Misleading information about protected branches setup

[alekseik1]

Hi!
I recently tried to set up automated releases on GitHub Actions as prescribed in official manual. My master branch is protected: it is required that a commit passes CI checks before it can be merged into master.

My CI pipelines has been constantly failing for all times with error 'remote: error: GH006: Protected branch update failed for refs/heads/master. I created a personal access token with admin rights (it was actually my account PAT), saved to repo's secrets and passed it to GH action:

with:
        github_token: ${{ secrets.ADMIN_GITHUB_TOKEN }}

but it did not work. Also, I found another issue here #274 addressing almost the same problem but proposed solution did not work out as well.

After some experiments I found out that an admin token should be also passed to actions/checkout@v2 for it to have push access (action homepage). So my final pipeline looks as follows:

name: build and deploy

on:
  push:
    branches:
      - 'master'

jobs:
  release:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
        token: ${{ secrets.ADMIN_GITHUB_TOKEN }}

    - name: Python Semantic Release
      uses: relekang/python-semantic-release@master
      with:
        github_token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
        pypi_token: ${{ secrets.PYPI_API_TOKEN }}

This version works as expected: creates version commit with changelog if necessary, then pushes it to github, creates release on both GitHub and PyPi (the latter can be disabled in settings though).

I think it should be mentioned in docs that a personal access token should be passed to checkout action as well.

Thanks in advance.

[jenstroeger]

@alekseik1 have you experimented with the Admin scope settings for your PAT, and which scope it is that needs to be enabled? Looks like the admin:repo_hook repo scope is what we want.

We should probably document that scope as well…

[jenstroeger]

Following up on my comment above, here’s what seems to work:

• Create a new PAT (docs) with the repo scope
• In the private repository Settings, under Secrets → Actions create a new repository secret (docs) with name RELEASE_TOKEN and its value the PAT
• In the Action YAML use secrets.RELEASE_TOKEN as shown in @alekseik1 example above (which uses secrets.ADMIN_GITHUB_TOKEN)

[alekseik1]

@jenstroeger nope, I did not try any of PATs. Thanks for investigating it, never thought a PAT token would do the trick.
Either way, it would be nice for these two solutions (token in checkout stage or PAT) to be documented

[jenstroeger]

@alekseik1 I created a personal access token with admin rights (it was actually my account PAT) […]

After some experiments I found out that an admin token should be also passed to actions/checkout@v2 for it to have push access […]

I assumed by “token” you meant a personal access token (PAT) with admin permissions? Did I misunderstand something?

Either way, it would be nice for these two solutions (token in checkout stage or PAT) to be documented

The PAT I created I also added to the checkout step.