refusing to allow a GitHub App to create or update workflow

Question

I have a GitHub action that uses :

github_token: ${{ secrets.GITHUB_TOKEN }}

When I run it I get:

  ! [remote rejected]     tmp_upstream/master -> master (refusing to allow a GitHub App to create or update workflow `.github/workflows/build-images-workflow-run.yml` without `workflows` permission)
error: failed to push some refs to '***github.com/myname/repo'

https://docs.github.com/en/actions/reference/authentication-in-a-workflow explains that

GitHub automatically creates a GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in a workflow run.

But I used the workflow and it didn't seem to create the token. I went to create a personal token and then tried to save it with the name GITHUB_TOKEN but it says that the name is invalid. How can I solve this?

Answer 1

In order to modify a workflow, a GitHub App, such as the one used for issuing tokens for GitHub Actions, requires the workflow scope. This is so that GitHub Apps you've added to your repository can't access the secrets in your repository without your permission. The token issued for GitHub Actions doesn't have this permission by default.

If you don't need to modify the workflow files, then you can just avoid modifying them and this will go away. If you do need to modify them, you can create an appropriately scoped PAT and store it under a name that doesn't start with GITHUB, say WORKFLOW_TOKEN. You can then adjust your action to say this:

github_token: ${{ secrets.WORKFLOW_TOKEN }}