. What @noxxious said, that dependabot by default has a readonly token, is true, but it looks like adding a top-level entry allows us to change that:

permissions:
  pull-requests: write
  issues: write
  repository-projects: write

See:

@SamYuan1990
Copy link

permissions:
  pull-requests: write
  contents: write
  repository-projects: write

Hi team,

I tried permissions above but it won't work.
is there any guidance to set up / check the permissions?
for example if the branch protected or workflow permissions?

@ZPascal
Copy link
Collaborator

ZPascal commented Oct 3, 2022

Hi @SamYuan1990,

as far as I know, it should work with the corresponding rules. Could you please describe your setup and post the corresponding error message?

@SamYuan1990
Copy link

Hi @SamYuan1990,

as far as I know, it should work with the corresponding rules. Could you please describe your setup and post the corresponding error message?

Hi @ZPascal , we find a bot account to avoid this issue.

We once have a rule for commit on default branch should have a pr back.

and then, the issue appears as push back without a pr.

@ZPascal
Copy link
Collaborator

ZPascal commented Oct 16, 2022

Hi @SamYuan1990, could you please share the scopes of the token and the used GitHub Action configuration to reproduce the error?

@panienkaczuprynienka
Copy link

@ad-m here it is, says read and write image
In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

where is this?

You will find it under the repo setting and then click on action

Worked for me too! Thanks!

@Olalexy1
Copy link

Olalexy1 commented Dec 3, 2023

Hi. Here is a simple trick to solve this issue:

  1. Open GitHub Repository where the problem is occurring.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General.
    image
  5. Scroll down to Workflow permissions.
  6. Make sure the following settings are enabled and click "Save"

image

Thanks alot for this

@marknoble
Copy link

Hi. Here is a simple trick to solve this issue:

  1. Open GitHub Repository where the problem is occurring.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General.
    image
  5. Scroll down to Workflow permissions.
  6. Make sure the following settings are enabled and click "Save"

image

Thanks alot for this

The images look broken here... it's hard to tell what settings you suggest enabling without them. 🤔

@ZPascal
Copy link
Collaborator

ZPascal commented Dec 7, 2023

@marknoble You can also follow this recommendation to handle access rights.

@marknoble
Copy link

@marknoble You can also follow this recommendation to handle access rights.

I was able to confirm that permissions are set to read and write, but I'm still seeing this error:

remote: Permission to {repo name}.git denied to github-actions[bot].

So, I'm still researching solutions.

@ZPascal
Copy link
Collaborator

ZPascal commented Dec 8, 2023

@marknoble Could you please explain your use case? Maybe you need a PAT.

@marknoble
Copy link

@marknoble Could you please explain your use case? Maybe you need a PAT.

Fortunately/unfortunately I nuked my repo and did a fork on the project I was trying to emulate. For whatever reason, that solved the issue for me.

I had initially manually created the folder structure and files.

I wish I knew what I was doing wrong, but forking from the working project resolved the issue for me. 🤷‍♂️

@ZPascal
Copy link
Collaborator

ZPascal commented Dec 10, 2023

I wish I knew what I was doing wrong, but forking from the working project resolved the issue for me.

@marknoble That sounds great. Maybe you've specified the wrong reference or it's necessary to use the force option for the initial commit.

@aangelinsf
Copy link

aangelinsf commented Dec 22, 2023

Came here to see why my workflow was failing. It took adding permissions so that Dependabot could modify the pull-request and push the changes back to the repo:

permissions:
  contents: write
  pull-requests: write

@Tungobhadra
Copy link

Tungobhadra commented Jan 5, 2024

Hi. Here is a simple trick to solve this issue:

  1. Open GitHub Repository where the problem is occurring.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General.
    image
  5. Scroll down to Workflow permissions.
  6. Make sure the following settings are enabled and click "Save"

image

This really worked, thanks :)

@klaus-cicd
Copy link

Hi. Here is a simple trick to solve this issue:

  1. Open GitHub Repository where the problem is occurring.
  2. Go to Settings.
  3. Go to Actions.
  4. Go to General.
    image
  5. Scroll down to Workflow permissions.
  6. Make sure the following settings are enabled and click "Save"

image

Still doesn't work (JamesIves/github-pages-deploy-action@v4.4.3)

I get:

remote: Permission to ShlomiRex/pathfinding-algorithms-visualization.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/ShlomiRex/pathfinding-algorithms-visualization.git/': The requested URL returned error: 403

EDIT: Never mind, because I'm using webpack/babel and generate files (generating static HTML, JS, CSS files from react project), I added this write premission and now it works:

permissions:
  contents: write # We generate static HTML, JS, CSS so we need write access to the repo
  pages: write
  id-token: write

Thanks

@XingXiaoWu
Copy link

在这里,说读和写 图像

在您的参考(cbosa 运行)中,您正在推动 master,我正在尝试推动 PR 分支。

To avoid anyone being unable to find it, here

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.