How to push to protected main branches in a GitHub Action?

This is my GitHub Actions workflow.

name: Release

on:
  push:
    branches:
      - main

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false
      - name: Setup java
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Setup node
        uses: actions/setup-node@v1
        with:
          node-version: "14.x"
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build package
        run: npm run build --if-present
      - name: Semantic release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          HUSKY: 0
        run: chmod +x script/prepare-release.sh && npx semantic-release

However, my workflow fails with the following error log.

[semantic-release] › ✖  An error occurred while running semantic-release: Error: Command failed with exit code 1: git push --tags https://x-access-token:[secure]@github.com/didrlgus/convention-template.git HEAD:main
remote: error: GH006: Protected branch update failed for refs/heads/main.        
remote: error: At least 1 approving review is required by reviewers with write access.      

Maybe it's because my main branch is a protected branch.
How can I push to a protected branch from a GitHub Action?

Wade asked Sep 03 '25 07:09


2 Answers

There is a workaround. Steps as follows:

  1. Create a new GitHub user, e.g. my-org-bot

  2. Generate a Personal Access Token for this user at https://github.com/settings/tokens and save it somewhere (select the repo scope for the token)

  3. Go to your repo and add my-org-bot to contributors

  4. Open your branch protection rules and add my-org-bot to the rule below: [screenshot]

  5. Go to repository secrets and add a new secret for Actions with the key BOT_ACCESS_TOKEN and the value set to the Personal Access Token generated previously

  6. Modify your GH workflow Checkout step as below: [screenshot]

Now your workflow should be able to push directly to your protected branch on behalf of the my-org-bot user.

Qwal answered Sep 05 '25 00:09
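As an added example (not part of Qwal's answer or the asker's repository), here is the question's Release workflow adapted to the bot-account approach above. It assumes the repository Actions secret is named BOT_ACCESS_TOKEN as in step 5; the `token` input of actions/checkout and semantic-release's use of the GITHUB_TOKEN environment variable are real. The token goes to two places: to checkout, so that any later `git push` in the job authenticates as the bot, and to the semantic-release step, because the command that failed with GH006 in the question is semantic-release's own `git push --tags`, which is built from whatever GITHUB_TOKEN holds. Since this token is what lets the job skip the required review, keep it limited to the repo scope, store it only as an Actions secret, and expect the resulting pushes and releases to be attributed to my-org-bot rather than github-actions, which is what makes pushes to main by any other identity stand out when you review the audit log.

```yaml
# Added example: the question's Release workflow, changed to push as the
# bot user from the answer above. Assumes an Actions secret BOT_ACCESS_TOKEN
# holding the bot's Personal Access Token (step 5).
name: Release

on:
  push:
    branches:
      - main

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # Clone as the bot; the stored remote credential is then the bot's
          # PAT, so a plain `git push` in a later step also runs as the bot.
          token: ${{ secrets.BOT_ACCESS_TOKEN }}
          # The question set this to false; true (the default) is needed if
          # any later step pushes with git directly.
          persist-credentials: true
      - name: Setup java
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Setup node
        uses: actions/setup-node@v1
        with:
          node-version: "14.x"
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build package
        run: npm run build --if-present
      - name: Semantic release
        env:
          # semantic-release reads GITHUB_TOKEN both for its `git push --tags`
          # (the command that hit GH006 in the question) and for creating the
          # GitHub release, so it must get the bot's token, not the
          # workflow's own secrets.GITHUB_TOKEN.
          GITHUB_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          HUSKY: 0
        run: chmod +x script/prepare-release.sh && npx semantic-release
```

The only lines that differ from the question's workflow are the two secret references and `persist-credentials`; everything else is kept so the diff against the failing version is obvious.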


Just found that you can use GitHub deploy keys:

  1. Generate an SSH key pair: ssh-keygen -t ed25519. No need for a passphrase etc.

  2. Add the public key (the .pub one) as a deploy key at Your repo -> Settings -> Security -> Deploy keys and check "Allow write access".

  3. Add the private key as a secret at Your repo -> Settings -> Security -> Secrets and variables -> Actions.

  4. Specify your secret key when checking out the repo:

    - name: Checkout
      uses: actions/[email protected]
      with:
        ssh-key: ${{secrets.YOUR_SECRET_KEY}}
    

Such a deploy key is not tied to any account, but gives full write access, including bypassing branch protection rules:

Deploy keys with write access can perform the same actions as an organization member with admin access, or a collaborator on a personal repository.

YaaZ answered Sep 04 '25 23:09
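The answer above shows only the checkout step. As an added example (not from YaaZ's answer), the following workflow carries the deploy-key approach through to the push itself: it regenerates a file, commits it, and pushes the commit to the protected main branch. The secret name DEPLOY_KEY, the file LAST_RELEASE_CHECK and the committer identity release-bot are assumptions made for this example. Two practical points the answer does not spell out: pushes made with a deploy key do trigger `on: push` workflows (pushes made with the workflow's GITHUB_TOKEN do not), so a self-committing workflow needs a loop guard such as `[skip ci]`; and because a deploy key is not tied to any account, the only attribution you get is the git author you configure and the key's comment, so make both distinctive enough to find in the history and in the repository's deploy-key list.

```yaml
# Added example (not from the answer): commit a generated file back to the
# protected main branch using a write-enabled deploy key.
# Assumes the private key is stored as the Actions secret DEPLOY_KEY and the
# public half is registered as a repo deploy key with "Allow write access".
#
# Key generation, as in step 1 of the answer, with no passphrase and an
# explicit output path so no key from your own workstation is reused:
#   ssh-keygen -t ed25519 -N "" -C "release-bot deploy key" -f ./release_deploy_key
#   # ./release_deploy_key     -> Actions secret DEPLOY_KEY
#   # ./release_deploy_key.pub -> Settings -> Deploy keys, write access
name: Update generated file

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout with deploy key
        uses: actions/checkout@v4
        with:
          # checkout switches the origin remote to SSH and points
          # GIT_SSH_COMMAND at this key; both stay in place for later
          # steps because persist-credentials defaults to true.
          ssh-key: ${{ secrets.DEPLOY_KEY }}

      - name: Regenerate file
        # Constructed placeholder for whatever the build produces.
        run: date -u +%Y-%m-%dT%H:%M:%SZ > LAST_RELEASE_CHECK

      - name: Commit and push to main
        run: |
          # A deploy key has no account, so this identity is the only
          # attribution the commit will carry.
          git config user.name "release-bot"
          git config user.email "release-bot@users.noreply.github.com"
          git add LAST_RELEASE_CHECK
          # `git commit` fails on an empty staging area; exit cleanly instead.
          if git diff --cached --quiet; then
            echo "nothing to commit"
            exit 0
          fi
          # Deploy-key pushes retrigger this workflow; [skip ci] stops the loop.
          git commit -m "chore: update LAST_RELEASE_CHECK [skip ci]"
          # Succeeds despite the required-review rule because write-enabled
          # deploy keys act like repository admins (see the quote above).
          git push origin HEAD:main
```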