Bypass branch protection with action and Github app - github

I have an action that automatically indexes all files in the repository and creates a CSV. Currently this action always creates its own pull request. This creates the annoying need to approve two pull requests per change (the first one with the change itself and the second one with the change in the index.csv file created by the action minutes later).
What I tried now is creating a GitHub App, which is added to the "Allow specified actors to bypass required pull requests" list in the branch protection, and using tibdex/github-app-token@v1 to create a token in the context of the GitHub App.
Unfortunately, it still does not work. I get the following error:
Run echo "Hello World" >> HelloWorld.txt
[main f8445ab] Add unnecessary file for testing
1 file changed, 1 insertion(+)
create mode 100644 HelloWorld.txt
remote: error: GH006: Protected branch update failed for refs/heads/main.
remote: error: Required status check "*****" is expected. At least 1 approving review is required by reviewers with write access.
To https://github.com/***/***.git
! [remote rejected] main -> main (protected branch hook declined)
error: failed to push some refs to 'https://github.com/***/***.git'
Error: Process completed with exit code 1.
The code I'm trying to run in the action is the following:
echo "Hello World" >> HelloWorld.txt
git config --global user.email "****"
git config --global user.name "****"
git add .
git commit -m "Add unnecessary file for testing"
# push with the installation token generated for the GitHub App in the previous step
git push "https://action-name:${{ steps.generate_token.outputs.token }}@github.com/***/***.git"
I know that it is bad practice and breaks the permission concept to be able to do this, but in this case, it is fine for many reasons which go beyond the discussion at this point.
I'm happy for any suggestions on how to achieve this.
Thanks so much in advance

Related

Github Branch Protection rules vs. workflow permissions

I would like to implement the rule that every (human) user has to open a PR to change something on the protected branch while the workflow to release the new version is able to increase the version number on that same protected branch.
The branch protection is in place, and the "include administrators" checkbox is checked, so no one can accidentally push to that branch.
Now, when I want to push something from a workflow, I get the same error message that I get as a user:
name: Build pipeline
"on":
  push:
    branches:
      - 'master'
defaults:
  run:
    shell: bash
jobs:
  release:
    runs-on:
      - self-hosted
      - default-runner
    needs: []
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
          clean: true
      - name: demo push
        if: github.ref == 'refs/heads/dev'
        run: |
          git config --global user.email "runner@xxx.com"
          git config --global user.name "Github Actions Runner"
          # normally we would generate the release notes here etc, increase the version,... though lets keep the example simple
          date >> test.txt
          git add test.txt
          git commit -m "test2" test.txt
          git push
While setting up the job, the permissions of the job are printed out:
GITHUB_TOKEN Permissions
Actions: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
and then the step fails with the following output:
user.email=runner@xxx.com
user.name=Github Actions Runner
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=https://github.xxx.com/xx/xxx
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
gc.auto=0
http.https://github.xxx.com/.extraheader=AUTHORIZATION: basic ***
branch.dev.remote=origin
branch.dev.merge=refs/heads/dev
[dev 7ddff59] test2
1 file changed, 1 insertion(+)
create mode 100644 test.txt
remote: error: GH006: Protected branch update failed for refs/heads/dev.
remote: error: You're not authorized to push to this branch. Visit https://docs.github.com/enterprise/3.2/articles/about-protected-branches/ for more information.
To https://github.xxx.com/xx/xxx
! [remote rejected] dev -> dev (protected branch hook declined)
error: failed to push some refs to 'https://github.xxx.com/xx/xxx'
Error: Process completed with exit code 1.
So the question is: how can I force human users to open a PR and have it reviewed and checked before it can be merged, while workflows can directly manipulate the (protected) branch?
After some research I found out that there is currently (June 2022) no straightforward solution (source).
There are two workarounds. One is to remove the branch protection in the workflow and restore it afterwards. The risk is that the workflow breaks in between (e.g. when the workflow runner crashes) and the branch stays unprotected. Another risk is that a user accidentally or deliberately pushes to the now unprotected branch (e.g. trigger a release build, wait until the branch protection is removed, and push to that branch).
The alternative solution is to remove the admin rights from the human users so that they need a PR to change the protected branch. During a release build a PAT of a technical user with admin rights is used (not ${{ secrets.GITHUB_TOKEN }}). In the branch protection the "enforce admins" option is disabled.
There is, though, a feature request covering this topic.
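An added example, not code from the question or the answer above, that narrows the first workaround to the single setting it needs: it switches off only "Include administrators" for the duration of the push, so the pull-request rule for non-admin users stays active the whole time, and a trap re-enables the setting whether the push succeeds or fails. It assumes the gh CLI is authenticated with the admin PAT the answer mentions; REPO and BRANCH are placeholder values, and a hard crash of the runner itself is still the residual risk the answer describes.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes the `gh` CLI is
# authenticated with an admin PAT; REPO and BRANCH below are placeholders.
set -euo pipefail

REPO="${REPO:-org/project}"   # placeholder owner/repo
BRANCH="${BRANCH:-main}"      # placeholder protected branch

# True when "Include administrators" is enabled on the protected branch.
admins_enforced() {
  [ "$(gh api "repos/$REPO/branches/$BRANCH/protection/enforce_admins" --jq .enabled)" = "true" ]
}

# Re-enable "Include administrators" and verify the API really did it.
restore_enforce_admins() {
  gh api -X POST "repos/$REPO/branches/$BRANCH/protection/enforce_admins" >/dev/null
  if admins_enforced; then
    echo "enforce_admins restored on $BRANCH" >&2
  else
    echo "FAILED to restore enforce_admins on $BRANCH, fix it manually" >&2
    return 1
  fi
}

# Run the push command given as arguments with "Include administrators"
# temporarily disabled. The subshell's EXIT trap restores the setting on
# success, on a failed push, and when set -e aborts the subshell; it cannot
# run if the runner itself dies, which remains the residual risk.
push_with_admin_bypass() {
  if ! admins_enforced; then
    echo "enforce_admins is already off on $BRANCH, refusing to continue" >&2
    return 2
  fi
  (
    trap 'restore_enforce_admins || exit 1' EXIT
    gh api -X DELETE "repos/$REPO/branches/$BRANCH/protection/enforce_admins" >/dev/null
    "$@"
  )
}

# Usage from the release step (the push command is passed as arguments):
# push_with_admin_bypass git push origin "HEAD:$BRANCH"
```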

Using env variable github.ref_name doesn't give me branch name

When I use github.ref_name in my workflow, it doesn't give me the branch name from which I triggered this workflow. I get 16/merge. Why? When I use github.ref_type I clearly see that my ref type is branch, so why don't I get the branch name?
It also shows this when I use $GITHUB_REF or git symbolic-ref HEAD (and strip refs/heads/ off). Ah, and I tried github.event.push.ref, but it's not showing me anything.
How do I always get the branch name from which I triggered the workflow?
For following code:
Run echo running on branch ${GITHUB_REF##*/} ${GITHUB_REF}
When your workflow runs because of a push event you will get:
running on branch main refs/heads/main
But for a pull request event it would be:
running on branch merge refs/pull/3/merge
Why's that?
If the repository is on GitHub and you have any Pull Requests that have been opened, you’ll get these references that are prefixed with refs/pull/. These are basically branches, but since they’re not under refs/heads/ you don’t get them normally when you clone or fetch from the server — the process of fetching ignores them normally.
You can also check this question here.
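An added example, not code from the question or the answer, that resolves the triggering branch for both cases the answer describes, using only GitHub Actions' documented GITHUB_EVENT_NAME, GITHUB_REF and GITHUB_HEAD_REF variables; it also keeps the naive `${GITHUB_REF##*/}` pattern from the question beside it to show where that pattern loses information (PR merge refs and branch names containing a slash).

```shell
#!/usr/bin/env bash
# Added example, not code from the question or answer. Assumes only GitHub
# Actions' documented GITHUB_EVENT_NAME, GITHUB_REF and GITHUB_HEAD_REF.
set -euo pipefail

# The pattern from the question: strip everything up to the last slash.
# It yields "merge" for refs/pull/3/merge and "login" for refs/heads/feature/login.
naive_branch_name() {
  printf '%s\n' "${1##*/}"
}

# Resolve the branch a run was triggered from, for push and pull_request events.
# Arguments: event name, GITHUB_REF, GITHUB_HEAD_REF (may be empty).
branch_name() {
  local event=$1 ref=$2 head_ref=${3:-}
  case "$event" in
    pull_request|pull_request_target)
      # GITHUB_REF is refs/pull/<n>/merge here; the source branch is GITHUB_HEAD_REF.
      if [ -z "$head_ref" ]; then
        echo "GITHUB_HEAD_REF is not set for a $event event" >&2
        return 1
      fi
      printf '%s\n' "$head_ref"
      ;;
    *)
      case "$ref" in
        refs/heads/*) printf '%s\n' "${ref#refs/heads/}" ;;  # keeps feature/login intact
        refs/tags/*)  echo "$ref is a tag, not a branch" >&2; return 1 ;;
        refs/pull/*)  echo "$ref is a PR merge ref; use GITHUB_HEAD_REF" >&2; return 1 ;;
        *)            echo "unrecognised ref: $ref" >&2; return 1 ;;
      esac
      ;;
  esac
}

# In a workflow step, with the values the runner provides:
# branch_name "$GITHUB_EVENT_NAME" "$GITHUB_REF" "${GITHUB_HEAD_REF:-}"
```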

Cannot push on GitHub suddenly

Well, it is very weird. I'm using GitHub protection rules to enforce pull requests and to trigger TravisCI for every push. However, because of continuous translation, I need a user who should be able to push without making a pull request and without the TravisCI status check (for that I use [ci skip]). This user is included in the whitelist that GitHub provides in branch protection rules. It worked perfectly until last week; suddenly, when I try to push with this user, I receive this:
remote: Resolving deltas: 100% (5/5), completed with 5 local objects.
remote: error: GH006: Protected branch update failed for refs/heads/master.
remote: error: Required status check "Travis CI - Pull Request" is expected. At least 1 approving review is required by reviewers with write access.
To https://github.com/*****
! [remote rejected] master -> master (protected branch hook declined)
error: failed to push some refs to 'https://*****'
It is very weird since it always worked until now. And the user has permission to push without making a pull request, and it is skipping Travis through the commit message, so I do not understand why GitHub is asking me about status checks and approvals.
The latest issue I had:
remote: error: GH006: Protected branch update failed for refs/heads/master.
remote: error: Cannot force-push to this protected branch
To https://github.com/org/project.git
! [remote rejected] master -> master (protected branch hook declined)
error: failed to push some refs to 'https://github.com/org/project.git'
Because I'm admin/owner I was able to go and do the following, and that helped me to resolve the push problem.
Steps:
--> Settings
-->Branches
--> Tick Allow force pushes
Permit force pushes for all users with push access.
That will do the work.
I finally solved it by giving admin access to the user instead of just write access. Now it is able to push, avoiding approvals and status checks. But I don't understand why it does not work just by being in the whitelist of the branch protection rules... It worked before; looks like GitHub made some changes...
Master [now Main] is a protected branch. You need to make a new branch and push that instead.
Seen in branch protection rules:
In my case a security rule was somehow created for the repo. This rule allowed only admins to push. I deleted that rule and things started working as expected.
Repo > Settings > Branches > Branch protection rules [Delete]
In my case a Branch Protection Rule was misfiring. Deleting the rule, then recreating it in GitHub fixed the issue.
In my case, I made a pull (rebase) first, and then I pushed.
In my case git push origin HEAD fixed the problem.

Pushing to GitHub - failed pushing to... (Repo) Premature EOF

Trying to push a previously created project to a private repository; it is the first commit to the remote master branch, and the repository is empty, just with a README file.
The push takes a long time and throws this error:
Failed pushing to... (Repo) Premature EOF
What is the reason?
Thanks
Edit the local .git/config to add compression = 0 in the [core] section.

Circumvent pull request for script

We use Jalopy to reformat the code. On Jenkins/SVN, we checked out, formatted and committed again. Now on Bamboo/Stash, we want to do the same.
We set up this restriction for the master branch:
Prevent changes without a pull request (Everyone)
(AFAIK, it is not possible to exclude certain users from this rule, is it?)
Now, as expected, when we try to push the formatted sources, we get this error:
remote: Branch refs/heads/master can only be modified through pull requests.
remote: Check your branch permissions configuration with the project administrator.
remote: ----------------------------------------------------
remote:
To ssh://git@mystash.com/proj/proj1.git
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://git@mystash.com/proj/proj1.git'
Any suggestions on how we can keep the enforcement of pull requests while still being able to push directly to master from a Bamboo script? Or any better approach?
That is currently correct ... kind of. The Stash UI doesn't provide a way to set this (or see if you have) at the moment. However, the REST API will actually let you set branch permissions and specify users who are exempt. For details, see this comment on the feature suggestion to add full support.