I have two GitHub Actions in the same repo. I'm trying to update one from the other, but I get the following error when trying to commit and push the changes:
! [remote rejected] HEAD -> some-branch (refusing to allow a GitHub App to create or update workflow .github/workflows/the-other-action.yml without workflows permission)
This is a simplified version of the GH Action I'm trying to run:
name: my-action
on:
  workflow_dispatch:
  schedule:
    - cron: "0 9 * * *"
jobs:
  components:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v2
      - name: Update the other Action
        run: |
          # Do something to .github/workflows/the-other-action.yaml here
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v3
        with:
            token: ${{ secrets.GITHUB_TOKEN }}
            branch: some-branch
            commit-message: Updated stuff
I'm trying to figure out how to give the workflows permission to the GITHUB_TOKEN, but I'm not sure how.
(For context: I'm running this action once per day to check if a new version of a tool used in the other action has been released. If so, it creates a PR updating the other action to use the newer version instead)
You need to use a Personal Access Token with workflows permission here, instead of the GITHUB_TOKEN, which has a defined scope.
Actually, this just changed (Sept. 8th, 2022) with:
GitHub Actions: Use the GITHUB_TOKEN with workflow_dispatch and repository_dispatch

Customers will now be able to use the GITHUB_TOKEN with workflow_dispatch and repository_dispatch events to trigger workflows.

Prior to this change, events triggered by GITHUB_TOKEN would not create a new workflow run. This was done to prevent the accidental trigger of endless workflows.

This update makes an exception for workflow_dispatch and repository_dispatch events since they are explicit calls made by the customer and not likely to end up in a loop.

name: Create Workflow Dispatch
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger Workflow
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'test.yml',
              ref: 'main',
            })

For more details see Triggering a workflow from a workflow.
So GITHUB_TOKEN might now work.
In the context of the OP's question: the primary task here is to modify a workflow file from within another workflow.
The recent GitHub change that I mention above allows for triggering workflows with the GITHUB_TOKEN, but it does not explicitly mention whether the token can be used to push changes to workflow files directly. That ability would solve the original issue.
You will still need to modify your workflow to commit and push the changes to the workflow file. The step in the action where you are trying to update the workflow file would look something like this:
- name: Update the other Action
  run: |
    # Do something to .github/workflows/the-other-action.yaml here
    git config --local user.email "[email protected]"
    git config --local user.name "GitHub Action"
    git add .github/workflows/the-other-action.yaml
    git commit -m "Update the other Action"
    git push
You need to use a token that has the necessary permissions to push the changes, and you can test it with the updated abilities of the GITHUB_TOKEN.
With the peter-evans/create-pull-request@v3 action, that would be:
- name: Create Pull Request
  uses: peter-evans/create-pull-request@v3
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    branch: some-branch
    commit-message: Updated stuff
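The first answer's fix applied to the workflow from the question, as an added example rather than code from either poster: the pull request step authenticates with a personal access token stored in a repository secret, and the job's automatic GITHUB_TOKEN is cut down to read-only. The secret name WORKFLOW_PAT is an assumption; the token needs the classic `workflow` scope or, for a fine-grained token, read and write access to Contents, Pull requests and Workflows on this repository.

```yaml
name: my-action
on:
  workflow_dispatch:
  schedule:
    - cron: "0 9 * * *"

# The automatic GITHUB_TOKEN is only needed for the checkout here,
# so restrict it to read access; the PAT below does the push and the PR.
permissions:
  contents: read

jobs:
  components:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v2
      - name: Update the other Action
        run: |
          # Do something to .github/workflows/the-other-action.yaml here
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v3
        with:
          # WORKFLOW_PAT is an assumed secret name holding the PAT.
          # Unlike GITHUB_TOKEN, it is allowed to push changes under
          # .github/workflows/.
          token: ${{ secrets.WORKFLOW_PAT }}
          branch: some-branch
          commit-message: Updated stuff
```

A token with this permission can rewrite any workflow in the repository, so limit a fine-grained token to this one repository and give it an expiry date.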