
Refusing to allow a GitHub App to create or update workflow .github/workflows/main.yml without workflows permission #322

Open
atodorov opened this issue Feb 26, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@atodorov

git-auto-commit Version

v5

Machine Type

Ubuntu (eg. ubuntu-latest)

Bug description

I have configured permission: write-all and still get a failure because part of the commit is modifying GitHub actions files.

Steps to reproduce

https://github.com/kiwitcms/gitops/actions/runs/8056214742/job/22004837145?pr=5

Tried solutions

No response

Example Workflow

```yaml
---
# MegaLinter GitHub Action configuration file
# More info at https://megalinter.io
name: MegaLinter

on:
  pull_request:

permissions: read-all

env: # Comment env block if you do not want to apply fixes
  # Apply linter fixes configuration
  APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
  APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
  APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)

concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

jobs:
  build:
    name: MegaLinter
    runs-on: ubuntu-latest
    # checkov:skip=CKV2_GHA_1:We need this for auto-commit
    permissions: write-all
    steps:
      # Git Checkout
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances

      # MegaLinter
      - name: MegaLinter
        id: ml
        # You can override MegaLinter flavor used to have faster performances
        # More info at https://megalinter.io/latest/flavors/
        uses: oxsecurity/megalinter/flavors/python@v7.9.0
        env:
          # All available variables are described at https://megalinter.io/latest/configuration/
          # and configured in .mega-linter.yml
          VALIDATE_ALL_CODEBASE: true
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Upload MegaLinter artifacts
      - name: Archive production artifacts
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: MegaLinter reports
          path: |
            megalinter-reports
            mega-linter.log

      - name: git diff
        if: steps.ml.outputs.has_updated_sources == 1
        run: |
          git diff

      # Create pull request if applicable (for now works only on PR from same repository, not from forks)
      - name: Create Pull Request with applied fixes
        id: cpr
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          commit-message: "[MegaLinter] Apply linters automatic fixes"
          title: "[MegaLinter] Apply linters automatic fixes"
          labels: bot
      - name: Create PR output
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"

      # Push new commit if applicable (for now works only on PR from same repository, not from forks)
      - name: Prepare commit
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/dev' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        run: sudo chown -Rc $UID .git/
      - name: Commit and push applied linter fixes
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/dev' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
          commit_message: "[MegaLinter] Apply linters fixes"
```

extracted from https://github.com/kiwitcms/gitops/pull/5/files
### Relevant log output

```shell
Started: bash /home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/entrypoint.sh
INPUT_REPOSITORY value: .
INPUT_STATUS_OPTIONS: 
INPUT_FILE_PATTERN: .
INPUT_BRANCH value: mega-linter
Previous HEAD position was f700ab4 Merge ccdda2820d0941feb71b8dd42dc1eee4343fde8f into 52823bb1292ddbf305d26210c260139c1bd19331
Switched to a new branch 'mega-linter'
M	.github/workflows/main.yml
M	.github/workflows/pr.yml
M	action.yml
M	entrypoint.sh
branch 'mega-linter' set up to track 'origin/mega-linter'.
INPUT_ADD_OPTIONS: 
INPUT_FILE_PATTERN: .
INPUT_COMMIT_OPTIONS: 
INPUT_COMMIT_USER_NAME: github-actions[bot]
INPUT_COMMIT_USER_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
INPUT_COMMIT_MESSAGE: [MegaLinter] Apply linters fixes
INPUT_COMMIT_AUTHOR: atodorov <atodorov@users.noreply.github.com>
[mega-linter 633ac82] [MegaLinter] Apply linters fixes
 Author: atodorov <atodorov@users.noreply.github.com>
 20 files changed, 471 insertions(+), 13 deletions(-)
 create mode 100644 megalinter-reports/IDE-config.txt
 create mode 100644 megalinter-reports/IDE-config/.checkov.yml
 create mode 100644 megalinter-reports/IDE-config/.gitleaks.toml
 create mode 100644 megalinter-reports/IDE-config/.grype.yaml
 create mode 100644 megalinter-reports/IDE-config/.hadolint.yaml
 create mode 100644 megalinter-reports/IDE-config/.idea/externalDependencies.xml
 create mode 100644 megalinter-reports/IDE-config/.jscpd.json
 create mode 100644 megalinter-reports/IDE-config/.markdown-link-check.json
 create mode 100644 megalinter-reports/IDE-config/.markdownlint.json
 create mode 100644 megalinter-reports/IDE-config/.secretlintrc.json
 create mode 100644 megalinter-reports/IDE-config/.vscode/extensions.json
 create mode 100644 megalinter-reports/IDE-config/.yamllint.yml
 create mode 100644 megalinter-reports/updated_sources/.github/workflows/main.yml
 create mode 100644 megalinter-reports/updated_sources/.github/workflows/pr.yml
 create mode 100644 megalinter-reports/updated_sources/action.yml
 create mode 100755 megalinter-reports/updated_sources/entrypoint.sh
INPUT_TAGGING_MESSAGE: 
No tagging message supplied. No tag will be added.
INPUT_PUSH_OPTIONS: 
To https://github.com/kiwitcms/gitops
 ! [remote rejected] HEAD -> mega-linter (refusing to allow a GitHub App to create or update workflow `.github/workflows/main.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/kiwitcms/gitops'
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:514:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5) {
  code: 1
}
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:514:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5)
@atodorov atodorov added the bug Something isn't working label Feb 26, 2024
@stefanzweifel
Owner

Hi @atodorov,

As far as I know, the default token used by GitHub Actions can't have workflows: write permission.
Probably another security measure by GitHub, to prevent bad actions from stealing secrets from your repository.

(I can't find documentation about this, but I ran into a similar issue years ago.)

The easiest solution might be to create a personal access token (PAT) and add it to your workflow.
https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs

Will add a warning to the README to warn users, that the action can't modify workflow files.

@atodorov
Author

> (I can't find documentation about this, but I ran into a similar issue years ago.)

Sadly I wasn't able to find documentation either, and trying to set

```yaml
permissions:
  workflows: write
```

is invalid syntax.

@stefanzweifel
Owner

I also assume that the error message "refusing to allow a GitHub App to create or update workflow .github/workflows/main.yml without workflows permission" is just a UX error.

GitHub probably assumes that the push comes from a GitHub App, but GitHub Actions is not the same as a GitHub App. Maybe we can forward this to a feedback repo somewhere. 🤔

@atodorov
Author

> GitHub probably assumes that the push comes from a GitHub App, but GitHub Actions is not the same as a GitHub App.

FTR I think in this case GitHub is correct. My commit (after I excluded the conflicting files) looks like this:

atodorov authored and github-actions[bot] committed

Where https://github.com/apps/github-actions redirects to https://github.com/features/actions. Internally github-actions is just another app for which you are automatically authenticated!

@stefanzweifel
Owner

@atodorov This seems like a reasonable explanation. 👍

Back to your original issue, have you tried the approach with a personal access token? I'm fairly certain that this will resolve your issue. Can try to reproduce this on my end in the coming days/weeks.

@blakeNaccarato

See #266 (comment) for detail on creating and scoping a PAT for this.

Also #87 (comment) for the nuclear option. They discuss setting up your own GitHub App to reliably commit to protected branches, but this "create an entire app and jump through lots of auth hurdles" approach would also apply to permitting a bot to do workflow editing. Maybe only worth it at scale across repos in a GitHub Org where PATs are forbidden.
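A guard that makes the constraint discussed in this thread explicit before the push step runs, as an added example (not code from the issue or from git-auto-commit-action). It takes `git status --porcelain` lines (a constructed sample mirroring the files in the log above), reports whether any changed path is a workflow file, and decides whether the push can proceed with `GITHUB_TOKEN`, needs the PAT, or should stop; the `PAT_SECRET` parameter and the credential names it prints are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Constructed sample of `git status --porcelain` output (not captured from a real run).
SAMPLE_STATUS=$(printf '%s\n' \
  'M  .github/workflows/main.yml' \
  'M  .github/workflows/pr.yml' \
  'M  action.yml' \
  'M  entrypoint.sh')

# Porcelain lines are "XY<space>path"; the path starts at column 4.
changed_paths() {
  printf '%s\n' "$1" | cut -c4-
}

# Paths that GITHUB_TOKEN is refused for (workflow files).
workflow_paths() {
  changed_paths "$1" | grep -E '^\.github/workflows/' || true
}

# Paths that can still be pushed with GITHUB_TOKEN; usable as a file_pattern
# when a maintainer chooses to exclude the workflow changes instead.
non_workflow_paths() {
  changed_paths "$1" | grep -Ev '^\.github/workflows/' || true
}

# Exit 0 when at least one workflow file is among the changes.
touches_workflows() {
  [ -n "$(workflow_paths "$1")" ]
}

# choose_token STATUS PAT_SECRET
#   github_token : no workflow file changed, the default token is enough
#   pat          : workflow files changed and a PAT is configured
#   abort        : workflow files changed but no PAT; fail before pushing
choose_token() {
  if touches_workflows "$1"; then
    if [ -n "$2" ]; then echo pat; else echo abort; fi
  else
    echo github_token
  fi
}

# Stand-alone run: show the decision and the affected files for the sample.
echo "decision (no PAT): $(choose_token "$SAMPLE_STATUS" "")"
echo "workflow files:"
workflow_paths "$SAMPLE_STATUS"
```

In a workflow step the same logic would run over the real `git status --porcelain` output and `exit 1` on `abort`, so the failure surfaces as a clear step error rather than the remote-rejected push seen in the log.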

atodorov added a commit to gluwa/crunch that referenced this issue Apr 4, 2024
b/c we need a personal access token here in order for this to work, see
stefanzweifel/git-auto-commit-action#322