Tags: git, github, github-actions, git-branch, github-app

Why can't my github app bypass branch protection


I want to create a github app in my organization that will allow me to create an automatic versioning commit directly on the main branch after every pull request is merged to main branch. I have a branch protection rule for the main branch which requires a pull request before merging, and I need to allow my github app to bypass this rule.

Here is the list of steps I did:

  • create my repo and create a branch protection rule that requires the existence of a pull request
  • create a new github app in my github organization, and give every single available permission to the app (so this includes every possible write permission for repos etc). Here is the full list of these permissions as well:
Permissions
 Read access to codespaces metadata, metadata, organization events, and organization plan
 Read and write access to Dependabot alerts, actions, actions variables, administration, attestations api, checks, code, codespaces, codespaces lifecycle admin, codespaces secrets, commit statuses, custom organization roles, custom repository roles, dependabot secrets, deployments, discussions, environments, issues, members, merge queues, organization actions variables, organization administration, organization announcement banners, organization codespaces, organization codespaces secrets, organization codespaces settings, organization copilot seat management, organization dependabot secrets, organization hooks, organization personal access token requests, organization personal access tokens, organization secrets, organization self hosted runners, organization user blocking, packages, pages, pull requests, repository advisories, repository custom properties, repository hooks, secret scanning alerts, secrets, security events, team discussions, and workflows
 Admin access to organization custom properties, organization projects, and repository projects
  • install the app in every repo in my organization
  • create a private key for my application and export it as an organization-level secret variable
  • export the app id to a github variable as well
  • add the app to the "Allow specified actors to bypass required pull requests" list for my pull request rule
  • create a workflow that runs when a pull request is merged which has the following step for creating the commit on main (I am using the peter-murray/workflow-application-token-action@v3 action to generate a short lived token with sufficient permissions to do this operation):
... prior workflow steps
      - name: Get token for gh app Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@v3
        with:
          application_id: ${{ vars.AUTOCOMMIT_APP_ID }}
          application_private_key: ${{ secrets.AUTOCOMMIT_APP_PRIVATE_KEY }}
      - name: Commit automatic version bump
        if: github.event.pull_request.merged == true
        env:
          GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
        run: |-
          git config user.name 'autocommit app'
          git config user.email '[email protected]'
          git add .
          git commit -m "chore: update version number (automated)"
          git push
... later workflow steps
  • At this point I expect the commit to be created and pushed to main, but I get the following error:
Run git config user.name 'autocommit app'
[main 27e4f11] chore: update version number (automated)
 1 file changed, 1 insertion(+), 1 deletion(-)
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: Review all repository rules at http://github.com/sandbox-org/org-sandbox-repo/rules?ref=refs%2Fheads%2Fmain
remote:
remote: - Changes must be made through a pull request.
remote:
To https://github.com/sandbox-org/org-sandbox-repo
 ! [remote rejected] main -> main (push declined due to repository rule violations)
error: failed to push some refs to 'https://github.com/sandbox-org/org-sandbox-repo'

If I completely turn off branch protection, the commit step works just fine, so I think the token creation is valid, but of course this is not a solution.


Solution

  • I got an answer for this in a post I made in the github forums: https://github.com/orgs/community/discussions/136531#discussioncomment-10421321

    The app's token must be used during the checkout step, before I try to create the commit

    EDIT: Here is an example of what I mean:

    ... prior workflow steps
          # Mint a short-lived installation token for the app
          - name: Get token for gh app Token
            id: get_autocommit_app_token
            uses: peter-murray/workflow-application-token-action@v3
            with:
              application_id: ${{ vars.AUTOCOMMIT_APP_ID }}
              application_private_key: ${{ secrets.AUTOCOMMIT_APP_PRIVATE_KEY }}
          # ==============
          # Check out with the app token so that the credentials git keeps for
          # pushing belong to the app, not to the default workflow token
          - uses: actions/checkout@v3
            with:
              token: ${{ steps.get_autocommit_app_token.outputs.token }}
          # ==============
          - name: Commit automatic version bump
            if: github.event.pull_request.merged == true
            env:
              GITHUB_TOKEN: ${{ steps.get_autocommit_app_token.outputs.token }}
            run: |-
              git config user.name 'autocommit app'
              git config user.email '[email protected]'
              git add .
              git commit -m "chore: update version number (automated)"
              git push
    ... later workflow steps
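The reason the checkout step matters is that `git push` never reads a `GITHUB_TOKEN` environment variable: it sends whatever credential `actions/checkout` persisted into the repository's `.git/config` (with its default `persist-credentials: true`), which is an `http.https://github.com/.extraheader` entry carrying `AUTHORIZATION: basic base64("x-access-token:<token>")`. The following script is an added example, not part of the question or the forum answer, that reproduces that config entry locally and provides a check a workflow step can run before pushing to confirm which token git will actually present. The token values are constructed placeholders; `persist_checkout_token` is a hypothetical helper that writes the same key and encoding that `actions/checkout` writes, so the check works against a real checkout too.

```shell
#!/usr/bin/env sh
# Added example: which token will `git push` send to github.com?
# actions/checkout persists the checkout token as an HTTP extra header in
# .git/config; git push uses that header and ignores $GITHUB_TOKEN entirely.
set -eu

EXTRAHEADER_KEY='http.https://github.com/.extraheader'

# Simulate actions/checkout persisting a token (same config key and encoding).
# $1 = repo dir, $2 = token
persist_checkout_token() {
  cred=$(printf 'x-access-token:%s' "$2" | base64 | tr -d '\n')
  git -C "$1" config --local "$EXTRAHEADER_KEY" "AUTHORIZATION: basic ${cred}"
}

# Print the token git will present on push, or "none" if no header is stored.
# $1 = repo dir
push_token() {
  header=$(git -C "$1" config --local --get "$EXTRAHEADER_KEY" 2>/dev/null || true)
  if [ -z "$header" ]; then
    echo none
    return 0
  fi
  printf '%s' "${header#AUTHORIZATION: basic }" | base64 -d | cut -d: -f2-
}

# Pre-push check: succeed only if git would push with the token we expect
# (e.g. the app installation token from the token-minting step).
# $1 = repo dir, $2 = expected token
assert_push_uses() {
  [ "$(push_token "$1")" = "$2" ]
}

demo() {
  repo=$(mktemp -d)
  git init -q "$repo"

  # A plain checkout stores the default workflow token (constructed value).
  persist_checkout_token "$repo" "ghs_defaultWorkflowToken"

  # Exporting the app token into the environment changes nothing for git.
  GITHUB_TOKEN="ghs_appInstallationToken"   # constructed value
  export GITHUB_TOKEN
  echo "before re-checkout: $(push_token "$repo")"   # ghs_defaultWorkflowToken

  # Re-running checkout with the app token is what replaces the stored credential.
  persist_checkout_token "$repo" "$GITHUB_TOKEN"
  echo "after re-checkout:  $(push_token "$repo")"   # ghs_appInstallationToken
  assert_push_uses "$repo" "$GITHUB_TOKEN" && echo "push will use the app token"

  rm -rf "$repo"
}

demo
```

In a workflow, `assert_push_uses . "${{ steps.get_autocommit_app_token.outputs.token }}"` placed just before `git push` fails the job early if the checkout step was not given the app token. If you prefer not to re-checkout, the alternative is to remove the stored header (`git config --unset http.https://github.com/.extraheader`, or `persist-credentials: false` on checkout) and pass the app token explicitly on the push URL as `https://x-access-token:<token>@github.com/<org>/<repo>`; leaving the header in place would override the URL credential. Either way the app only needs repository `Contents: write` for this job, far less than the permission set granted in the question.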