Pushing to PR protected branch with token obtained from this action

[faileon]

Hello everyone,
I have created a custom GithubApp to which I gave permission to bypass branch protection rules (Allow specified actors to bypass required pull requests).

I have a workflow setup like this:

name: release on: workflow_dispatch jobs: release: runs-on: ubuntu-latest environment: production steps: - uses: actions/checkout@v3 with: fetch-depth: 0 ref: master - name: Use Node.js uses: actions/setup-node@v3 with: node-version: 18.10.0 - name: Setup Git run: |  git config user.name "DWA Bot"  git config user.email "dwabot@example.com"  - name: DWA-bot auth id: dwa-bot uses: actions/create-github-app-token@v1 with: app-id: ${{ secrets.DWA_BOT_APP_ID }} private-key: ${{ secrets.DWA_BOT_PRIVATE_KEY }} - name: Log in to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - run: npm ci - name: Version shell: bash run: npx nx affected --base=last-release --target=version --parallel=1 env: GITHUB_TOKEN: ${{ steps.dwa-bot.outputs.token }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} PKG_GITHUB_TOKEN: ${{ secrets.PKG_GITHUB_TOKEN }} - name: Tag last-release shell: bash run: |  git tag -f last-release  - name: Push changes uses: ad-m/github-push-action@master with: github_token: ${{ steps.dwa-bot.outputs.token }} branch: master - name: Push tags uses: ad-m/github-push-action@master with: github_token: ${{ steps.dwa-bot.outputs.token }} branch: master force: true tags: true

However the workflow still fails with the following erro:
remote: error: Changes must be made through a pull request.

Output from the create-github-app-token action seems to be OK:
owner and repositories not set, creating token for the current repository ("dwa")

Anyone could please shed some light on what I might be doing wrong?

Thank you.

[gr2m]

I don't think it's a problem with our action.

Can you please try to set persist-credentials: false for the checkout step?

 - uses: actions/checkout@v3 with: fetch-depth: 0 ref: master persist-credentials: false

[faileon]

Ah thank you so much, actions/checkout seems to indeed be the root cause of this issue.

After investigating further it seems that the checkout action persists the passed credentials by default and subsequent git commands will pick them up automatically... I did not expect that.

I believe your proposed solution works, I am also adding mine, which is to specify the token for the checkout action.

 steps: - name: DWA-bot auth id: dwa-bot uses: actions/create-github-app-token@v1 with: app-id: ${{ secrets.DWA_BOT_APP_ID }} private-key: ${{ secrets.DWA_BOT_PRIVATE_KEY }} - uses: actions/checkout@v4 with: fetch-depth: 0 ref: master token: ${{ steps.dwa-bot.outputs.token }}

This resolved the issue. Thanks again for the quick reply.

[Dogacel]

Thank you so much 🙇 I never realized checkout implicitly brought credentials.