-
Hello, I’m using Github Actions to auto approve and merge pull requests. I wasn’t able to allow github-actions[bot] to push to a protected branch using the settings page though, so I ended up using the REST API instead. Would it be possible to allow this using the settings page? or enable it by default? Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 39 comments 104 replies
-
If we enabled GitHub Actions to push to a protected branch then any collaborator in your repo could push any code to any branch they wanted simply by creating a branch and coding the workflow to push to to some other branch. Using the REST api to merge the PR is the right flow and overtime hopefully there will be actions that make that easier to implement. |
Beta Was this translation helpful? Give feedback.
-
Thanks! Do you know of any possible solution to allow auto-merging as part of a workflow? I think it’s a common issue. I’ve looked into automerge-action and it seems to suffer the same issue, the docs suggests using a pesonal access token but from my understaing it’s just as vulnerable. Could there be any way of maybe limiting GitHub Actions to merge/push to the branch that invoked the workflow? or scoping secrets by branch? or auto-merge outside of GitHub Actions once all check runs are done? |
Beta Was this translation helpful? Give feedback.
-
I found a partial solution to this, it allows you to have protected branches that require 1 approval and a green CI. See https://github.com/ridedott/dependabot-auto-merge-action. |
Beta Was this translation helpful? Give feedback.
-
The same thing applies for other bots. I don’t understand why you don’t allow the CodeOwner feature to prevent updating workflows, and then allow the github action bot to push to the same branch that triggered it. Right now practically I have to choose between protecting branches and using Github Actions on that branch. |
Beta Was this translation helpful? Give feedback.
-
This is kind of not a solution to the problem, it’s not necessarily true that any collaborator could do what you say, why should the workflow have the same permissions as an Action? The collaborator would also have to be able to control the specific Action and what it does, not the whole runner. Consider the following extremely common scenario:
If a malicious collaborator wanted to run arbitrary code through a commit, they would have to get this arbitrary code through the review process. It seems a bit paranoid to not create this feature based on the argument that a reviewer might make a stupid mistake, that is true regardless of whether the feature exists or not. What we need to make this last step above work is for Actions to have their own permission set (or a way to make an imported action get the permissions of an App? Or an App to work like an action?) With a small modification to @robozevel 's suggestion, it seems like a good solution. If there’s a way to do that already, I haven’t been able to find it, but would be more than happy to hear it! |
Beta Was this translation helpful? Give feedback.
-
I agree with this. @chrispat 's answer completely overlooks this common workflow and it would be great if there was a way to allow this to happen by allowing the GitHub token to have more fine-grained permissions. |
Beta Was this translation helpful? Give feedback.
-
@chrispat I have created a token with every scope and I still can’t publish from a GitHub action. Everything works fine locally using this token. What could possibly be going wrong? |
Beta Was this translation helpful? Give feedback.
-
hi… did you figure out why this happens? I have the same issue. |
Beta Was this translation helpful? Give feedback.
-
btw, I found a solution by reading the documentation of: cycjimmy/semantic-release-actionGitHub Action for Semantic Release. Contribute to cycjimmy/semantic-release-action development by creating an account on GitHub. it is important to either set the |
Beta Was this translation helpful? Give feedback.
-
Personal Access Tokens are an anti-pattern here. When that user moves teams or leaves the company the actions will begin to fail. The concept of a service account/user is the subject at hand here and it is not a new concept. The GITHUB_TOKEN used by Actions (a [THE] service) is how it authenticates with the repository service.Any traditional CI platform would allow you to assign specific roles and permissions to (one or many) service account as you would any user. The fact that Github doesn’t allow this is a short coming. If you are inclined to create an entire Github user, inviting it to your team, this may work, but is not an ideal solution. Aside from the extra $4/mo cost to have this (service) user, a downside is you are now adding to your attack surface area for security breaches. Lock that user down with MFA? Great, now who owns the one time password/mfa registration? You are left in the same spot the PAT problem up top. tldr; It’s absurd that the Github repository settings will not allow you to define how you want to trust it’s own internal service’s (Github Actions) token. |
Beta Was this translation helpful? Give feedback.
-
Is there still no option here that doesn’t require the anti-pattern of creating a bot user just to work around Github limitations? |
Beta Was this translation helpful? Give feedback.
-
@chrispat Could you please explain us what could go wrong with the workflow described by @mtesch-um, I sum-up: PR reviews enforced including for administrators? |
Beta Was this translation helpful? Give feedback.
-
@chrispat Now that this feature has merged, all we need is that GitHub Actions job runner could be selected for this Allow bypassing required pull requests | GitHub Changelog This can be secure if you always run the master branch version of the jobs, and you have CodeOwners on the |
Beta Was this translation helpful? Give feedback.
-
This still wouldn’t be secure as the GitHub Actions user isn’t branch specific. So adding it to this list would mean that anyone could push from any branch using a workflow and bypass all branch protection rules. In fact we are currently rolling out a change to prevent the GitHub Actions user from being included as a valid code reviewer for the required reviewers rule. At the moment I can’t think of any mechanism that could safely enable force pushing to a protected branch using code that is inside the repo. |
Beta Was this translation helpful? Give feedback.
-
Well at present, users are inserting personal access tokens to do what the GITHUB_TOKEN secret should. Even making it so that ONLY on the main branch the token can override protected branches would be a huge step forward. |
Beta Was this translation helpful? Give feedback.
-
Maybe I am just doing things wrong. I have a This leaves a weird situation where I have
I was hoping I could have a I am fine with anyone running the action whenever. I just want the Any tips? |
Beta Was this translation helpful? Give feedback.
-
Hey, really 5 years for this feature? For example in java there release plugin that need to commit release version, build, push to packages, increase version and commit again. Creation of token from admin account looks like a workaround. Especially that GitHub Actions is the native product of GitHub, it's not third party build system. |
Beta Was this translation helpful? Give feedback.
-
To anyone who need this we just had a contributor add a plugin to our automated release too https://www.npmjs.com/package/@auto-it/protected-branch It works like this. Once we have all the changes we want committed it:
Completely automated and you still have branch protection rules |
Beta Was this translation helpful? Give feedback.
-
There seems to be a possible solution https://github.blog/changelog/2022-08-18-bypass-branch-protections-with-a-new-permission/ |
Beta Was this translation helpful? Give feedback.
-
For anyone struggling with this I wanted to share my solution using a Personal Access Token (PAT) that I just got working with a popular library from NPM called release-it. My workflow is to create tags & releases in github that includes an update to a changelog by a manual run of an action on our protected main branch. Please note that this solution will need to be modified if you want the run to be triggered by a push to the branch otherwise you will create an infinite loop. The provided The special things I had trouble figuring out were
As mentioned in the other threads/comments the other trick was to add the user that owns the PAT in the setting of the protected branch name: Release Test
on:
workflow_dispatch:
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
persist-credentials: false
- name: git config
run: |
git config --global user.name "MyPATAccount"
git config --global user.email "MyPATAccount@example.com"
git remote set-url origin https://x-access-token/:${{ secrets.MY_PAT }}@github.com/${{ github.repository }}
- run: npm ci
- run: npm run release
env:
GITHUB_TOKEN: ${{ secrets.MY_PAT }} |
Beta Was this translation helpful? Give feedback.
-
Adding my ➕1️⃣ to this - the most secure solution definitely seems like a "allow actions to bypass rules but only for the calling branch". That would improve security over the PR or PAT approaches. We really could use this for automating manifest updates. |
Beta Was this translation helpful? Give feedback.
-
Are there any new workarounds currently on how to bypass branch protection with a gha bot. I have a separate account for a bot which uses a PAT and I want the bot to be able to commit to protected branches but I do not want users to abuse this by creating an action which uses the bot to commit to the same protected branches. |
Beta Was this translation helpful? Give feedback.
-
This workaround has worked for me, where i wanted to bypass branch protection rules to commit a new version in |
Beta Was this translation helpful? Give feedback.
-
While I know using PATs is a security risk, I came up with a solution that worked for an open source project that I contribute to where we have a need to auto bump versions on both repo PRs AND forked PRs when they merge to the main branch. Historically using a PAT with one workflow run would fail, as it runs in the context of the forked PR and does not have access to the repo secrets. In a nutshell, the solve utilizes two workflows:
I proofed it out and @itsalaidbacklife and I tested it to ensure it works, and then I implemented it in to the Cuttle app which solved a major problem for us and allows everything to be that much more automated. Hopefully it helps one of you, too. |
Beta Was this translation helpful? Give feedback.
-
In my company we came across the same issue and found a solution which works pretty good and does not require adding a PAT:
steps:
- uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.VERSION_BUMPER_APPID }}
private-key: ${{ secrets.VERSION_BUMPER_SECRET }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
I share with you an example release.yml with lerna as build tool: name: Publish Packages
on:
push:
branches:
- main
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: 'write'
packages: 'write'
actions: 'read'
steps:
- uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.VERSION_BUMPER_APPID }}
private-key: ${{ secrets.VERSION_BUMPER_SECRET }}
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # pulls all history and tags for Lerna to detect which packages changed
token: ${{ steps.app-token.outputs.token }}
# lerna can only add a commit if git user infos are set
- run: |
git config user.name github-actions
git config user.email github-actions@github.com
- name: Install Dependencies
run: npm ci
shell: bash
- name: publish
uses: actions/setup-node@v4
with:
node-version: 20
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: npx lerna publish --force-publish --yes
Hope this helps :) |
Beta Was this translation helpful? Give feedback.
-
My use case is like this. After someone merge PR to I was using branch protection rules with required pull request before merge, one review approval, some PR checks required etc. Probably anyone figured out that My first attempt to fix this was like this:
Aaaaand... of course it still failed to push to
I was about to do this ugly brute force fix and add Some time ago when I checked what it is, it looked almost exactly as branch protection rules just with different UI. I did not bother with this because I thought there is no real benefit to use those. But there was this one difference I noted. Based on what I saw in ruleset interface you could set some apps or teams to be able to bypass almost all parts of ruleset (not just PR requirements). So my next step was:
And now it works.
It is a PITA that we cannot use Github Action for pushing to protected branch but now at least I found some workaround. //EDIT Reading all the answers here it would probably be better to use custom Github app with rulesets instead of PAT with rulesets. // EDIT 2 Seems like this change works fine for bot user but blocked other devs from actually merging. After some struggle I figured out that
Now |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
The cleanest way I have found is to have GHA to actually open a PR and merge that PR, as outlined in @chrispat's answer. It's very easy with the I had to give permissions to create and merge PRs to GitHub Actions in the repo's settings. |
Beta Was this translation helpful? Give feedback.
-
I think @ushuz's comment is the best solution so far and deserves to be highlighted: Deploy keys can be added to rulesets' Bypass list! So this is what worked for me:
I've created a repo that that tests this setup here: https://github.com/sbellone/release-workflow-example |
Beta Was this translation helpful? Give feedback.
If we enabled GitHub Actions to push to a protected branch then any collaborator in your repo could push any code to any branch they wanted simply by creating a branch and coding the workflow to push to to some other branch. Using the REST api to merge the PR is the right flow and overtime hopefully there will be actions that make that easier to implement.