workflows permission requested on tag creation #1421

Open
nenad-kosanovic-tam opened this issue Aug 2, 2023 · 6 comments

@nenad-kosanovic-tam

nenad-kosanovic-tam commented Aug 2, 2023

When we allow parallel execution of a workflow that is activated on a branch push event, and the branch that triggered the workflow contains changes to any workflow YAML file stored in the /.github/workflows directory of the code base, the push tag action fails with the error:

! [remote rejected] v0.0.3-106.1 -> v0.0.3-106.1 (refusing to allow a GitHub App to create or update workflow `.github/workflows/continuous-master.yaml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/[REPO_NAME]

Here is a simple repository with a workflow that reproduces the issue: https://github.com/nenad-kosanovic-tam/update-workflow-tag-action-flat/tree/master

Initially this issue was reported to GitHub Support, from where we were redirected here.

Hi Nenad,

Thank you for the follow-up!

I did more testing with this scenario using your examples, and I was able to reproduce this behavior pretty consistently.

It looks to be specific to multiple runs executing close in time from what I noticed - where the HEAD of the branch keeps changing in a short time. If 5 runs were triggered all within half a minute, only the first and last ones succeed while the rest fail with the same permission issue you saw.

I'm not fully certain on the cause, but actions/checkout must be a focus point since this is responsible for fetching the repository that is used when pushing the tag back to the remote.

For now, a workaround would be to specify a PAT including the workflows scope to actions/checkout. Going forward, I think it would be best for you to share your use case in an issue on the actions/checkout repository, so the action maintainers can better troubleshoot what may be different in both the working and non-working scenarios - to see what the difference is in what is attempting to be pushed up through the tag.

Does this sound like a reasonable next step? Please let me know if you have any questions or concerns!

Best,

Arthur
GitHub Support
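
The workaround named in the support reply above, written out as a workflow. This is an added example, not the reporter's workflow or code from actions/checkout; the secret name `TAG_PUSH_PAT`, the workflow name and the tag scheme are assumptions.

```yaml
# Added example. TAG_PUSH_PAT is a hypothetical repository secret holding a
# personal access token that includes the workflows scope.
name: tag-on-push
on:
  push:
    branches: [master]

# Keep the built-in GITHUB_TOKEN read-only; only the PAT is used for the push.
permissions:
  contents: read

jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Without this input, checkout configures git with the GitHub App
          # token, which the remote refused in the error quoted above.
          token: ${{ secrets.TAG_PUSH_PAT }}
          fetch-depth: 0
      - name: Create and push tag
        run: |
          # Constructed tag scheme for illustration only.
          TAG="v0.0.0-${GITHUB_RUN_NUMBER}.${GITHUB_RUN_ATTEMPT}"
          git tag "$TAG"
          git push origin "$TAG"
```

A token with the workflows scope can also change workflow files, so restrict it to this one repository and expose it only to the job that pushes the tag.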

@loganmauzaize-finalcad

No update after close to one year?

@natwallbank

natwallbank commented Nov 15, 2024

I've encountered this same issue, and see lots of references to it with no obvious solution. Issues that relate to it seem to remain without reply.

My scenario is that I have a workflow that contains the following jobs:

  1. Deploy to UAT
  2. Deploy to Production (executes on completion of first step)

My production environment is protected, so requires approval. If any commits are made to main in the intervening period between (1) and (2) executing, then (2) fails at the point it tries to push a new tag:

! [remote rejected] 0.5.4 -> 0.5.4 (refusing to allow a GitHub App to create or update workflow `.github/workflows/get_version.yml` without `workflows` permission)

@carlcsaposs-canonical

I believe this might be the root cause: https://github.com/orgs/community/discussions/151442

@loganmauzaize-finalcad

> I believe this might be the root cause: https://github.com/orgs/community/discussions/151442

I note you fall into a case similar to ours. You are force-pushing. After I removed this, everything was fine for us.

@carlcsaposs-canonical

carlcsaposs-canonical commented Feb 14, 2025

> I note you fall into a case similar to ours. You are force-pushing. After I removed this, everything was fine for us.

We are able to reproduce the issue without force push—thank you though
