Permission denied to github-actions[bot] even though PAT has permission

[nickderobertis]

Hey all, I have an action where I am trying to push a change to the same repo. I am authenticating via personal access token (PAT).

For some reason on this repo, the action fails with:

Permission to nickderobertis/flexlate-dev-semantic-release-example.git denied to github-actions[bot]

I added some debugging to show the authentication state of the PAT. gh auth status shows I am properly logged in and a curl to Github’s API shows my PAT has the following permissions:

admin:org
admin:org_hook
admin:repo_hook
delete:packages
delete_repo
gist
read:user
repo
user:email
workflow
write:permissions

Also ls-remote is working fine on the repo so it seems to be a write access problem.

Meanwhile, on other repos, I have been able use the same code just fine. I previously had provided the same PAT to both repos, but I have also tried creating a new PAT and adding to the affected repo with no change in behavior.

I am guessing there must be something different about this repo that prevents access, but I’m not sure what it could be. I can’t find any difference in the settings.

Has anyone encountered this or have ideas on what to check? Thanks!

[airtower-luna]

I notice you don’t set the token in actions/checkout, and don’t opt-out of configuring the Authorization header with it either. The result is that your PAT is effectively ignored, the push works if the default GITHUB_TOKEN is allowed to push.

I assume either that’s the difference between your repositories, or the one with the issue has a branch branch protection rule that gets in the way.

[nickderobertis]

Thank you for pointing that out, this was exactly it! I added:

with:
  token: ${{ secrets.GH_TOKEN }}

to actions/checkout@v3 and it solved the issue. Still not sure why I didn’t need that on other repos, but I will update them all to do this now that I know it was not using the PAT.

[airtower-luna]

nickderobertis:

Still not sure why I didn’t need that on other repos

I can’t be sure, obviously, but the first thing that comes to mind: In the repository settings you can configure whether the GITHUB_TOKEN should have read-write or read-only access. Maybe that’s different between the repositories?

[nickderobertis]

In the repository settings you can configure whether the GITHUB_TOKEN should have read-write or read-only access. Maybe that’s different between the repositories?

Ah, yes, that was the underlying reason. I have no idea how this setting got set differently on the repos as I haven’t touched it. But good to know, thanks so much for your help!

[Dj2chris]

Why does there have to be so many links

[yusukekuro]

Check your workflow permission in Settings > Actions > General .
To push a commit, workflow needs to have write permission.

  <a href="https://github.com/ad-m/github-push-action/issues/96#issuecomment-889984928" target="_blank" rel="noopener nofollow ugc">github.com/ad-m/github-push-action</a>

remote: Permission to git denied to github-actions[bot].

<div class="github-info">
  <div class="date">
    opened <span class="discourse-local-date" data-format="ll" data-date="2021-07-29" data-time="18:27:02" data-timezone="UTC">06:27PM - 29 Jul 21 UTC</span>
  </div>


  <div class="user">
    <a href="https://github.com/Shaquu" target="_blank" rel="noopener nofollow ugc">
      <img alt="Shaquu" src="https://user-images.githubusercontent.com/40115800/181099273-86bc3c76-709d-450f-9d9f-1a5b40eef615.jpeg" class="onebox-avatar-inline" width="20" height="20">
      Shaquu
    </a>
  </div>
</div>

<div class="labels">
</div>

Hi, I am trying to push changes but like you will see it fails due to some erro…rs.

Test run is here:
https://github.com/NRCHKB/node-red-contrib-homekit-docker/runs/3194895671?check_suite_focus=true

Error

Run ad-m/github-push-action@master
  with:
    github_token: ***
    branch: refs/pull/42/merge
    directory: .
Push to branch refs/pull/42/merge
remote: Permission to NRCHKB/node-red-contrib-homekit-docker.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/NRCHKB/node-red-contrib-homekit-docker.git/': The requested URL returned error: 403
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5) {
  code: 128
}
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)

Part of the gh action:

  dependabot:
    #needs: [build]
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      - uses: actions/checkout@v2
        with:
          persist-credentials: false
          fetch-depth: 0
      - run: |
          git config user.name github-actions[bot]
          git config user.email github-actions[bot]@users.noreply.github.com
          npm version patch -m "[RELEASE] %s"
      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.ref }}
      - uses: fastify/github-action-merge-dependabot@v2.1.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```</span></p>
  </div>

  </article>

  <div class="onebox-metadata">
    
    
  </div>

  <div style="clear: both"></div>
</aside>

[yondr-luka]

thanks to @yusukekuro, I found this option in the settings of my repo: Settings > Actions > General

But adding permissions to my .yml also worked, and I prefer it this way:

permissions:
  deployments: write
  contents: write
  statuses: write
  actions: write
  checks: read

Github permissions documentation

[nikk30-lilly]

the solution working for me