Error: refusing to allow a GitHub App to create or update workflow

[lktslionel]

Hello,
I have a weird behaviour on GitHub workflow. I have a workflow that:

1. checkout the code at a specific tag
2. Make some modifications
3. Create a branch locally
4. Tag the branch
5. Push all changes with tag to GitHub

And i got the following error:

To https://github.com/ORG/REPO
 ! [remote rejected] release/v3.7.0 -> release/v3.7.0 (refusing to allow a GitHub App to create or update workflow `.github/workflows/deliver.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/ORG/REPO'

I don't understand why the workflow think I'm (self) updating the current workflow?
It worked fine before but now it start failing on all my workflows.

Below is the workflow

# deliver.yml
name: Delivery Workflow
on:
  workflow_dispatch:
    inputs:
      component-version:
        description: 'Component version you want to deliver. Eg: X.Y.z-rc.N'
        required: true
        type: string

jobs:
  deliver:
    name: Deliver
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: 'v${{ env.COMPONENT_VERSION }}'

      - name: Config Git and NPM
        run: |
          git config user.name github-actions
          git config user.email [email protected]
          npm config set user github-actions
          npm config set email [email protected]

      - name: Bump version
        run: |
          npm version v2.0.0 # v2.0.0 is an example

      - name: Commit changes
        run: |
          git push origin v2.0.0 # v2.0.0 is an example

I don't use a PAT and I want to not have to.

Any idea?
Thanks

[kammce]

I'm having this issue as well

[pie972]

You need to grant the workflows permission to your GitHub App.

1. Go to the settings page of your GitHub App.
2. Under "Permissions & events", click on "Configure permissions".
3. In the "Repository permissions" section, check the "Read & write" permission for the "Workflows" option.
4. Click on "Save changes".

[tempestrock]

For those who come across this issue here:
I had the same problem. The usual answer I read everywhere was to add token: ${{ secrets.GITHUB_TOKEN }} in the with section of the checkout action. However that didn't work for me.
The solution for me was the following: My workflow got triggered by a repository_dispatch event that came from a different repository. And in that case the GITHUB_TOKEN in the with section of the checkout action was not enough. I had to create a personal access token (PAT), give it the permission workflow, and put that into the with section.

[lucasresck]

It may not be obvious that, after creating a personal access token (PAT) at the settings and giving it workflow permissions, it is necessary to copy this key and add it as a secret at the repository's secrets (Repo > Settings > Secrets and variables > Actions). Only after that it is possible to use this new repository's secret, which is a PAT, within the with section. For instance, if your secret is named WORKFLOW_TOKEN, one may use it with

with:
    token: ${{ secrets.WORKFLOW_TOKEN }}

[liquidhiter]

What do you mean by copy this key? I have followed your suggestions to create a PAT with workflow permissions. However, I didn't figure out how to add the PAT as a secret in the repo settings. I have searched on Google and read the GitHub documentation, but still didn't find anything. Can you please shed some light on this?

[bewuethr]

Secrets are under Setttings > Secrets and Variables > Actions, URL https://github.com/OWNER/REPO/settings/secrets/actions

[liquidhiter]

Thanks! I think I didn't clearly describe the issue I am dealing with now. According to lucasresck's suggestion, I know I can add the PAT as a secret at the repository's secrets (Repo > Settings > Secrets and variables > Actions).

But I don't know what needs to be added in the Repository secrets:

• I think I need to add a new repository secret by clicking New repository secret

• I know the name of this new secret is WORKFLOW_TOKEN (it is the name of the new PAT with workflow permission). But I am asked to also enter the value, which value should I use? I carefully checked the newly created PAT, but couldn't find any value.

• actions secrets option
  

• new PAT
  

Am I doing something wrong?

[lucasresck]

Hi, @liquidhiter!

When you create a PAT in GitHub settings, it allows you to copy the token:

This information will not reappear after leaving the page. This is the information you will insert under "Secret" in your GitHub repo settings.

If you didn't copy or save the token, you will have to either regenerate the token or create another token. In your last screenshot, just press "Regenerate token" and copy this value. Then insert this into your repo secrets.

For clarification, I don't think PAT and secret need to have the same name WORKFLOW_TOKEN. They both having the same name is just for organization. What needs to have the same name are the repo secret and the token in the .yml of your action. The "link" between your secret and the PAT is the token itself.

Basically, when you do all this stuff, your action will ask for a secrets.WORKFLOW_TOKEN, which is saved in your repo secrets under the name WORKFLOW, and the token associated to this secret can be used for authentication because it is a personal access token (PAT) with workflow permissions (the PAT's name doesn't matter).

There are some months I don't work with these matters. Sorry for any inaccuracy. Let me know!

[ghost8658private]

Hey @lktslionel have you found a solution to this?? I've been stuck here for a week now, I tried different things and none seems to work

[lktslionel]

No. The PAT v1 works but not the PAT v2.
So weird

[maboloshi]

Sorry for the misinterpretation, but the following is only for permissions that use tokens generated automatically by GitHub Action.

In the workflow file, add:

# Set permissions on GITHUB_TOKEN to allow updates to GitHub Actions workflows
permissions:
  actions: write

In fact, you can also modify the following default parameters：

permissions:
  actions: read
  checks: read
  contents: read
  deployments: read
  discussions: read
  issues: read
  metadata: read
  pages: read
  packages: read
  pull-requests: read
  repository-projects: read
  security-events: read
  statuses: read

see：

• https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
• https://docs.github.com/zh/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories

[maboloshi]

The installation access token permissions for GitHub App, in addition to referencing here, you'll need to go to the Apps page in the repository settings to confirm authorization updates.

[bewuethr]

This is pretty high up when searching for the error message, and some of the answers are outdated. As of today (November 2023), I think this is correct:

• GITHUB_TOKEN can't be given permissions to modify workflow files. actions: write is not sufficient. To modify a workflow file from an actions workflow, you must use a personal access token.
• Fine-grained PATs now work with GraphQL, so they can be used. To make changes to a workflow file and commit it, these repo scopes are required: contents:write, workflows:write. metadata:read is set automatically.
• To authenticate the git command line client, use the token option on checkout

Something like this:

jobs:
  changewf:
    name: Change a workflow file
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      pull-requests: write

    steps:
      - name: Check out repository
        uses: actions/[email protected]
        with:
          # Fine-grained PAT with contents:write and workflows:write
          # scopes
          token: ${{ secrets.WORKFLOW_TOKEN }}

      - name: Make change to workflow file
          GITHUB_TOKEN: ${{ github.token }}
        run: |
          # Create new branch
          git switch -c "feature"

          # Edit workflow file
          echo "# I am a change!" >> .github/workflows/workflow.yml

          git config --global user.name "github-actions"
          git config --global user.email \
              "41898282+github-actions[bot]@users.noreply.github.com"

          git add .github/workflows/workflow.yml
          git commit --message "Update workflow"

          # This authenticates with WORKFLOW_TOKEN, because it was
          # used with the checkout action
          git push --set-upstream origin "feature"
          
          # This authenticates with GITHUB_TOKEN, using the scopes
          # set in jobs.changewf.permissions
          gh pr create --title "Update workflow" --body ''

[iamutkarshtiwari]

@bewuethr Thank you so much for elaborating on the solution. You are a savior! 🙏

[hareacc]

@bewuethr

I did same like as per your sample workflow but getting error remote: Write access to repository not granted. during checkout step

When I create Fine grade PAT, it does not allow me to select my organization's repository so I selected all but after creating token, it show "This token has access to all repositories owned by you.", here it say owned by you but workflow I tried is in my organization repo, does that create issue?

[bewuethr]

Right above that, it should show you the organization, like this:

Not sure what might prevent that from happening, maybe SSO settings or similar?

[hareacc]

There are no SSO. Also after Access on, it showing me my GH Id.

Thanks for your quick response. @bewuethr

[dewodt]

For me, it turns out that my CI (in my case prettier) was trying to modify other .github/workflows files, so if that the case for you, try ignoring .github folder in .prettierignore.

[rdg-develoci]

Thanks man!! That was my issue as well.

[kevanantha]

If you are using Github CLI, you need to re-auth with the correct scope -> gh auth login -s workflow and you are good to go.

Your token scopes should be like this 'gist', 'read:org', 'repo', 'workflow' when you run command gh auth status

[monzim]

worked for me thanks

[louwers]

I am not even modifying a workflow file, yet I still get this.

[marco-merola-ef]

This is happening for me as well. Did you understand why?

It works if I do:
git branch release/v1.0
git checkout release/v1.0
git push origin release/v1.0

It throws the error if I do:
git branch release/v1.0 a40f08f31c783b96b5678a802901cba961366f28
git checkout release/v1.0
git push origin release/v1.0

I don't understand why adding the commit SHA makes github thinking that I am modifying the workflow?!

[louwers]

Yeah this error seems to be dependent on the branch name...

I also included a git SHA in the branch name!!

[jduan-highnote]

Same. In my case, I'm updating a tag instead. I simply do this:

            git tag dev-deploy origin/main
            git push --tags --force

I want to update the dev-deploy tag to point to the latest origin/main. That somehow makes github actions think I'm updating some workflow file. What's even weirder is that every time it fails, it shows some "random" workflow file.

[JeanBarriere]

I had the same issue and I really do not want to create a PAT for this since I know the default GITHUB_TOKEN can create PRs (so obviously it should be able to create branches, right?!).
I found a solution and it's actually a very smart behaviour from GitHub: the error happens because the branch contains changes in
.github/workflows compared to the default branch (e.g. main).

To solve this, you can checkout the default branches files into your new branch, commit those changes and 🎉 , you're synced and allowed to push!

It looks like this:

git checkout $COMMIT_SHA
git switch --create $BRANCH_NAME
git checkout origin/main -- ${ROOT_DIR}/.github/workflows
git add ${ROOT_DIR}/.github/workflows
git commit -m "chore: checkout .github/workflows files from main branch"
git push origin $BRANCH_NAME

Hope this will help!

[JJPowell]

This was the solution that worked for me without having to create a PAT.

[boholder]

The commands are pasting workflow content on origin/main branch to origin/$BRANCH_NAME. Not sure if it works for "merging PR branches into main" situation.

[ryanpeach]

Yeah but I hit this error because I DO want my github actions event to edit the workflows file.

[paololazzari]

I am working with a github app and I just ran into this issue as well (the commit itself did not modify any workflow file).
This was my code:

- name: Generate a token
  id: generate-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.PRIVATE_KEY }}

- name: 'Checkout'
  uses: actions/checkout@v3
  with:
    token: ${{ steps.generate-token.outputs.token }}

- name: 'foo'
  run: |-
    ... # make changes

- name: 'Open pull request'
  env:
    GH_TOKEN: ${{ steps.generate-token.outputs.token }}
  run: |-
    # Setup git email and username
    git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
    git config user.name "github-actions[bot]"
    git config --global "url.https://${GH_TOKEN}@github.com/.insteadOf" https://github.com/

    git add ...
    git commit -m ...
    git push origin ...

    gh pr create ...

The issue turned out to be due to the following line of code:

git config --global "url.https://${GH_TOKEN}@github.com/.insteadOf" https://github.com/

by removing it everything worked fine.

[bewuethr]

Yeah, checkout persists the auth token in the local Git config. It took me a long time to figure that out when I needed a Git CLI client with different permissions, but all it takes is setting a different token on checkout.

[mietzen]

This worked for me:

• Create a Github app with permissions for:
  • workflow: read and write
  • content: read and write
• Install it into your account and give it permission to your repo
• Add private key and app id as secrets

For more info read docs of: https://github.com/actions/create-github-app-token

I wanted to sync a fork including tags:

name: Sync Fork

on:
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch: # on button click
  
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: generate-token
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true
          token: ${{ steps.generate-token.outputs.token }}
      - name: Merge upstream
        run: |          
          git remote add upstream https://github.com/${FORK-PARENT}
          git fetch upstream
          git fetch --tags upstream
          
          git merge --no-edit upstream/master
          git push
          git push --tags