Github: Pushing to protected branches with fine-grained token
I'm using semantic release in a Github repository to create automatic releases on push. The release needs to commit package.json and CHANGELOG.md to my protected branch.
I used to provide a personal token from my admin account to allow semantic-release to push to protected branch.
In order to improve security, I wanted to replace the PT through a new fine-grained token.
So I created a fine-grained PT from the same admin account as the old PT and gave it write permission to content.
Unfortunately, that doesn't seem to be enough to push to the protected branch.
Any idea which permission might be needed?
UPDATE: Not sure this is even supported yet. I posted the question in the fine-grained personal token feedback discussion
@semantic-release/git needs the Contents permission set to Read and write in order to be able to push to a protected branch.
Do not allow bypassing the above settings MUST be unchecked in the branch protection settings in order for this to work. Allow force pushes is not required.
Note: I find it more convenient to name your Personal Access Token secret CI_GITHUB_TOKEN, or anything differing from the default GITHUB_TOKEN secret provided by GitHub Actions, to differentiate them easily in your workflows (since you should probably use the PAC only for semantic-release).
You will also need to update your action workflow file with the following in order for this to work (otherwise git will keep using the default generated GITHUB_TOKEN):
- name: Checkout
uses: actions/checkout@v3
with:
persist-credentials: false # <--- this
Additionally, if you are using the @semantic-release/github plugin, you may also want to grant Read and write on Issues and Pull requests to allow the bot to comment on issues and PRs when a release mentions it.
If you're looking for a functional implementation (with a manual configuration checklist) of semantic-release in a CI pipeline, you check the PR I made for the cron library.
Important security mention from the documentation
Note: Automatically populated
GITHUB_TOKENcannot be used if branch protection is enabled for the target branch. It is not advised to mitigate this limitation by overriding an automatically populatedGITHUB_TOKENvariable with a Personal Access Tokens, as it poses a security risk. Since Secret Variables are available for Workflows triggered by any branch, it becomes a potential vector of attack, where a Workflow triggered from a non-protected branch can expose and use a token with elevated permissions, yielding branch protection insignificant.
This risk is greatly mitigated by using a fine-grained token, and when using the pull_request workflow trigger, which "prevents write permissions and secrets access to the target repository".
But a user with write access to the repository might still push a branch with a workflow exploit that would expose your Personal Access Token.
Further reading:
- How to only run a step if the workflow is running in the main repository in Github Actions?
- How to run Spring Boot server in background GH Actions?
- Github action issue issue with `npm install`
- GitHub Action workflow not running
- github action expressions - split string
- How to create environment variable from JSON values in GitHub actions
- How to get my own GitHub events payload json for testing GitHub Actions locally?
- Can you use an `enum` with an input in GitHub Action's `action.yml` and a workflow file?
- How to find Package.json version, and use as variable in Github Action
- Different variables handling when running Make locally and in GitHub Actions
- Unable to edit and capture Super Linter error into GitHub Issue
- Combine dynamic Github Workflow matrix with input values and predefined values
- Github actions Configure AWS credentials Error: The security token included in the request is invalid
- Github package successfully published, but not showing up in "Packages" section
- How to configure dialect in SQLfluff for Super-linter actions in GitHub actions YML file?
- Add multiple variables for one selectable option
- How can I catch a Java exception in Github Action
- How to auto close GitHub issue using GitHub CLI in GitHub Actions
- Deploying files from GitHub to Azure
- actions/upload-pages-artifact fails at actions/upload-artifact with "No files were found with the provided path"
- Running Expensive e2e Tests Before Merge in GitHub Merge Queue – Is It the Right Choice?
- Get the AZURE_CREDENTIALS of a Service Principal
- Get current date and time in GitHub workflows
- Official badge for GitHub Actions
- I am not able to import the powershell module Microsoft.Graph.Entra.Beta
- Delete a workflow from GitHub Actions
- Azure Login in seperate jobs within the same workflow use different Subject Identifier
- An error occurred while using the Python magic library at Docker & Github Action. "E ModuleNotFoundError: No module named 'magic'"
- Adding a connection from Azure Web App to GitHub using Deployment center
- How do I automerge dependabot updates (config version 2)?