remote: Permission to git denied to github-actions[bot].

[Shaquu]

Hi,
I am trying to push changes but like you will see it fails due to some errors.

Test run is here:
https://github.com/NRCHKB/node-red-contrib-homekit-docker/runs/3194895671?check_suite_focus=true

Error

Run ad-m/github-push-action@master
  with:
    github_token: ***
    branch: refs/pull/42/merge
    directory: .
Push to branch refs/pull/42/merge
remote: Permission to NRCHKB/node-red-contrib-homekit-docker.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/NRCHKB/node-red-contrib-homekit-docker.git/': The requested URL returned error: 403
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5) {
  code: 128
}
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)

Part of the gh action:

  dependabot:
    #needs: [build]
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      - uses: actions/checkout@v2
        with:
          persist-credentials: false
          fetch-depth: 0
      - run: |
          git config user.name github-actions[bot]
          git config user.email github-actions[bot]@users.noreply.github.com
          npm version patch -m "[RELEASE] %s"
      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.ref }}
      - uses: fastify/github-action-merge-dependabot@v2.1.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

[ad-m]

Do you have organisation restriction? Is that branch protected?

[Shaquu]

I am trying to push to dependapot pr branch. There should be no limits on that.
Maybe I am passing branch incorrectly.
I will check and get back.

[ad-m]

Looks mention:

GITHUB_TOKEN Permissions
  Actions: read
  Checks: read
  Contents: read
  Deployments: read
  Discussions: read
  Issues: read
  Metadata: read
  Packages: read
  PullRequests: read
  RepositoryProjects: read
  SecurityEvents: read
  Statuses: read

Default is:

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

See https://github.com/ad-m/cbosa/runs/3197304980?check_suite_focus=true .

Something is restricting permission.

What do you have at https://github.com/NRCHKB/node-red-contrib-homekit-docker/settings/actions in "Workflow permissions" section?

[Shaquu]

@ad-m here it is, says read and write

In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

[Shaquu]

Okay, I see the issue. Dependabot is pushing from fork. It is why permissions are limited.
Dependabot is creating branch on my repo.

[Shaquu]

@ad-m update.
I have used custom token:

        with:
          github_token: ${{ secrets.DEPENDABOT_TOKEN }}

It is defined on repo level

I receive new error from your action:
Missing input "github_token: ${{ secrets.GITHUB_TOKEN }}".

UPDATE.
Another hint found:
Secrets are not passed to workflows that are triggered by a pull request from a fork
Except it is branch on my repo.

[ad-m]

Note: With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

See Using encrypted secrets in a workflow

Something is restricting permission.

See "Maximum access by forked repos" in Permissions for the GITHUB_TOKEN

I suggest - in your scenario – using the "push" event instead of "pull_request" and using GITHUB_TOKEN. Then the "push" event will be executed in the context of the source repository (repository that is fork), so it will be a local operation and will be a full write to the local repository.

[Shaquu]

Just to clarify. I am merging between branches on the same repo.

Solution might be to extend permissions for GitHub token per job:
https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions

[ad-m]

Thank for you clarification. It makes a big different.

I don't understand why extends of permission for GitHub token is required in your scenario. In my experience, the token should have the necessary "read / write" permissions currently. I already shared information permission of one of my job on personal repository.

Setting up permission in a workflow can potentially solve the problem, but it's worth understanding why it is required in this case.Setting up permission in a workflow can potentially solve the problem, but it's worth understanding why it is required in your case.

GitHub documentation mention:

People with admin permissions to an enterprise, organization, or repository can set the default permissions to be either permissive or restricted.

Could you verify that in your organisation?

[noxxious]

@Shaquu ran into the same issue here and it seems it is a limitation of the way dependabot works and there's a note in Github docs

Note: Workflow runs triggered by Dependabot pull requests run as if they are from a forked repository, and therefore use a read-only GITHUB_TOKEN. These workflow runs cannot access any secrets. See "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" for strategies to keep these workflows secure.
https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

[noxxious]

It seems also you can manage this behavior in your organization action settings "Fork pull request workflows in private repositories" -> "Send secrets to workflows from fork pull requests."

[albjeremias]

so im trying to create a branch.. called dist.. where dist folder is generated...

should I push it with dependabot? or is there a better strategy?

[lixuguang]

I have the same problem

[ZPascal]

Hi @lixuguang, do you have checked the access rights of the token?

[siegfault]

I ran into this issue while trying to solve the same problem. In case it's helpful, I found some good examples that helped me resolve it. What @noxxious said, that dependabot by default has a readonly token, is true, but it looks like adding a top-level entry allows us to change that:

permissions:
  pull-requests: write
  issues: write
  repository-projects: write

See:

• https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#changing-github_token-permissions
• https://github.com/dependabot/fetch-metadata#usage-instructions

[SamYuan1990]

permissions:
  pull-requests: write
  contents: write
  repository-projects: write

Hi team,

I tried permissions above but it won't work.
is there any guidance to set up / check the permissions?
for example if the branch protected or workflow permissions?

[ZPascal]

Hi @SamYuan1990,

as far as I know, it should work with the corresponding rules. Could you please describe your setup and post the corresponding error message?

[SamYuan1990]

Hi @SamYuan1990,

as far as I know, it should work with the corresponding rules. Could you please describe your setup and post the corresponding error message?

Hi @ZPascal , we find a bot account to avoid this issue.

We once have a rule for commit on default branch should have a pr back.

and then, the issue appears as push back without a pr.

[ZPascal]

Hi @SamYuan1990, could you please share the scopes of the token and the used GitHub Action configuration to reproduce the error?

[panienkaczuprynienka]

@ad-m here it is, says read and write
In your reference (cbosa run), you were pushing to master, I am trying to push to PR branch.

where is this?

You will find it under the repo setting and then click on action

Worked for me too! Thanks!

[Olalexy1]

Hi. Here is a simple trick to solve this issue:

1. Open GitHub Repository where the problem is occurring.
2. Go to Settings.
3. Go to Actions.
4. Go to General.
   
5. Scroll down to Workflow permissions.
6. Make sure the following settings are enabled and click "Save"

Thanks alot for this

[marknoble]

Hi. Here is a simple trick to solve this issue:

1. Open GitHub Repository where the problem is occurring.
2. Go to Settings.
3. Go to Actions.
4. Go to General.
   
5. Scroll down to Workflow permissions.
6. Make sure the following settings are enabled and click "Save"

Thanks alot for this

The images look broken here... it's hard to tell what settings you suggest enabling without them. 🤔

[ZPascal]

@marknoble You can also follow this recommendation to handle access rights.

[marknoble]

@marknoble You can also follow this recommendation to handle access rights.

I was able to confirm that permissions are set to read and write, but I'm still seeing this error:

remote: Permission to {repo name}.git denied to github-actions[bot].

So, I'm still researching solutions.

[ZPascal]

@marknoble Could you please explain your use case? Maybe you need a PAT.

[marknoble]

@marknoble Could you please explain your use case? Maybe you need a PAT.

Fortunately/unfortunately I nuked my repo and did a fork on the project I was trying to emulate. For whatever reason, that solved the issue for me.

I had initially manually created the folder structure and files.

I wish I knew what I was doing wrong, but forking from the working project resolved the issue for me. 🤷‍♂️

[ZPascal]

I wish I knew what I was doing wrong, but forking from the working project resolved the issue for me.

@marknoble That sounds great. Maybe you've specified the wrong reference or it's necessary to use the force option for the initial commit.

[aangelinsf]

Came here to see why my workflow was failing. It took adding permissions so that Dependabot could modify the pull-request and push the changes back to the repo:

permissions:
  contents: write
  pull-requests: write

[Tungobhadra]

Hi. Here is a simple trick to solve this issue:

1. Open GitHub Repository where the problem is occurring.
2. Go to Settings.
3. Go to Actions.
4. Go to General.
   
5. Scroll down to Workflow permissions.
6. Make sure the following settings are enabled and click "Save"

This really worked, thanks :)

[klaus-cicd]

Hi. Here is a simple trick to solve this issue:

1. Open GitHub Repository where the problem is occurring.
2. Go to Settings.
3. Go to Actions.
4. Go to General.
   
5. Scroll down to Workflow permissions.
6. Make sure the following settings are enabled and click "Save"

Still doesn't work (JamesIves/github-pages-deploy-action@v4.4.3)

I get:

remote: Permission to ShlomiRex/pathfinding-algorithms-visualization.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/ShlomiRex/pathfinding-algorithms-visualization.git/': The requested URL returned error: 403

EDIT: Never mind, because I'm using webpack/babel and generate files (generating static HTML, JS, CSS files from react project), I added this write premission and now it works:

permissions:
  contents: write # We generate static HTML, JS, CSS so we need write access to the repo
  pages: write
  id-token: write

Thanks

[XingXiaoWu]

在这里，说读和写

在您的参考（cbosa 运行）中，您正在推动 master，我正在尝试推动 PR 分支。

To avoid anyone being unable to find it, here