
Using a Github App Token instead of PAT #173

Closed
vibro opened this issue Jul 6, 2023 · 14 comments

Comments

vibro commented Jul 6, 2023

I'm working with the new Ruleset feature in Github and I'm running into an issue with the push action + custom token.

I have a Github App that I have granted access to the repo. In my Rule, I also allow this application to bypass rule prohibiting pushing to a particular branch. I'm using the github-app-token action to generate a token. Rules currently do not have a way to allow github-actions[bot] to bypass them (see this discussion for more info).

I am able to push a commit fine using the push action, but when I check the rule insights, it shows the commit as coming from github-actions[bot] instead of my custom app. Is it possible to use a Github App token in this action?

Example action:

    jobs:
      cherry-pick-commit:
        runs-on: self-hosted
        steps:
          - name: Checkout code
            uses: actions/checkout@v3
            with:
              fetch-depth: 0

          - name: Generate GitHub App Token
            id: generate_token
            uses: tibdex/github-app-token@v1
            with:
              app_id: ${{ secrets.APP_ID }}
              installation_id: ${{ secrets.INSTALLATION_ID }}
              private_key: ${{ secrets.APP_PRIVATE_KEY }}

          - name: Define Branch Name
            id: branch_name
            run: echo "BRANCH=$(./bin/branch-name ${{ github.event.inputs.action }})" >> "$GITHUB_ENV"

          - name: Setup Git User
            run: |
              # Extract commit information
              AUTHOR_NAME=$(git show -s --format='%an' ${{ github.event.inputs.commit }})
              AUTHOR_EMAIL=$(git show -s --format='%ae' ${{ github.event.inputs.commit }})
              git config --local user.email "${AUTHOR_EMAIL}"
              git config --local user.name "${AUTHOR_NAME}"

          - name: Checkout Branch
            run: git checkout ${{ env.BRANCH }}

          - name: Cherry Pick
            run: |
              git cherry-pick -X theirs ${{ github.event.inputs.commit }}

          - name: Push changes
            uses: ad-m/github-push-action@v0.6.0
            env:
              TOKEN: ${{ steps.generate_token.outputs.token }}
            with:
              github_token: ${{ env.TOKEN }}
              branch: ${{ env.BRANCH }}

Here's the insight showing that it came from github-actions[bot].

ZPascal (Collaborator) commented Jul 6, 2023

Hi @vibro, I think a switch to the master version, ad-m/github-push-action@master, and a change of the sequence of the Setup Git User and Checkout Branch steps could solve your case.

vibro (Author) commented Jul 6, 2023

Hi @ZPascal thanks for getting back to me so quickly!

I tried the master branch, no luck there. I also did change the order but that didn't do anything either. The git user/email is set correctly (from the original commit) but the pusher still shows as github-actions[bot].

Bottom is the original commit that I cherry-picked with the action; here's the cherry-pick with the right user (me).

ZPascal (Collaborator) commented Jul 6, 2023

Hi @vibro, that's bad. I'll set up a test case to further investigate the topic.

vibro (Author) commented Jul 7, 2023

Thanks! I may also open a ticket with the Rules folks, it's possible that something is going wrong there too.

ahf90 commented Jul 16, 2023

I'm using an app token in a similar way here and you can see here that the commit shows as pushed by me. I'm not cherry-picking and I'm using a different action to get the token, but I thought it might help you troubleshoot.

vibro (Author) commented Jul 18, 2023

> I'm using an app token in a similar way here and you can see here that the commit shows as pushed by me. I'm not cherry-picking and I'm using a different action to get the token, but I thought it might help you troubleshoot.

@ahf90 in my screenshots here the commit is also done by my user, but in the Rules entry, it's showing up as Github actions[bot]. That is the "push" user. I would expect the "push" user to be my app, not Github actions[bot].

ZPascal (Collaborator) commented Jul 22, 2023

Hi @vibro, I tried to set up a test case on my end, but I need some more information. Is the GH app within an organization, or did you register it personally? What is the functionality of the app and is it possible to share the code?

Also, was the commit in the branch created by the GitHub actions[bot] dummy user, or was it your own user? Would it be helpful if I created a debug release for you?

I also ran test cases with a PAT from my technical user. I have customized the git user and email to my technical user in the first case. In my second case, I reverted it to the GitHub actions[bot] user.

Result of the commit at the end:

  1. the commit was made by my technical user.
  2. the commit was performed by the GitHub actions[bot] user.

vibro (Author) commented Jul 25, 2023

@ZPascal The GH app is within an organization, and I'm only using it to get a more functional access token that can perform more actions than a deploy token (and is not tied to a user like a PAT).

My issue is with the new Ruleset functionality. In Rules, there are audits to show if an experimental rule would have passed or not. I have a rule that blocks commit to main for all users but allows my GH App to bypass this rule. When I run this push action, the committer is shown as me (because I'm setting the config.user in the action) but in the Rule audit trail, it shows the push done as the Github actions[bot]. It's very possible this is a Rules issue as this feature is new. I haven't opened a ticket with them yet but I will.

ZPascal (Collaborator) commented Aug 10, 2023

> My issue is with the new Ruleset functionality. In Rules, there are audits to show if an experimental rule would have passed or not. I have a rule that blocks commit to main for all users but allows my GH App to bypass this rule. When I run this push action, the committer is shown as me (because I'm setting the config.user in the action) but in the Rule audit trail, it shows the push done as the Github actions[bot]. It's very possible this is a Rules issue as this feature is new. I haven't opened a ticket with them yet but I will.

To my understanding @vibro, this does not sound like a problem from the push action. The corresponding user was used correctly in the commit. There is a possibility that the rule functionality evaluates the used user (token), but this would also indicate that your app passes a generalized (GH default token) and not a personalized token (e.g. impersonated Token).

From my understanding, you should open an issue on the Rules side. Feel free to come back if you need support from the GH Push Action community.

mattbarlow-sg commented
Been troubleshooting a similar issue, and one thing I learned is that if you are using the actions/checkout action it persists the github action credentials to the gitconfig, so I needed to add this in order to use the token returned from the GitHub App in the subsequent github push step:

    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
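To show why that checkout setting matters, here is an added shell example (not part of this issue, the push action, or actions/checkout): it looks for the `http.https://github.com/.extraheader` entry that actions/checkout writes into the repo's local `.git/config` when `persist-credentials` is left at its default, and removes it so a later push authenticates only with the token the push step is given. The sample repo and the token value are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: detect and remove the credential header that actions/checkout
# persists into .git/config (persist-credentials defaults to true). While that
# header is present, git sends it on every push to github.com, so a different
# token handed to a later push step is not what actually authenticates.
set -u

# Config key written by actions/checkout for the GITHUB_TOKEN.
CRED_KEY='http.https://github.com/.extraheader'

# Return 0 if the repo at $1 still carries a persisted Authorization header.
has_persisted_credential() {
  local repo="$1"
  git -C "$repo" config --local --get-all "$CRED_KEY" 2>/dev/null \
    | grep -qi '^AUTHORIZATION:'
}

# Remove every persisted Authorization header from the repo at $1.
# Equivalent to what 'persist-credentials: false' avoids in the first place.
clear_persisted_credential() {
  local repo="$1"
  if has_persisted_credential "$repo"; then
    git -C "$repo" config --local --unset-all "$CRED_KEY"
  fi
}

# Constructed sample: a throwaway repo carrying the header in the same form
# actions/checkout uses (basic auth of "x-access-token:<token>").
make_sample_repo() {
  local repo fake_token b64
  repo="$(mktemp -d)"
  git -C "$repo" init -q
  fake_token='ghs_constructed_example_token'   # placeholder, not a real token
  b64="$(printf 'x-access-token:%s' "$fake_token" | base64 | tr -d '\n')"
  git -C "$repo" config --local "$CRED_KEY" "AUTHORIZATION: basic $b64"
  printf '%s\n' "$repo"
}
```

Run `has_persisted_credential "$GITHUB_WORKSPACE"` as a step before the push to make a stale checkout credential fail fast instead of silently overriding the app token.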

vibro (Author) commented Aug 16, 2023

@mattbarlow-sg that was it! Worked perfectly, thanks so much.

@ZPascal maybe that is worth putting in the README? If you use actions/checkout@v3 for checkout, then using a custom PAT for pushing with this action doesn't work without persist-credentials: false on the checkout action.

ZPascal (Collaborator) commented Aug 20, 2023

Hi @mattbarlow-sg, thanks for sharing the knowledge and solution!

@vibro That sounds good. I will adjust the documentation accordingly.

ZPascal (Collaborator) commented Aug 27, 2023

Hi @vibro & @mattbarlow-sg,

FYI: I've documented the corresponding setup. @vibro Can we close the issue?

vibro (Author) commented Aug 28, 2023

Looks great, thanks!
