Publish workflow cannot push to protected branch #341

Closed
CasperWA opened this issue Jun 12, 2020 · 7 comments
Labels: bug (Something isn't working), CI (Continuous Integration - GitHub Actions issues (NOT related to the repository Action))

Comments

@CasperWA
Member

The publish workflow fails due to an attempt at pushing to a protected branch.

Possible solutions:

  • Allow a specific username to push to the branch, use this username
  • Create a PR instead.

The first option may be dangerous, since it will open up the possibility of a user force pushing to master without our consent.
The second option fails to be a "one-button-option".

@CasperWA added the bug and CI labels Jun 12, 2020
@shyamd
Contributor

shyamd commented Jun 13, 2020

I suggest we go with the first option and use @gmrigna GitHub user for this so we don't screw things up?

We can also unprotect the master since it does require signed commits, which are hard to do from a terminal client.

@CasperWA
Member Author

> I suggest we go with the first option and use @gmrigna GitHub user for this so we don't screw things up?

How does that work with signing on and security in the context of our Action?

> We can also unprotect the master since it does require signed commits, which are hard to do from a terminal client.

Not a fan of this. Maybe instead we can create a bot OPTIMADE-dev user?

@shyamd
Contributor

shyamd commented Jun 13, 2020

It would just use a personal access token that @gmrigna would have to make and put in secrets. It would have no use outside of actions.

Making a bot user is not much different. It's just another account for someone to maintain and bot accounts are generally neglected.

@CasperWA
Member Author

Right, PAT should work - true.
Then we go through the GitHub API and all that jazz?

@shyamd
Contributor

shyamd commented Jun 13, 2020

No, we just add @gmrigna as an exception to the normal protection rules. Have him put his PAT in as a secret, and just switch that commit action to use the PAT in the secret.
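
The setup described in the comment above, written as a workflow (an added example, not part of the thread and not the project's own workflow). The secret name `RELEASE_PAT`, the committer identity and the `VERSION` file are assumptions, and it assumes the PAT's owner has been exempted from the branch's protection rules as the comment proposes.

```yaml
# Added example: hypothetical publish job. Names marked "assumed" are not from the issue.
name: Publish (example)

on:
  release:
    types: [published]

# Keep the workflow's built-in GITHUB_TOKEN read-only, so the only credential
# able to write to the repository is the PAT used in the checkout step.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Check out master with the PAT
        uses: actions/checkout@v4
        with:
          ref: master
          # assumed secret name; holds the PAT of the user exempted from the
          # branch protection rules
          token: ${{ secrets.RELEASE_PAT }}
          # persist-credentials defaults to true, so the later `git push`
          # authenticates with this token instead of GITHUB_TOKEN

      - name: Commit and push the release change
        run: |
          git config user.name "release-bot"                # assumed identity
          git config user.email "release-bot@example.org"   # assumed identity
          echo "${GITHUB_REF_NAME}" > VERSION               # assumed release change
          git add VERSION
          # Skip the commit when nothing changed so a re-run does not fail
          git diff --cached --quiet || git commit -m "Release ${GITHUB_REF_NAME}"
          # Plain push, never --force: only the exempted user's PAT can write here
          git push origin HEAD:master
```

Anyone who can edit workflows that read this secret can push to the protected branch as that user, so the PAT should carry only the scope needed to push to this repository.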

@CasperWA
Member Author

Well if that works and the two-layered security of a valid username+PAT works, then that would be an implementable solution for sure.

@CasperWA
Member Author

This has been solved by the newest edition of the publish workflow, utilizing the action CasperWA/push-protected.
