I have a workflow, that does some modifications on the repository, and pushes it, expecting the push workflow to start. Now I know that the intended way in the documentation suggests me creating a PAT, but that seems like a hacky solution to me, since the whole build procedure is tied to my account being active and having necessary permissions.
It also expects my account to have push access to my main branches, which I don't want to have. I want to operate through PRs.
Do I have any other options? Do I need to create a my-github-bot account in my org and create a PAT for that? All these options seem too hacky compared to just having a switch to enable workflow triggering with the default ${{ secrets.GITHUB_TOKEN }}
The workflow that pushes can also use the workflow_dispatch trigger on the second workflow to start the other workflow. Either by doing a REST call or by including a call gh:
gh workflow run {{workflow.yaml}} --ref {{sha}} --repo {{owner/repo}}
Or use one of the available actions to invoke the workflow after your push step.
For example:
- name: Invoke workflow with inputs
uses: benc-uk/workflow-dispatch@v1
with:
workflow: Another Workflow
You can also use a GitHub app, there's a special action for that. You grant the app the permissions to invoke the workflow and then let the workflow retrieve a token to invoke the other workflow if needed, heck, you could even use that token to do the push.
- name: Get Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v1
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
- name: Use Application Token to create a release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
....
A bit of setup is required to register the app and give it the right permissions.