Tags: git, github, github-actions, git-branch, github-app

Why can't my GitHub app bypass branch protection?


I want to create a GitHub app in my organization that will allow me to create an automatic versioning commit directly on the main branch after every pull request is merged to the main branch. I have a branch protection rule for the main branch which requires a pull request before merging, and I need to allow my GitHub app to bypass this rule.

Here is the list of steps I did:

Permissions
 Read access to codespaces metadata, metadata, organization events, and organization plan
 Read and write access to Dependabot alerts, actions, actions variables, administration, attestations api, checks, code, codespaces, codespaces lifecycle admin, codespaces secrets, commit statuses, custom organization roles, custom repository roles, dependabot secrets, deployments, discussions, environments, issues, members, merge queues, organization actions variables, organization administration, organization announcement banners, organization codespaces, organization codespaces secrets, organization codespaces settings, organization copilot seat management, organization dependabot secrets, organization hooks, organization personal access token requests, organization personal access tokens, organization secrets, organization self hosted runners, organization user blocking, packages, pages, pull requests, repository advisories, repository custom properties, repository hooks, secret scanning alerts, secrets, security events, team discussions, and workflows
 Admin access to organization custom properties, organization projects, and repository projects
... prior workflow steps
      - name: Get token for gh app Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@v3
        with:
          application_id: ${{ vars.AUTOCOMMIT_APP_ID }}
          application_private_key: ${{ secrets.AUTOCOMMIT_APP_PRIVATE_KEY }}
      - name: Commit automatic version bump
        if: github.event.pull_request.merged == true
        env:
          GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
        run: |-
          git config user.name 'autocommit app'
          git config user.email 'autocommit-app@placeholder.com'
          git add .
          git commit -m "chore: update version number (automated)"
          git push
... later workflow steps
Run git config user.name 'autocommit app'
[main 27e4f11] chore: update version number (automated)
 1 file changed, 1 insertion(+), 1 deletion(-)
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: Review all repository rules at http://github.com/sandbox-org/org-sandbox-repo/rules?ref=refs%2Fheads%2Fmain
remote: 
remote: - Changes must be made through a pull request.
remote: 
To https://github.com/sandbox-org/org-sandbox-repo
 ! [remote rejected] main -> main (push declined due to repository rule violations)
error: failed to push some refs to 'https://github.com/sandbox-org/org-sandbox-repo'

If I completely turn off branch protection, the commit step works just fine, so I think the token creation is valid, but of course this is not a solution.


Solution

  • I got an answer for this in a post I made in the github forums: https://github.com/orgs/community/discussions/136531#discussioncomment-10421321

    The app's token must be used during the checkout step, before I try to create the commit.

    EDIT: Here is an example of what I mean:

    ... prior workflow steps
          - name: Get token for gh app Token
            id: get_autocommit_app_token
            uses: peter-murray/workflow-application-token-action@v3
            with:
              application_id: ${{ vars.AUTOCOMMIT_APP_ID }}
              application_private_key: ${{ secrets.AUTOCOMMIT_APP_PRIVATE_KEY }}
          # ==============
          - uses: actions/checkout@v3
            with:
              token: ${{ steps.get_autocommit_app_token.outputs.token }}
          # ==============
          - name: Commit automatic version bump
            if: github.event.pull_request.merged == true
            env:
              GITHUB_TOKEN: ${{ steps.get_autocommit_app_token.outputs.token }}
            run: |-
              git config user.name 'autocommit app'
              git config user.email 'autocommit-app@placeholder.com'
              git add .
              git commit -m "chore: update version number (automated)"
              git push
    ... later workflow steps
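Why moving the token to the checkout step is what fixes the push: git itself never reads a `GITHUB_TOKEN` environment variable. `actions/checkout` (with its default `persist-credentials: true`) stores the token it was given in the repository's `.git/config` as an `http.https://github.com/.extraheader` basic-auth header, and that persisted header is what every later `git push` sends. In the original workflow the push therefore went out with whatever token the earlier checkout used, not the app token in `env`. The script below is an added example, not code from the question or from the linked discussion: it reproduces that config layout in a scratch directory with constructed placeholder tokens (`WORKFLOW_TOKEN_PLACEHOLDER`, `APP_TOKEN_PLACEHOLDER`), using the repository URL from the post, and decodes which token a push from that checkout would carry.

```shell
#!/bin/sh
# Added example (not from the original post): simulate the credential that
# actions/checkout persists in .git/config and report which token `git push`
# will actually send. Tokens here are constructed placeholders.
set -eu

GITHUB_URL="https://github.com/"

# actions/checkout writes: AUTHORIZATION: basic base64("x-access-token:<token>")
basic_header() {
  printf 'AUTHORIZATION: basic %s' \
    "$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')"
}

# Write a minimal .git/config equivalent to a checkout done with token $2.
# On a real runner the same value is visible with:
#   git config --get http.https://github.com/.extraheader
write_checkout_config() {
  mkdir -p "$1/.git"
  cat > "$1/.git/config" <<EOF
[remote "origin"]
    url = ${GITHUB_URL}sandbox-org/org-sandbox-repo
[http "$GITHUB_URL"]
    extraheader = $(basic_header "$2")
EOF
}

# Decode the persisted header and print the token git will push with.
# A GITHUB_TOKEN in the environment is deliberately ignored, as git ignores it.
persisted_push_token() {
  hdr=$(grep 'extraheader = ' "$1/.git/config" 2>/dev/null \
        | sed 's/.*extraheader = //' || true)
  if [ -z "$hdr" ]; then
    echo "none"
    return 0
  fi
  printf '%s' "${hdr#AUTHORIZATION: basic }" | base64 -d | cut -d: -f2
}

# Stand-alone demonstration: checkout with the workflow token, then with the app token.
demo_dir=$(mktemp -d)
write_checkout_config "$demo_dir" WORKFLOW_TOKEN_PLACEHOLDER
echo "push would use: $(GITHUB_TOKEN=APP_TOKEN_PLACEHOLDER persisted_push_token "$demo_dir")"
write_checkout_config "$demo_dir" APP_TOKEN_PLACEHOLDER
echo "push would use: $(persisted_push_token "$demo_dir")"
rm -rf "$demo_dir"
```

The first line of output names the workflow token even though `GITHUB_TOKEN` is set to the app token in the environment, which is exactly the situation the original workflow was in. Two checks worth making when a push is still rejected after the change: run `git config --get http.https://github.com/.extraheader` in the job to confirm the persisted credential is the app's, and confirm the app is actually listed as an actor allowed to bypass the required-pull-request rule, since a valid app token alone does not grant a bypass.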