
GitHub Actions error when updating README in current repo with token


What I'm trying to achieve is to update an existing README.md file in my private repository myprivaterepo with the contents of 2 other .md files from another public repository readmes that belongs to me.

Here's the updater.py python script file placed in the root of myprivaterepo:

import os

# File paths
TEMPLATE_README = "README.md"
# open() cannot read a URL; use the files from the `readmes` clone made by the workflow
INFO_FILE = "readmes/info.md"
GENERAL_FILE = "readmes/general.md"
OUTPUT_README = "README.md"

# Read the README template
with open(TEMPLATE_README, "r") as file:
    readme_content = file.read()

# Read external content
with open(INFO_FILE, "r") as file:
    info_content = file.read()

with open(GENERAL_FILE, "r") as file:
    general_content = file.read()

# Replace placeholders
readme_content = readme_content.replace("{{info}}", info_content)
readme_content = readme_content.replace("{{general}}", general_content)

# Write the updated README
with open(OUTPUT_README, "w") as file:
    file.write(readme_content)

print("README updated successfully!")

Here's the workflow .yml file

name: Update README with Content

on:
  push:
    branches:
      - main

jobs:
  update-readme:
    runs-on: ubuntu-latest

    steps:
      # Step 1: Checkout the current repository
      - name: Checkout Current Repo
        uses: actions/checkout@v3

      # Step 2: Clone `readmes` repository
      - name: Clone Central Readme Repo
        run: git clone https://github.com/abcxyz/readmes.git

      # Step 3: Install Python
      - name: Install Python
        uses: actions/setup-python@v4
        with:
          python-version: 3.x

      # Step 4: Run Python script to generate README.md
      - name: Run Update Script
        run: python updater.py

      # Step 5: Commit & Push changes to current repository
      - name: Commit and Push Changes
        run: |
          git config --local user.name "GitHub Actions"
          git config --local user.email "[email protected]"
          git add README.md
          git commit -m "Auto update README"
          git push
        env:
          GITHUB_TOKEN: ${{ secrets.README_UPDATE_TOKEN }}

The README_UPDATE_TOKEN is a GitHub classic personal access token with repo & workflow enabled, saved in the private repository's Settings > Secrets & variables > Actions as a repository secret with the name README_UPDATE_TOKEN.

I've also tried with the following job:

- name: Commit and Push Changes
  run: |
    git config --global user.name "GitHub Actions"
    git config --global user.email "[email protected]"
    git remote set-url origin https://${{ secrets.README_UPDATE_TOKEN }}@github.com/abcxyz/myprivaterepo.git
    git add README.md
    git commit -m "Auto update README"
    git push

I'm getting the following error with both jobs:

Run git config --global user.name "GitHub Actions"
[main 7e4e35a] Update README with latest support and contact info
 1 file changed, 12 insertions(+), 2 deletions(-)
remote: Write access to repository not granted.
fatal: unable to access 'https://github.com/abcxyz/myprivaterepo.git/': The requested URL returned error: 403
Error: Process completed with exit code 128.

How can I fix this?


Solution

  • Turns out, I needed to set write permissions to the specific workflow with:

    name: Update README with Content
    
    on:
      push:
        branches:
          - main
    
    # Set Write Permission
    permissions:
      contents: write
    

    This enabled write access to the repository only for this specific workflow and the changes were made as intended. If you'd like to enable write access for all workflows (not recommended) you could do it from Repository Settings > Code & automation > Actions > General > Scroll down on the right side to Workflow Permissions > Enable Read and write permissions.

    Hope this helps.
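
Added example (not part of the question or the answer above): a Python check that scans a workflow file's text for the two patterns seen on this page, a `git push` step with no `contents: write` grant and a secret placed in the remote URL. The function names, finding ids and the line-based parsing (block-style `permissions:` mappings only) are assumptions of this example; the sample is constructed from the question's workflow.

```python
import re

# Constructed sample: the question's workflow, trimmed to the lines the check reads.
SAMPLE = """\
name: Update README with Content
on:
  push:
    branches: [main]
jobs:
  update-readme:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Commit and Push Changes
        run: |
          git remote set-url origin https://${{ secrets.README_UPDATE_TOKEN }}@github.com/abcxyz/myprivaterepo.git
          git add README.md
          git commit -m "Auto update README"
          git push
"""

# A secret interpolated as the userinfo part of an https remote URL.
# `git remote set-url` stores that URL, token included, in .git/config.
SECRET_IN_URL = re.compile(r"https://\$\{\{\s*secrets\.\w+\s*\}\}@")

def contents_levels(text):
    """Collect the `contents:` level of every `permissions:` mapping (workflow or job)."""
    levels, base = [], None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if re.match(r"\s*permissions:\s*$", line):
            base = indent                      # entering a permissions mapping
        elif base is not None and line.strip():
            if indent <= base:
                base = None                    # dedent: the mapping has ended
            elif (m := re.match(r"\s*contents:\s*(\w+)", line)):
                levels.append(m.group(1))
    return levels

def audit(text):
    """Return finding ids for one workflow file's text."""
    findings = []
    # A push with no explicit grant depends on the repository-wide default setting.
    if re.search(r"^\s*git push\b", text, re.M) and "write" not in contents_levels(text):
        findings.append("push-without-contents-write")
    if SECRET_IN_URL.search(text):
        findings.append("secret-in-remote-url")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```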
