force-push performed with github-actions bot's token

[menny]

Force-push was done with a different token than provided

The workflow file that created the PR: https://github.com/AnySoftKeyboard/AnySoftKeyboard/blob/master/.github/workflows/localization_update.yml
I'm using a personal token for the user https://github.com/anysoftkeyboard-bot

The PR and commit were created with the right user. And PR checks ran.

Later, the workflow ran again and this time github-actions force-pushed.

AnySoftKeyboard/AnySoftKeyboard#2057

[peter-evans]

@menny Thanks for reporting this issue. I think the reason for this is that v2 of checkout now preserves authentication for later use. If you don't provide a token it uses the default GITHUB_TOKEN. So it might be using that preserved token to push instead of the token set by the action. If this is case, I will investigate how to fix this so that the token passed to the action overrides the one set at checkout.

You can try adding your PAT to checkout as a workaround.

      - uses: actions/checkout@v2
        with:
          token: ${{ secrets.BOT_MASTER_RW_GITHUB_TOKEN }}

[menny]

nice :)
will try and let you know.

[peter-evans]

@menny I've now fixed this with the latest release so that you don't need to add your PAT to actions/checkout. The action should now correctly use the passed token to push.

[peter-evans]

@menny Going to close this issue now because I'm fairly confident that it's fixed. Please let me know if you see any further issues.