Tagging previous commit from action fails incorrectly if HEAD modified workflow

[jerrosenberg]

Select Topic Area

Bug

Body

See public example here.

For history's sake.. the repo contains a tag workflow that accepts a ref input, finds the most recent semver tag prior to that ref, bumps the patch, tags the ref with the new version, and pushes the tag:

name: Tag

on:
  workflow_dispatch:
    inputs:
      ref:
        type: string

jobs:

  tag:
    runs-on: ubuntu-latest
    permissions:
      contents: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
          fetch-depth: 0
          fetch-tags: true
          filter: tree:0

      - name: Get latest semver tag
        id: get-latest-tag
        run: |
          latest_tag=$(git describe --abbrev=0 --match 'v[0-9]*.[0-9]*.[0-9]*' 2>/dev/null) || latest_tag=v0.0.0
          echo "tag=$latest_tag" >> "$GITHUB_OUTPUT"

      - name: Bump version
        uses: actions-ecosystem/action-bump-semver@v1
        id: bump-semver
        with:
          current_version: ${{ steps.get-latest-tag.outputs.tag }}
          level: patch

      - name: Push new tag
        run: |
          tag=${{ steps.bump-semver.outputs.new_version }}

          git config user.name "${GITHUB_ACTOR}"
          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"

          git tag -a "${tag}" -m ''
          git push origin "${tag}"

The repo contains 5 commits:

1. Add the workflow
2. Add a file
3. Add another file
4. Add yet another file
5. Update the workflow

Commit 2 is tagged v1.0.0
Commit 4 is tagged v2.0.0

Running the tag workflow for Commit 3 (ref: 6f61ddc16c2d3ab2e82f3c795f3c2b5ce3360489) failed with:

! [remote rejected] v1.0.1 -> v1.0.1 (refusing to allow a GitHub App to create or update workflow .github/workflows/tag.yml without workflows permission)

First notice that the commit 6f61ddc16c2d3ab2e82f3c795f3c2b5ce3360489 does not change the workflow like the error alleges.

I then create and push a branch on that ref called test-branch.

Note the second run is still passing the commit ref 6f61ddc16c2d3ab2e82f3c795f3c2b5ce3360489. The only difference is a branch exists pointing to that commit. This run succeeds and pushes the tag for that commit.

I also created a second public repo here.. This one is formed the same way except it's missing the HEAD commit that modifies the workflow name (Commit 5). The one and only action run for Commit 3 (ref: d45305ad078c0c7d23c8aa0a7e2b8bc316106108) succeeds the first time, even without a branch pointing to it.

The fact that the workflow is updated in the HEAD commit seems to be tripping up whatever workflow permission check GHA has going on. As for why creating a branch pointing to the commit allows it to pass the check, I have no idea.

I have found some other issues citing the error, but all the ones I could find discovered they were in fact modifying the workflow after all. I found another issue here #26164 citing what seems to be a previous version of the error message refusing to allow a bot to create or update workflow but the author seems to have worked around it. I saw references that this type of workflow would require a PAT, but this seems to be outdated advice and anyway doesn't explain why it works in 2 out of the 3 cases above despite not using a PAT.

Any ideas? Looks like a bug.

[natwallbank]

I've just encountered this same issue. I created a GitHub actions workflow that:

1. Deploys to a staging environment
2. Deploys to the production environment

There's an approval step on (2) though, so the workflow can sit there for a little while. If I separately push commits that contain changes to workflow files in the intervening period then I see this same error when I then approve the deployment and the workflow continues. It fails at the point that it tries to push a new tag.

! [remote rejected] 0.5.4 -> 0.5.4 (refusing to allow a GitHub App to create or update workflow.github/workflows/get_version.ymlwithoutworkflows permission)