workflows permission requested on tag creation

[nenad-kosanovic-tam]

When we allow parallel execution of a workflow, which is activated on branch push event, and branch that triggered workflow contains changes related to any workflow yaml file stored in /.github/workflows code base directory, push tag action fails with error:

! [remote rejected] v0.0.3-106.1 -> v0.0.3-106.1 (refusing to allow a GitHub App to create or update workflow.github/workflows/continuous-master.yamlwithoutworkflows permission) error: failed to push some refs to 'https://github.com/[REPO_NAME]

Here is simple repository with workflow that reproduce the issue: https://github.com/nenad-kosanovic-tam/update-workflow-tag-action-flat/tree/master

Initially this issue is reported on gitHub support, from where we are redirected here.

Hi Nenad,

Thank you for the follow-up!

I did more testing with this scenario using your examples, and I was able to reproduce this behavior pretty consistently.

It looks to be specific to multiple runs executing close in time from what I noticed - where the HEAD of the branch keeps changing in a short time. If 5 runs were triggered all within half a minute, only the first and last ones succeed while the rest fail with the same permission issue you saw.

I'm not fully certain on the cause, but actions/checkout must be a focus point since this is responsible for fetching the repository that is used when pushing the tag back to the remote.

For now, a workaround would be to specify a PAT including the workflows scope to actions/checkout. Going forward, I think it would be best for you to share your use case in an issue on the actions/checkout repository, so the action maintainers can better troubleshoot what may be different in both the working and non-working scenarios - to see what the difference is in what is attempting to be pushed up through the tag.

Does this sound like a reasonable next step? Please let me know if you have any questions or concerns!

Best,

Arthur
GitHub Support

[loganmauzaize-finalcad]

No update after close to one year?

[natwallbank]

I've encountered this same issue, and see lots of references to it with no obvious solution. Issues that relate to it seem to remain without reply.

My scenario is that I have a workflow that contains the following jobs:

1. Deploy to UAT
2. Deploy to Production (executes on completion of first step)

My production environment is protected, so requires approval. If any commits are made to main in the intervening period between (1) and (2) executing, then (2) fails at the point it tries to push a new tag:

! [remote rejected] 0.5.4 -> 0.5.4 (refusing to allow a GitHub App to create or update workflow.github/workflows/get_version.ymlwithoutworkflows permission)

[carlcsaposs-canonical]

I believe this might be the root cause: https://github.com/orgs/community/discussions/151442

[loganmauzaize-finalcad]

I believe this might be the root cause: https://github.com/orgs/community/discussions/151442

I note you fall in case similar to our one. You are forcing push. After I removed this, everything was fine for us.

[carlcsaposs-canonical]

I note you fall in case similar to our one. You are forcing push. After I removed this, everything was fine for us.

We are able to reproduce the issue without force push—thank you though

[mrmontoya913]

GITHUB-202410-GitHubDataProtectionAgreement.pdf