I want to create a GitHub App in my organization that will allow me to create an automatic versioning commit directly on the main branch after every pull request is merged to the main branch.
I have a branch protection rule for the main branch which requires a pull request before merging, and I need to allow my GitHub App to bypass this rule.
Here is the list of steps I did:
Permissions
Read access to codespaces metadata, metadata, organization events, and organization plan
Read and write access to Dependabot alerts, actions, actions variables, administration, attestations api, checks, code, codespaces, codespaces lifecycle admin, codespaces secrets, commit statuses, custom organization roles, custom repository roles, dependabot secrets, deployments, discussions, environments, issues, members, merge queues, organization actions variables, organization administration, organization announcement banners, organization codespaces, organization codespaces secrets, organization codespaces settings, organization copilot seat management, organization dependabot secrets, organization hooks, organization personal access token requests, organization personal access tokens, organization secrets, organization self hosted runners, organization user blocking, packages, pages, pull requests, repository advisories, repository custom properties, repository hooks, secret scanning alerts, secrets, security events, team discussions, and workflows
Admin access to organization custom properties, organization projects, and repository projects
"Allow specified actors to bypass required pull requests" list for my pull request rule
peter-murray/workflow-application-token-action@v3 action to generate a short lived token with sufficient permissions to do this operation:

```yaml
    # ... prior workflow steps
    - name: Get token for gh app Token
      id: get_workflow_token
      uses: peter-murray/workflow-application-token-action@v3
      with:
        application_id: ${{ vars.AUTOCOMMIT_APP_ID }}
        application_private_key: ${{ secrets.AUTOCOMMIT_APP_PRIVATE_KEY }}
    - name: Commit automatic version bump
      if: github.event.pull_request.merged == true
      env:
        GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
      run: |-
        git config user.name 'autocommit app'
        git config user.email '[email protected]'
        git add .
        git commit -m "chore: update version number (automated)"
        git push
    # ... later workflow steps
```
```text
Run git config user.name 'autocommit app'
[main 27e4f11] chore: update version number (automated)
 1 file changed, 1 insertion(+), 1 deletion(-)
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: Review all repository rules at http://github.com/sandbox-org/org-sandbox-repo/rules?ref=refs%2Fheads%2Fmain
remote:
remote: - Changes must be made through a pull request.
remote:
To https://github.com/sandbox-org/org-sandbox-repo
 ! [remote rejected] main -> main (push declined due to repository rule violations)
error: failed to push some refs to 'https://github.com/sandbox-org/org-sandbox-repo'
```
If I completely turn off branch protection, the commit step works just fine, so I think the token creation is valid, but of course this is not a solution.
I got an answer for this in a post I made in the github forums: https://github.com/orgs/community/discussions/136531#discussioncomment-10421321
The app's token must be used during the checkout step, before I try to create the commit
EDIT: Here is an example of what I mean:
```yaml
    # ... prior workflow steps
    - name: Get token for gh app Token
      id: get_autocommit_app_token
      uses: peter-murray/workflow-application-token-action@v3
      with:
        application_id: ${{ vars.AUTOCOMMIT_APP_ID }}
        application_private_key: ${{ secrets.AUTOCOMMIT_APP_PRIVATE_KEY }}
    # ==============
    # Check out with the app token so that the credential git keeps for the
    # later push is the app's, not the default GITHUB_TOKEN.
    - uses: actions/checkout@v3
      with:
        token: ${{ steps.get_autocommit_app_token.outputs.token }}
    # ==============
    - name: Commit automatic version bump
      if: github.event.pull_request.merged == true
      env:
        GITHUB_TOKEN: ${{ steps.get_autocommit_app_token.outputs.token }}
      run: |-
        git config user.name 'autocommit app'
        git config user.email '[email protected]'
        git add .
        git commit -m "chore: update version number (automated)"
        git push
    # ... later workflow steps
```
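Added example, not code from the question, the answer, actions/checkout or peter-murray/workflow-application-token-action: a shell script that reproduces, in a throwaway local repository, the mechanism the answer relies on. actions/checkout (with persist-credentials left at its default) stores the token it was given in the repository's git config as http.https://github.com/.extraheader, a basic-auth header for the user x-access-token. A later git push sends that header; it never reads the GITHUB_TOKEN environment variable, which is why the first workflow pushed as the default token and hit GH013 even though the app token was in the environment. The token values and the repository path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows why `git push` in the first
# workflow used actions/checkout's default token rather than $GITHUB_TOKEN, and what
# checking out with the app token changes. All token values below are constructed.
set -eu

# actions/checkout persists the token it was given as a git "extraheader":
#   http.https://github.com/.extraheader = AUTHORIZATION: basic base64("x-access-token:<token>")
auth_header() {
  printf 'AUTHORIZATION: basic %s' "$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')"
}

# Decode which token git will actually send on push for the given repo
# (prints nothing when no credential has been persisted).
push_token() {
  repo="$1"
  header="$(git -C "$repo" config --get http.https://github.com/.extraheader || true)"
  [ -n "$header" ] || return 0
  printf '%s' "${header#AUTHORIZATION: basic }" | base64 -d | sed 's/^x-access-token://'
}

# Stand-in for `actions/checkout` with persist-credentials at its default (true):
# a fresh repo whose config carries the header for the supplied token.
simulate_checkout() {
  git init -q "$1"
  git -C "$1" config http.https://github.com/.extraheader "$(auth_header "$2")"
}

# The answer's fix is to pass the app token to actions/checkout, so the header is
# written with the app token from the start. For a repo that is already checked out,
# rewriting the header is the equivalent repair.
use_app_token() {
  git -C "$1" config http.https://github.com/.extraheader "$(auth_header "$2")"
}

# Walk through both states and report "<token before> <token after>".
demo() {
  tmp="$(mktemp -d)"
  simulate_checkout "$tmp/repo" "ghs_defaultGithubToken"   # constructed placeholder
  GITHUB_TOKEN="ghs_appInstallationToken"                  # constructed placeholder
  export GITHUB_TOKEN
  before="$(push_token "$tmp/repo")"   # env var is set, yet git still holds the checkout token
  use_app_token "$tmp/repo" "$GITHUB_TOKEN"
  after="$(push_token "$tmp/repo")"
  rm -rf "$tmp"
  printf '%s %s\n' "$before" "$after"
}

demo
```

Running the script prints the checkout token first and the app token second: only the persisted header decides which identity the push carries, so passing the app token to actions/checkout (or setting persist-credentials: false and supplying the app token to git yourself) is what makes the bypass list apply. Two practitioner notes: the bypass list matches the identity that authenticates the push, so the app must both be in that list and be the credential git uses; and pushing a commit only needs the app's Contents permission set to read and write, so the very broad permission set granted in the question can be cut back without affecting this job.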