"refusing to allow a bot to create or update workflow" when pushing tags on older commits

[bewuethr]

From within an action, I’m trying to modify tags to automate the versioning scheme recommended in the toolkit documentation: a “most recent major release” tag (such as v1) pointing at the most recent semantic versioning tag with the same major release, i.e., if I have tags v1.0.0, v1.0.1, v1.1.0, v1.2.0 and v1.2.1, then v1 should point to the same commit as v1.2.1. When I release v1.3.0, v1 should automatically be updated to point to what v1.3.0 points to.

To have access to all the tags, I check out the repository with all commits:

- name: 'Check out code'
      uses: 'actions/checkout@v2'
      with:
        fetch-depth: 0

The action runs a shell script in a Docker container, and I set the GITHUB_TOKEN in the environment:

- name: 'Update release tags for latest major and minor releases'
      uses: 'bewuethr/release-tracker-action@master'
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

According to the documentation for the checkout action, the auth token is persisted in the Git config, and indeed, I can do things like

git push --delete origin "$tag"

without problems.

However, after creating new tags, if any new tag doesn’t point to the most recent commit, I can’t push it and get an error message like this:

! [remote rejected] v0.1 -> v0.1 (refusing to allow a bot to create or update workflow `.github/workflows/releasetracker.yml`)

I’m trying to push nothing but the tags by using something like

git push origin "$tag1" "$tag2"

and definitely didn’t modify the workflow file.

From a shell script running in a docker action, how can I push my new tags pointing to older commits?

Things I’ve tried:

• Use the authentication token explicitly in the URL for the remote by setting it to https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY or just https://$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY
• Use SSH instead of HTTPS by setting the remote URL to git@github.com:$GITHUB_REPOSITORY
• Add .git to remote URL
• Push directly from a step in the job instead of from within the action with run: git push --tags
• Use branches instead of moving tags (see also this discussion)

I’ve seen other people doing similar things by using the GitHub API instead of Git commands (like in the Branch Cleanup Action, where a branch is deleted using an API call), but is that the only way? It does feel like a bug that my push is prevented with a reason that doesn’t seem to apply to my situation.

I also haven’t tried using a personal access token instead of GITHUB_TOKEN, because again, it feels like it shouldn’t be necessary.

---

As a side note, posts with similar problems in this forum such as Refusing to allow an integration to create or update seemed to have “refresh the token of your client” as the solution, but that doesn’t apply in my case.

[weide-zhou]

Hi @bewuethr ,

The error is due to that GITHUB_TOKEN is used to update the tag. Please create a personal access token as secrets instead. Please follow below items to fix your code:

1. In the workflow yaml, add ‘persist-credentials: false’ for ‘actions/checkout@v2’.

Use PAT for ‘bewuethr/release-tracker-action@master’.

Code sample as below:

jobs:
  release-tracking:
    runs-on: 'ubuntu-latest'
    steps:
    - name: 'Check out code'
      uses: 'actions/checkout@v2'
      with:
        fetch-depth: 0
        persist-credentials: false
    - name: 'Update release tags for latest major and minor releases'
      uses: '{org}/release-tracker-action@master'
      env:
        GITHUB_ACTOR: username
        TOKEN: ${{ secrets.PAT }}

2. In the ‘tagupdater’ file, set remote url.

   git remote set-url --push origin “https://$GITHUB_ACTOR:$TOKEN@github.com/$GITHUB_REPOSITORY”

tagpush.png817×296 17.2 KB

But there is a limitation that a new workflow is triggered again since PAT update the tag, and the workflow will fail.

Probably api call can work better.

Thanks.

[bewuethr]

Thanks, I half suspected I’d have to do it like that. I was mostly confused because some things such as deleting tags worked, and the error message “refusing to allow a bot to create or update workflow” is implying that I’m trying to do something with my worfklow, but I wasn’t.

[antonosmond]

I hit the same problem. I'm trying to force push tags from a github action and get the same error about updating the workflow which I'm definitely not trying to do.
@bewuethr don't suppose you found a nicer solution than the one recommended here did you?

[bewuethr]

I have since switched the action to a composite step action instead of using docker, but more importantly, I use the GitHub API to create the tag instead of pushing it using git:

# Create an annotated tag
createannotatedtag() {
	local tag=$1
	local semvertag=$2


	# Find SHA of object tag points to
	local sha
	sha=$(getparentsha "$semvertag")


	# Create tag object
	echo "Creating tag object for $tag..."
	local tagsha
	tagsha=$(gh api 'repos/{owner}/{repo}/git/tags' \
		--raw-field "tag=$tag" \
		--raw-field "message=latest release in $tag" \
		--raw-field "object=$sha" \
		--raw-field "type=commit" \
		--jq '.sha')


	# Create tag reference
	echo "Creating tag reference..."
	gh api 'repos/{owner}/{repo}/git/refs' \
		--raw-field "ref=refs/tags/$tag" \
		--raw-field "sha=$tagsha" \
		| jq .
}

See the code here. This works without requiring a personal access token; if you default your actions to read only, you have to explicitly add contents: write permissions to the workflow (see docs).