Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refusing to allow a GitHub App to create or update workflow .github/workflows/main.yml without workflows permission #322

Closed
atodorov opened this issue Feb 26, 2024 · 7 comments
Closed

Refusing to allow a GitHub App to create or update workflow .github/workflows/main.yml without workflows permission #322

atodorov opened this issue Feb 26, 2024 · 7 comments
Labels
bug Something isn't working

Comments

@atodorov
Copy link

git-auto-commit Version

v5

Machine Type

Ubuntu (eg. ubuntu-latest)

Bug description

I have configured permission: write-all and still get a failure because part of the commit is modifying GitHub actions files.

Steps to reproduce

https://github.com/kiwitcms/gitops/actions/runs/8056214742/job/22004837145?pr=5

Tried solutions

No response

Example Workflow

---
# MegaLinter GitHub Action configuration file
# More info at https://megalinter.io
name: MegaLinter

on:
  pull_request:

permissions: read-all

env: # Comment env block if you do not want to apply fixes
  # Apply linter fixes configuration
  APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
  APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
  APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)

concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

jobs:
  build:
    name: MegaLinter
    runs-on: ubuntu-latest
    # checkov:skip=CKV2_GHA_1:We need this for auto-commit
    permissions: write-all
    steps:
      # Git Checkout
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances

      # MegaLinter
      - name: MegaLinter
        id: ml
        # You can override MegaLinter flavor used to have faster performances
        # More info at https://megalinter.io/latest/flavors/
        uses: oxsecurity/megalinter/flavors/[email protected]
        env:
          # All available variables are described at https://megalinter.io/latest/configuration/
          # and configured in .mega-linter.yml
          VALIDATE_ALL_CODEBASE: true
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Upload MegaLinter artifacts
      - name: Archive production artifacts
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: MegaLinter reports
          path: |
            megalinter-reports
            mega-linter.log

      - name: git diff
        if: steps.ml.outputs.has_updated_sources == 1
        run: |
          git diff

      # Create pull request if applicable (for now works only on PR from same repository, not from forks)
      - name: Create Pull Request with applied fixes
        id: cpr
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          commit-message: "[MegaLinter] Apply linters automatic fixes"
          title: "[MegaLinter] Apply linters automatic fixes"
          labels: bot
      - name: Create PR output
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"

      # Push new commit if applicable (for now works only on PR from same repository, not from forks)
      - name: Prepare commit
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/dev' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        run: sudo chown -Rc $UID .git/
      - name: Commit and push applied linter fixes
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/dev' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
          commit_message: "[MegaLinter] Apply linters fixes"

extracted from https://github.com/kiwitcms/gitops/pull/5/files



### Relevant log output

```shell
Started: bash /home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/entrypoint.sh
INPUT_REPOSITORY value: .
INPUT_STATUS_OPTIONS: 
INPUT_FILE_PATTERN: .
INPUT_BRANCH value: mega-linter
Previous HEAD position was f700ab4 Merge ccdda2820d0941feb71b8dd42dc1eee4343fde8f into 52823bb1292ddbf305d26210c260139c1bd19331
Switched to a new branch 'mega-linter'
M	.github/workflows/main.yml
M	.github/workflows/pr.yml
M	action.yml
M	entrypoint.sh
branch 'mega-linter' set up to track 'origin/mega-linter'.
INPUT_ADD_OPTIONS: 
INPUT_FILE_PATTERN: .
INPUT_COMMIT_OPTIONS: 
INPUT_COMMIT_USER_NAME: github-actions[bot]
INPUT_COMMIT_USER_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
INPUT_COMMIT_MESSAGE: [MegaLinter] Apply linters fixes
INPUT_COMMIT_AUTHOR: atodorov <[email protected]>
[mega-linter 633ac82] [MegaLinter] Apply linters fixes
 Author: atodorov <[email protected]>
 20 files changed, 471 insertions(+), 13 deletions(-)
 create mode 100644 megalinter-reports/IDE-config.txt
 create mode 100644 megalinter-reports/IDE-config/.checkov.yml
 create mode 100644 megalinter-reports/IDE-config/.gitleaks.toml
 create mode 100644 megalinter-reports/IDE-config/.grype.yaml
 create mode 100644 megalinter-reports/IDE-config/.hadolint.yaml
 create mode 100644 megalinter-reports/IDE-config/.idea/externalDependencies.xml
 create mode 100644 megalinter-reports/IDE-config/.jscpd.json
 create mode 100644 megalinter-reports/IDE-config/.markdown-link-check.json
 create mode 100644 megalinter-reports/IDE-config/.markdownlint.json
 create mode 100644 megalinter-reports/IDE-config/.secretlintrc.json
 create mode 100644 megalinter-reports/IDE-config/.vscode/extensions.json
 create mode 100644 megalinter-reports/IDE-config/.yamllint.yml
 create mode 100644 megalinter-reports/updated_sources/.github/workflows/main.yml
 create mode 100644 megalinter-reports/updated_sources/.github/workflows/pr.yml
 create mode 100644 megalinter-reports/updated_sources/action.yml
 create mode 100755 megalinter-reports/updated_sources/entrypoint.sh
INPUT_TAGGING_MESSAGE: 
No tagging message supplied. No tag will be added.
INPUT_PUSH_OPTIONS: 
To https://github.com/kiwitcms/gitops
 ! [remote rejected] HEAD -> mega-linter (refusing to allow a GitHub App to create or update workflow `.github/workflows/main.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/kiwitcms/gitops'
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:514:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5) {
  code: 1
}
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:514:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5)
@atodorov atodorov added the bug Something isn't working label Feb 26, 2024
@stefanzweifel
Copy link
Owner

Hi @atodorov,

As far as I know, the default token used by GitHub Actions can't have workflows: write permission.
Probably another security measure by GitHub, to prevent bad actions from stealing secrets from your repository.

(I can't find documentation about this, but I ran into a similar issues years ago)

The easiest solution might be to create a personal access token (PAT) and add it to your workflow.
https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs

Will add a warning to the README to warn users, that the action can't modify workflow files.

@atodorov
Copy link
Author

(I can't find documentation about this, but I ran into a similar issues years ago)

Sadly I wasn't able to find documentation either and trying to set

permissions:
   workflows: write

is invalid syntax.

@stefanzweifel
Copy link
Owner

I also assume that the error message "refusing to allow a GitHub App to create or update workflow .github/workflows/main.yml without workflows permission" is just a UX error.

GitHub probably assumes that the push comes from a GitHub App, but GitHub Actions is not the same as a GitHub App. Maybe we can forward this to a feedback repo somewhere. 🤔

@atodorov
Copy link
Author

GitHub probably assumes that the push comes from a GitHub App, but GitHub Actions is not the same as a GitHub App.

FTR I think in this case GitHub is correct. My commit (after I excluded the conflicting files) looks like this:

atodorov authored and github-actions[bot] committed

Where https://github.com/apps/github-actions redirects to https://github.com/features/actions. Internally github-actions is just another app for which you are automatically authenticated!

@stefanzweifel
Copy link
Owner

@atodorov This seems like a reasonable explanation. 👍

Back to your original issue, have you tried the approach with a personal access token? I'm fairly certain that this will resolve your issue. Can try to reproduce this on my end in the coming days/weeks.

@blakeNaccarato
Copy link

See #266 (comment) for detail on creating and scoping a PAT for this.

Also #87 (comment) for the nuclear option. They discuss setting up your own GitHub App to reliably commit to protected branches, but this "create an entire app and jump through lots of auth hurdles" approach would also apply to permitting a bot to do workflow editing. Maybe only worth it at scale across repos in a GitHub Org where PATs are forbidden.

atodorov added a commit to gluwa/crunch that referenced this issue Apr 4, 2024
@atodorov
Add a git diff as part of MegaLinter's auto-commit output
b1ca2bf 
b/c we need a personal access token here in order for this to work, see
stefanzweifel/git-auto-commit-action#322
atodorov added a commit to gluwa/crunch that referenced this issue Apr 4, 2024
@atodorov
Add a git diff as part of MegaLinter's auto-commit output
33f2398 
b/c we need a personal access token here in order for this to work, see
stefanzweifel/git-auto-commit-action#322
notaturkey added a commit to gluwa/crunch that referenced this issue May 30, 2024
@notaturkey @zacharyfrederick
@pLabarta @atodorov @pre-commit-ci @dependabot @gaquarius
Release/rpcurlfix (#32)
a47225c 
* initial

* remove docker creds and push for testing

* remove docker creds and push for testing

* add temp credentials

* add temp credentials

* add temp credentials

* add checkout step

* update copy command

* wip

* wip

* testing build of dockerfile

* testing dockerfile

* updated README.md

* initial commit

* added active validator functionality with pablo

* updated yaml workflows

* updated yaml workflows

* Update devnet.dockerfile

* fix: update how we copy over the secrets

* Update devnet.yml

* Update devnet.yml

* Update devnet.yml

* Switch Docker context!!!

* one repo for images, different tags for dev-mainnet

* ability to manually trigger

* run this branch

* fix

added the wrong networks

* ready for pr

* updated workflows to use correct context

* Update testnet.yml

* Update testnet.yml

* removed dynamic validator list functionality

* add: testnet validator list

* add: env files, devnet stashes & remove from gitignore

* rm: config step from testnet & devnet workflows

* add: default stash in config

* updated runtime to fully execute batch payouts

* removed unused logging messages

* more cleanup

* reverted unneeded changes to sleep timing

* update: devnet config & stashes

* docker images are built on release/* branch (#15)

* Enable pre-commit CI

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Enable MegaLinter

- disable Clippy b/c it will be enabled separately as part of several
  other cargo CI jobs
- disable spell checkers - too many false positives

* Update README files to satisfy linters

* Revert "initial" to bring back deleted LICENSE file

This reverts commit ca51756.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Fix issues reported by ShellCheck

- must use double quotes

* Configure top-level permissions in GHA to read-all

* Ignore git leaks from upstream commits

* Improvements to Dockerfile(s)

- ignore
  The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
  See https://avd.aquasec.com/misconfig/ds017

  which is triggered by `rustup update`

* removed references to the unused matrix.rs module

* remove matrix.rs for megalinter

* add .jscpd.json configuration file and set threshold to 5

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* updated .jscpd.json config

* added a healtcheck to the crunch bot and added instructions to the dockerfile

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* update the correct dockerfiles this time

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Add a git diff as part of MegaLinter's auto-commit output

b/c we need a personal access token here in order for this to work, see
stefanzweifel/git-auto-commit-action#322

* Reformat

* Rename release related workflow to release.yml

* Copy over create_release.yml from upstream again where their tests are

because previous commits didn't leave this file alone but rather made
lots of changes into it and then subsequently removed it.

* Rename upstream create_release.yml into ci.yml

will add subsequent changes here to make tests trigger on each PR
however this is a good starting point

* Enable minimal testing on PRs

- cargo check
- cargo clippy
- cargo fmt
- cargo test

* Reformat with cargo fmt

* Stricter checks in CI

* Remove unused imports

* Silence warnings for unused variables

for the upstream code just prefix them with underscore to minimize
differences, for creditcoin/ just remove them

* Remove unnecessary mut

* Allow 2 unused methods from upstream implementation

* Add rust-toolchain.toml and use the same rustc version in CI

because fmt and clippy appear to be slightly different from version to
version and we'd like to have consistency regardless of how or where
this is built

* Reformat again with rustc 1.77.0

* Apply suggestions from clippy

* Adjust CRUNCH_CONFIG_FILENAME to point to an existing file

because .env.example has been removed in
ca51756

* Collect and upload code coverage when executing unit tests

* Enable Dependabot

* Bump taiki-e/install-action from 2.27.14 to 2.32.7

Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.27.14 to 2.32.7.
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@v2.27.14...v2.32.7)

---
updated-dependencies:
- dependency-name: taiki-e/install-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump azure/login from 1 to 2

Bumps [azure/login](https://github.com/azure/login) from 1 to 2.
- [Release notes](https://github.com/azure/login/releases)
- [Commits](Azure/login@v1...v2)

---
updated-dependencies:
- dependency-name: azure/login
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update base64 requirement from 0.13.0 to 0.22.0

Updates the requirements on [base64](https://github.com/marshallpierce/rust-base64) to permit the latest version.
- [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md)
- [Commits](marshallpierce/rust-base64@v0.13.0...v0.22.0)

---
updated-dependencies:
- dependency-name: base64
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update env_logger requirement from 0.9.3 to 0.11.3

Updates the requirements on [env_logger](https://github.com/rust-cli/env_logger) to permit the latest version.
- [Release notes](https://github.com/rust-cli/env_logger/releases)
- [Changelog](https://github.com/rust-cli/env_logger/blob/main/CHANGELOG.md)
- [Commits](rust-cli/env_logger@v0.9.3...v0.11.3)

---
updated-dependencies:
- dependency-name: env_logger
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update async-recursion requirement from 0.3.2 to 1.1.0

Updates the requirements on [async-recursion](https://github.com/dcchut/async-recursion) to permit the latest version.
- [Release notes](https://github.com/dcchut/async-recursion/releases)
- [Commits](dcchut/async-recursion@v0.3.2...v1.1.0)

---
updated-dependencies:
- dependency-name: async-recursion
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update reqwest requirement from 0.11 to 0.12

Updates the requirements on [reqwest](https://github.com/seanmonstar/reqwest) to permit the latest version.
- [Release notes](https://github.com/seanmonstar/reqwest/releases)
- [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md)
- [Commits](seanmonstar/reqwest@v0.11.0...v0.12.2)

---
updated-dependencies:
- dependency-name: reqwest
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore: remove PORT from RPC url (#31)

* Update Dockerfile

rustup doesnt work

* fix dockerfile

* Dockerfile fix pls

* taking off silent to debug

* certificates fix

* reverting changes

* Update devnet.dockerfile

* Update devnet.dockerfile

* fix certificates

* fixing other dockerfiles

* needs port

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Zachary Frederick <[email protected]>
Co-authored-by: Zach Frederick <[email protected]>
Co-authored-by: Pablito Labarta <[email protected]>
Co-authored-by: Alex Todorov <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: frank <[email protected]>
Co-authored-by: Thomas McDonald <[email protected]>
stefanzweifel added a commit that referenced this issue Jul 6, 2024
@stefanzweifel
Add docs about .github/workflows pushes
5f3fa8a 
See #322
@stefanzweifel
Copy link
Owner

I've updated the troubleshoot section in the README with a section that discussions this problem.
We suggest using a PAT or the nuclear option of creating a GitHub app.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@atodorov @stefanzweifel @blakeNaccarato