Pushing to PR protected branch with token obtained from this action

[faileon]

Hello everyone,
I have created a custom GithubApp to which I gave permission to bypass branch protection rules (Allow specified actors to bypass required pull requests).

I have a workflow setup like this:

name: release

on: workflow_dispatch

jobs:
    release:
        runs-on: ubuntu-latest
        environment: production
        steps:
            - uses: actions/checkout@v3
              with:
                  fetch-depth: 0
                  ref: master
            - name: Use Node.js
              uses: actions/setup-node@v3
              with:
                  node-version: 18.10.0
            - name: Setup Git
              run: |
                  git config user.name "DWA Bot"
                  git config user.email "[email protected]"
            - name: DWA-bot auth
              id: dwa-bot
              uses: actions/create-github-app-token@v1
              with:
                  app-id: ${{ secrets.DWA_BOT_APP_ID }}
                  private-key: ${{ secrets.DWA_BOT_PRIVATE_KEY }}
            - name: Log in to Docker Hub
              uses: docker/login-action@v3
              with:
                  username: ${{ secrets.DOCKER_USERNAME }}
                  password: ${{ secrets.DOCKER_PASSWORD }}
            - run: npm ci
            - name: Version
              shell: bash
              run: npx nx affected --base=last-release --target=version --parallel=1
              env:
                  GITHUB_TOKEN: ${{ steps.dwa-bot.outputs.token }}
                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
                  PKG_GITHUB_TOKEN: ${{ secrets.PKG_GITHUB_TOKEN }}
            - name: Tag last-release
              shell: bash
              run: |
                  git tag -f last-release
            - name: Push changes
              uses: ad-m/github-push-action@master
              with:
                  github_token: ${{ steps.dwa-bot.outputs.token }}
                  branch: master
            - name: Push tags
              uses: ad-m/github-push-action@master
              with:
                  github_token: ${{ steps.dwa-bot.outputs.token }}
                  branch: master
                  force: true
                  tags: true

However the workflow still fails with the following erro:
remote: error: Changes must be made through a pull request.

Output from the create-github-app-token action seems to be OK:
owner and repositories not set, creating token for the current repository ("dwa")

Anyone could please shed some light on what I might be doing wrong?

Thank you.

[gr2m]

I don't think it's a problem with our action.

Can you please try to set persist-credentials: false for the checkout step?

            - uses: actions/checkout@v3
              with:
                  fetch-depth: 0
                  ref: master
                  persist-credentials: false

[faileon]

Ah thank you so much, actions/checkout seems to indeed be the root cause of this issue.

After investigating further it seems that the checkout action persists the passed credentials by default and subsequent git commands will pick them up automatically... I did not expect that.

I believe your proposed solution works, I am also adding mine, which is to specify the token for the checkout action.

        steps:
            - name: DWA-bot auth
              id: dwa-bot
              uses: actions/create-github-app-token@v1
              with:
                  app-id: ${{ secrets.DWA_BOT_APP_ID }}
                  private-key: ${{ secrets.DWA_BOT_PRIVATE_KEY }}
            - uses: actions/checkout@v4
              with:
                  fetch-depth: 0
                  ref: master
                  token: ${{ steps.dwa-bot.outputs.token }}

This resolved the issue. Thanks again for the quick reply.

[Dogacel]

Thank you so much 🙇 I never realized checkout implicitly brought credentials.