Github App does not have access to enable auto-merge

[timc13]

Select Topic Area

Question

Body

I'm trying to setup a workflow that create a PR and enable auto-merge on it. I've followed the steps laid out here, but for my own bot (not dependabot). This bot does have content: write & pull-requests: write permissions.

The error I get is
GraphQL: ["Pull request User is not authorized for this protected branch"] (enablePullRequestAutoMerge)

[szaffarano]

I get the same error using the following workflow:

name: Dependabot auto-merge

on: pull_request

permissions:
  pull-requests: write
  contents: write
  issues: write
  repository-projects: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:

    - run: |
        gh pr review --approve "$PR_URL"
        gh pr edit --add-label "automerge" "$PR_URL"
        gh pr merge --auto --squash "$PR_URL"
      env:
        PR_URL: ${{ github.event.pull_request.html_url }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

I also tried permissions: write-all with the same outcome: GraphQL: Pull request User is not authorized for this protected branch (enablePullRequestAutoMerge)

The PR is approved and tagged, but the last sentence, gh pr merge --auto --squash "$PR_URL" fails. Using a PAT with the same permissions works as expected:

Any clue what is wrong?

Thanks

[unicornware]

is auto-merge enabled in your repo?

if i remember correctly, i had to allow auto-merge before using gh pr edit --auto

[szaffarano]

Hi @unicornware
Yes, it is enabled. The workflow works as expected when I use a PAT with the permissions listed above, but it doesn't work using the GITHUB_TOKEN.

[unicornware]

gotcha, what do your branch protection settings look like?

[szaffarano]

Hi @unicornware
Here it's a screenshot with the branch protection settings. We only have one rule for main. Also, remember that by using a PAT token with only read access to metadata and r/w access to code, issues, and pull requests, the workflow works.

Thanks

[FarhaKousar1601]

The error message you're encountering is "GraphQL: ['Pull request: User is not authorized for this protected branch'] (enablePullRequestAutoMerge)," indicates that your GitHub app does not have the necessary permissions to enable auto-merge on a pull request.

To resolve this issue, you'll need to ensure that your GitHub app has the required permissions to perform this action. Here are the steps you can take:

1. Check App Permissions: Make sure that your GitHub app has the necessary permissions to enable auto-merge on pull requests. You mentioned that your bot has "content: write" and "pull-requests: write" permissions, but enabling auto-merge on a protected branch might require additional permissions. You should review your GitHub app settings and ensure it has the required permissions.

2. Protected Branch Settings: Verify the protected branch settings for the repository where you are trying to enable auto-merge. Ensure that your bot has the appropriate permissions to make changes to protected branches. This can be configured in the repository's settings under "Branches" or "Settings."

3. Webhook Payload: Double-check your workflow configuration to ensure that it is correctly setting up the pull request and attempting to enable auto-merge on the right branch. Ensure that your workflow is using the correct token or credentials associated with your GitHub app.

4. Webhook Events: Confirm that your GitHub app is subscribed to the necessary webhook events. Enabling auto-merge may require the "pull_request" event or similar events to be included in your GitHub App's subscription.

5. Testing in a Safe Environment: Consider testing your workflow in a safe or test repository to ensure that the permissions and configuration are correct before applying it to your production repository.

If you've already verified the above and are still facing issues, you might want to reach out to GitHub Support for further assistance, as they can provide more specific guidance based on your GitHub app's configuration and the repository settings. Additionally, ensure that your GitHub app is correctly authenticated and authorized when making API calls to enable auto-merge on pull requests. #67124

[szaffarano]

Hi @FarhaKousar1601 , thanks for your reply

Check App Permissions: Make sure that your GitHub app has the necessary permissions to enable auto-merge on pull requests. You mentioned that your bot has "content: write" and "pull-requests: write" permissions, but enabling auto-merge on a protected branch might require additional permissions. You should review your GitHub app settings and ensure it has the required permissions.

I tried even setting permissions: write-all (please check the first image I attached in my question showing all the permissions the bot had.

Protected Branch Settings: Verify the protected branch settings for the repository where you are trying to enable auto-merge. Ensure that your bot has the appropriate permissions to make changes to protected branches. This can be configured in the repository's settings under "Branches" or "Settings."

I'm not sure how to verify it. In a previous answer, I attached the settings in our main branch (the only one protected).

Webhook Payload: Double-check your workflow configuration to ensure that it is correctly setting up the pull request and attempting to enable auto-merge on the right branch. Ensure that your workflow is using the correct token or credentials associated with your GitHub app.

Same answer here as in the first question, the logs show that the user has the proper permissions and I even tried setting write-all permissions. Regarding the workflow configuration, it's the same config as the GH docs.

Webhook Events: Confirm that your GitHub app is subscribed to the necessary webhook events. Enabling auto-merge may require the "pull_request" event or similar events to be included in your GitHub App's subscription.

you mean, on: pull_request?

[szaffarano]

Testing in a Safe Environment: Consider testing your workflow in a safe or test repository to ensure that the permissions and configuration are correct before applying it to your production repository.

I tried the same workflow in a public repo and it worked! The only difference I found (besides some small changes because the repo having issues belongs to an organization and is using an enterprise account) is regarding the default branch, main instead of master. Other than that, both repos have the same configurations.

Any clue?

Thanks

[szaffarano]

The problematic option (now it's obvious.. 🥲 ) was Restrict who can push to matching branches

Is there any way to include dependabot in this list?

Thanks everyone for your help!

[ro3t]

The problematic option (now it's obvious.. 🥲 ) was Restrict who can push to matching branches

Is there any way to include dependabot in this list?

Thanks everyone for your help!

same question here

[smnieves-cbg]

The problematic option (now it's obvious.. 🥲 ) was Restrict who can push to matching branches
Is there any way to include dependabot in this list?
Thanks everyone for your help!

same question here

Has this been addressed yet?

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[nbennke]

Hello community, I think the topic is still relevant. Or missing a feedback how to prevent.

I there any activity in this direction? How can we get a toolchain with automatically merges of dependabot pull requests when all tests and conditions got fullfilled?

[adrianschmidt]

The only workaround I know of so far is to use an access token from a user, which can be included in the list of allowed users.

However, you might not need the Restrict who can push to matching branches option. The naming of it makes it seem like without that option, anyone will be able to push anything to the protected branch, but that's not true (at least not as far as I've seen when testing it). I think that option is only needed if you have some users that need write privileges to the repo, but are not allowed to merge a branch even if all the branch protection requirements are fulfilled!

(Please correct me if I have come to the wrong conclusion here! 🙏)

[ThijsBorst]

I have the same issue. I would like to add Dependabot as a user who can auto merge

[DominikTobaben1061]

Hi @ThijsBorst @smnieves-cbg @ro3t @szaffarano @timc13 and anyone confronted with the GraphQL: Pull request User is not authorized for this protected branch (enablePullRequestAutoMerge) tying to use dependabots auto-merge feature in their github actions pipeline:

The reason is obviously the Branch Protection-Rule which denys dependabot the merge to your main/master branch.
I realized, that it is possible to add dependabot already, but apparently not via the UI.

Here is the example, you can search and add renovate to your Repos branch protection rule...

...but dependabot does not appear...

Any attempt to add a custom value via the WebUI did not work for me.

You should be able to add dependabot via the REST API: https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2022-11-28

Or, you can use the GitHub Repository Settings Bot and a settings.yml to add dependabot, here is the branch part:

(CAUTION: This is only the interesting part)

repository:
...
  allow_auto_merge: true
...

branches:
  - name: main
    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
    # Branch Protection settings. Set to null to disable
    protection:
      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
      required_pull_request_reviews:
        # The number of approvals required. (1-6)
        required_approving_review_count: 1
        # Dismiss approved reviews automatically when a new commit is pushed.
        dismiss_stale_reviews: true
        # Blocks merge until code owners have reviewed.
        require_code_owner_reviews: true
        # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
#         dismissal_restrictions:
#           users: []
#           teams: []
      # Required. Require status checks to pass before merging. Set to null to disable
      required_status_checks:
        # Required. Require branches to be up to date before merging.
        strict: true
        # Required. The list of status checks to require in order to merge into this branch
        contexts: []
      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
      enforce_admins: false
      # Prevent merge commits from being pushed to matching branches
      required_linear_history: true
      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
      restrictions:
        apps: ["dependabot"]
        users: []
        teams: []
      required_signatures: true
...

And now the Repository's branch protection rule looks like this and the pipeline should work:

[DominikTobaben1061]

Sorry I was a bit early. Even though dependabot now appears, the error is still the same. This should be the correct slug though (as stated in this bot message posted for another issue dependabot/dependabot-core#9147 (comment))

[DominikTobaben1061]

We ended up now using a Service Account PAT