Github App does not have access to enable auto-merge

[timc13]

Select Topic Area

Question

Body

I'm trying to setup a workflow that create a PR and enable auto-merge on it. I've followed the steps laid out here, but for my own bot (not dependabot). This bot does have content: write & pull-requests: write permissions.

The error I get is
GraphQL: ["Pull request User is not authorized for this protected branch"] (enablePullRequestAutoMerge)

[szaffarano]

I get the same error using the following workflow:

name: Dependabot auto-merge

on: pull_request

permissions:
  pull-requests: write
  contents: write
  issues: write
  repository-projects: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:

    - run: |
        gh pr review --approve "$PR_URL"
        gh pr edit --add-label "automerge" "$PR_URL"
        gh pr merge --auto --squash "$PR_URL"
      env:
        PR_URL: ${{ github.event.pull_request.html_url }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

I also tried permissions: write-all with the same outcome: GraphQL: Pull request User is not authorized for this protected branch (enablePullRequestAutoMerge)

The PR is approved and tagged, but the last sentence, gh pr merge --auto --squash "$PR_URL" fails. Using a PAT with the same permissions works as expected:

Any clue what is wrong?

Thanks

[unicornware]

is auto-merge enabled in your repo?

if i remember correctly, i had to allow auto-merge before using gh pr edit --auto

[szaffarano]

Hi @unicornware
Yes, it is enabled. The workflow works as expected when I use a PAT with the permissions listed above, but it doesn't work using the GITHUB_TOKEN.

[unicornware]

gotcha, what do your branch protection settings look like?

[szaffarano]

Hi @unicornware
Here it's a screenshot with the branch protection settings. We only have one rule for main. Also, remember that by using a PAT token with only read access to metadata and r/w access to code, issues, and pull requests, the workflow works.

Thanks

[FarhaKousar1601]

The error message you're encountering is "GraphQL: ['Pull request: User is not authorized for this protected branch'] (enablePullRequestAutoMerge)," indicates that your GitHub app does not have the necessary permissions to enable auto-merge on a pull request.

To resolve this issue, you'll need to ensure that your GitHub app has the required permissions to perform this action. Here are the steps you can take:

1. Check App Permissions: Make sure that your GitHub app has the necessary permissions to enable auto-merge on pull requests. You mentioned that your bot has "content: write" and "pull-requests: write" permissions, but enabling auto-merge on a protected branch might require additional permissions. You should review your GitHub app settings and ensure it has the required permissions.

2. Protected Branch Settings: Verify the protected branch settings for the repository where you are trying to enable auto-merge. Ensure that your bot has the appropriate permissions to make changes to protected branches. This can be configured in the repository's settings under "Branches" or "Settings."

3. Webhook Payload: Double-check your workflow configuration to ensure that it is correctly setting up the pull request and attempting to enable auto-merge on the right branch. Ensure that your workflow is using the correct token or credentials associated with your GitHub app.

4. Webhook Events: Confirm that your GitHub app is subscribed to the necessary webhook events. Enabling auto-merge may require the "pull_request" event or similar events to be included in your GitHub App's subscription.

5. Testing in a Safe Environment: Consider testing your workflow in a safe or test repository to ensure that the permissions and configuration are correct before applying it to your production repository.

If you've already verified the above and are still facing issues, you might want to reach out to GitHub Support for further assistance, as they can provide more specific guidance based on your GitHub app's configuration and the repository settings. Additionally, ensure that your GitHub app is correctly authenticated and authorized when making API calls to enable auto-merge on pull requests. #67124

[szaffarano]

Hi @FarhaKousar1601 , thanks for your reply

Check App Permissions: Make sure that your GitHub app has the necessary permissions to enable auto-merge on pull requests. You mentioned that your bot has "content: write" and "pull-requests: write" permissions, but enabling auto-merge on a protected branch might require additional permissions. You should review your GitHub app settings and ensure it has the required permissions.

I tried even setting permissions: write-all (please check the first image I attached in my question showing all the permissions the bot had.

Protected Branch Settings: Verify the protected branch settings for the repository where you are trying to enable auto-merge. Ensure that your bot has the appropriate permissions to make changes to protected branches. This can be configured in the repository's settings under "Branches" or "Settings."

I'm not sure how to verify it. In a previous answer, I attached the settings in our main branch (the only one protected).

Webhook Payload: Double-check your workflow configuration to ensure that it is correctly setting up the pull request and attempting to enable auto-merge on the right branch. Ensure that your workflow is using the correct token or credentials associated with your GitHub app.

Same answer here as in the first question, the logs show that the user has the proper permissions and I even tried setting write-all permissions. Regarding the workflow configuration, it's the same config as the GH docs.

Webhook Events: Confirm that your GitHub app is subscribed to the necessary webhook events. Enabling auto-merge may require the "pull_request" event or similar events to be included in your GitHub App's subscription.

you mean, on: pull_request?

[szaffarano]

Testing in a Safe Environment: Consider testing your workflow in a safe or test repository to ensure that the permissions and configuration are correct before applying it to your production repository.

I tried the same workflow in a public repo and it worked! The only difference I found (besides some small changes because the repo having issues belongs to an organization and is using an enterprise account) is regarding the default branch, main instead of master. Other than that, both repos have the same configurations.

Any clue?

Thanks

[szaffarano]

The problematic option (now it's obvious.. 🥲 ) was Restrict who can push to matching branches

Is there any way to include dependabot in this list?

Thanks everyone for your help!

[ro3t]

The problematic option (now it's obvious.. 🥲 ) was Restrict who can push to matching branches

Is there any way to include dependabot in this list?

Thanks everyone for your help!

same question here

[smnieves-cbg]

The problematic option (now it's obvious.. 🥲 ) was Restrict who can push to matching branches
Is there any way to include dependabot in this list?
Thanks everyone for your help!

same question here

Has this been addressed yet?