How to resolve "refusing to allow an OAuth App to create or update workflow" on git push

Question

Getting

refusing to allow an OAuth App to create or update workflow .github/workflows/cd.yml without workflow scope"

on git push. How to grant workflow scope?

How did you create the token you're using to push? How did you create the OAuth app? Did the OAuth app request the `workflow` scope when requesting scopes for the token? We need a lot more details about what's going on and how it was set up to be able to give you a useful answer. — bk2204, Sep 25 '20 at 21:15

score 286 · Answer 1 · edited Sep 12 '22 at 23:14

286

I've literally just come across this problem when trying to use IntelliJ to push to a branch that contains a GitHub Action workflow (YAML file in .github/workflows). I didn't find existing resources on the Internet very helpful, so I hope this will help you fix it too.

TL;DR: Update your Personal Access Token with the workflow scope enabled in GitHub, or create a new one, and configure your application to use that.

Background: third-party tools with GitHub integrations like IntelliJ, Visual Studio Code, Github Desktop, etc use tokens to connect to your GitHub account so they can pull/push, etc on your behalf. In the case of IntelliJ, their instructions only say to include the repo, the gist, and the read:org scopes. But you need the workflow scope to modify GitHub Actions.

Here's how to fix it:

In your Github account, go to Settings (in your avatar dropdown in the top right-hand corner)
Go to Developer Settings > Personal Access Tokens
If your token is listed, update it to include the workflow scope:
- Click on the token name.
- Select workflow scope and save.
- If the app you use won't re-fetch permissions for your token automatically, you may have to create a new one (step 4 below).
- Click on Update Token to save the change. DONE!
If there's no token listed there, generate a new one:
- Click on Generate Token.
- Select the scopes you need, including workflow.
- Read the information carefully, then click OK to continue.
- Copy the new token that Github shows you.
- Apply the new token to your application. For example, for the Intellij IDE, go to Settings > Version Control > GitHub, remove the existing integration and re-add it, pasting in the new token.

edited Sep 12 '22 at 23:14

Nils

5,612
4
34
37

answered Sep 26 '20 at 16:27

Emma Burrows

4,734
1
20
24

Can someone explain why this happens? – Xanlantos Mar 30 '21 at 07:08
47

You can also edit current Personal Access Token to change its scope by including `workflow` to it. This is exactly what I just did to overcome the issue. – gonadarian Apr 02 '21 at 10:09
1

@Xanlantos I think it's because the Workflow thing didn't exist when you originally created the token – endolith Aug 30 '21 at 18:33
@gonadarian answer worked for me and seems the most painless – Richard Vartan Melkonian Oct 05 '21 at 15:03
1

@gondadarian. Yes! Thank you. Updating existing user personal access token and adding `workflow` to it was the most seamless and easiest way to solve this problem. Thanks so much for sharing that ! – Clever Programmer Oct 09 '21 at 19:36
It worked for me too. I just added new personal access token, reauthorized from my IDE and received a notification email "A previously authorized third-party OAuth application has been granted additional scopes". Seems like GitHub has changed something with workflow scopes – pkirilin Jan 04 '22 at 20:23
I can't find the "workflow" box to tick :( – ScottyBlades Feb 13 '22 at 23:40
1

"You will need to recreate your application's integration with Github using the new token for the change to take effect." How does one do this? – ScottyBlades May 16 '22 at 19:38
worked for me, trying to work with Intellj, but on a sudden this propped up, just updating the token with workflow worked. Thanks – preetam singh Jun 23 '22 at 05:45
1

It seems unnecessary to regenerate the token. It can save some headaches. – A Mehmeto Jul 14 '22 at 20:33
1

People still struggling: make sure to update 'Tokens (classic)' not the 'fine-grained tokens (beta)'. Hope you read this! – Wim den Herder Feb 04 '23 at 16:42

Diego · Answer 2 · 2022-07-21T05:46:58.493

62

Running macOS. I am pushing my .yml workflow file from the Atom text editor and this worked for me.

Go to github personal access tokens settings and generate a new token. Make sure you select both repo and workflow access scope.

Go to Keychain Access app on Mac, and search for github. I found an entry (shown below) named github.com, of Internet password kind, which was previously filled with a seemingly random token. Replace the password entry with the generated token (the one begins with ghp_) from step 1.

edited Jul 21 '22 at 05:46

answered May 30 '21 at 19:30

Diego

867
7
13

@eden glad that it helped! – Diego Jun 07 '21 at 03:25
where should the password be entered? – toan Mar 07 '22 at 15:12
@toan double click an entry, a window pops up, then click "show password" in the window to edit it – Diego Mar 16 '22 at 13:41

score 53 · Answer 3 · answered Oct 14 '20 at 12:01

53

For Windows 10: Go to Settings -> Credentials Manager -> Windows Credentials -> Remove github.com credentials -> git pull/push your github project from git-bash console -> Reconnect GitHub Account in your IDE/Source control. You don't need create Personal Access Token with "workflow", you don';t need create secret GITHUB_TOKEN (it creates auto and can't created manual)

answered Oct 14 '20 at 12:01

CSRedRat

709
5
5

5

For me, it was deleting all github related credentials and logout and back in in the github desktop app. But closest answer by far! – Robin Jan 20 '21 at 20:01
4

Just resolved it! I deleted all references to github within my Windows Credentials. When I git pushed again, it forced a browser log in and then everything worked! – RockyK May 01 '21 at 19:01
This has happened to me twice now in the last two weeks. Not sure why. But this answer is what fixed it. – Mark Brown Jun 02 '21 at 20:04
I encountered this after adding a custom action for firebase hosting to my repository. For me on windows. I had installed git via git desktop; but was pushing both from the command line and from vscode. Going to the github desktop client and re-logging in was enough. – toddwseattle Jan 03 '22 at 14:59
worked for me! I reauthenticated with the browser and it is now working, I just hope didn't remove too many things for other applications which were working well. – Vincenzooo Sep 06 '22 at 12:15
This worked for me.. Deleted all github related credentials in windows credential manager and repushed in Sourcetree. It prompt me to relogin in the browser and it worked. – Alexander Feb 18 '23 at 09:31

score 29 · Answer 4 · answered Mar 22 '21 at 15:50

This issue also happens simply because your current token is not allowed to work with workflow on Github. Do the following steps to fix

For people using Android Studio on MacOS:

Delete your current token (Preferences -> Version Control -> GitHub):

remember to hit the "Ok" button.

Try to push/pull again from Android Studio, an popup now will appear.
Hit Use Token... button, another popup will appear.
Click on Generate, you will be sent to GitHub website to generate a new token. Remember to select the workflow permission.
Click generate Button to get a new token and paste it to Android Studio in step 3. It's all set now.

Thanks for the effort to create the graphics! Very easy to follow. Problem solved. — Anthony Holland, Mar 26 '21 at 00:06

RonC · Answer 5 · 2021-11-15T12:59:14.157

On Windows 10 Here is step by step how I was able to fix the issue

I've included lots of screenshots `cause this was way harder to resolve then it should have been.

In hind sight, what @CSRedRat said is right but as I was having the problem I couldn't understand that because the answer was so terse.

Ultimately what led me to the solution was this article which makes the situation more clear.

Here's the deal. While you can work around this issue using the GitHub Developer Settings Menu to generate a new token and then pasting that into the Windows Credential Manager, you shouldn't because eventually that token will expire and then you will be having this issue again since nothing will know how to refresh the token since you set it manually.

Instead, this token privs issue needs fixed via Git for Windows. So the deal is the "old" Git Credential Manager for Windows didn't ask for privs to create or update workflows but now you need them. The good news is there is a new version our called Git Credential Manager Core and it does ask for these privs and more.

The new credential manager ships with Git 2.28 and later, but isn't enabled by default. If you already have Git for Window of this version or later installed then you already have the software even. In my case I had version 2.30.2 so I already had the new software.

But it was still using my old Git for Windows credentials which don't carry the privs needed. That may be your case as well or if you don't have a version older 2.28 then you need to first install a newer version. Either way, once you have a new enough version of Git for Windows on your machine the next step is to remove the old credentials by typing "windows credential manager" in the windows search box.

Then find each git credential, click on it and click the remove button.

Now next time you try to access your get account from git bash Visual Studio or whatever git client you use, you will be prompted for new credentials because the old ones are gone. Click the Sign in with your browser button in the dialog below:

Then you will see a web page like this one below, and if you expand the workflow drop down you will see it is asking for the privs you need this time. Then click Authorize button.

Once you do that, you will see a page like this for providing your github password:

Now you have a new credential in your windows credential manager that has the privs you need and your operation that use to fail will now succeed. Yea!

Not work for Sourcetree 3.3.4 Windows 11 22H2. – huang Apr 15 '23 at 21:23 — huang, Apr 15 '23 at 21:23

score 16 · Answer 6 · answered Mar 13 '21 at 09:07

16

In my case, I had stale GitHub credentials in macOS Keychain. I was modifying a workflows file and pushing the changes from the command line, hence I didn't think of checking the Keychain at all. The Updating credentials from the macOS Keychain explained how to use git credential-osxkeychain to erase the Keychain:

$ git credential-osxkeychain erase
host=github.com
protocol=https
> [Press Return]

I then had to enter my username and password again. This time I generated a new personal access token and used that token for the password. Then I could finally push the workflows changes.

answered Mar 13 '21 at 09:07

eirikvaa

1,070
1
13
24

Thank you! deleting the credentails from keychain and adding the token again in Android Studio worked for me! – raquezha Apr 03 '21 at 15:57
Fantastic, thanks ! – jonathasborges1 Jan 03 '22 at 22:51

score 9 · Answer 7 · answered Jun 04 '22 at 19:40

9

Find your token, should be here https://github.com/settings/tokens
Grant workflow as showing below

answered Jun 04 '22 at 19:40

http8086

1,306
16
37

score 8 · Answer 8 · answered Oct 20 '22 at 15:51

8

This error occurs when your local environment is configured using the github cli. It's not immediately clear what's needed to update the permissions. In the case of the CLI, though, you can run the below command to enable it and then proceed forward.

gh auth login --scopes workflow

answered Oct 20 '22 at 15:51

Jean D.

81
1
4

1

I received this error when I was trying to push a local repo (containing workflows) to a new, bare GitHub repo. This solution fixed it for me. – skst Feb 22 '23 at 20:05

score 6 · Answer 9 · answered Jun 02 '21 at 13:18

6

Fixed this by using the Desktop Github App for pushing my changes (it seems to have full permissions vs. the limited scope of vs code).

After getting that one commit with the modified workflow file pushed through, I was able to make push commits normally again in vs code.

answered Jun 02 '21 at 13:18

Aerodynamic

782
5
19

1

This worked for me. Is there a way to modify the permissions for vs code? – cy23 Jul 10 '21 at 05:35
Haven't looked into it, but would be a good idea to check out. – Aerodynamic Jul 11 '21 at 15:10

score 4 · Answer 10 · answered May 14 '22 at 16:04

4

You also can change from using https to using SSH.

Create your SSH key, you can follow the docs.
Change your remote from https to SSH, also you can follow the docs.

answered May 14 '22 at 16:04

Esemega

41
1

Dirkiboy · Answer 11 · 2022-09-08T08:05:12.163

4

I run into the same issue after pushing my initial commit for an nbdev project. This did the the trick for me:

deleting all .yaml files under .github/workflows
git add ., git commit -m "CommitMessage" and git push
adding the .yaml files directly on GitHub (under Actions tab and then New workflow
git pull

Then you can keep on working on your local repo and should be able to push your changes to Github without any error messages.

edited Sep 08 '22 at 08:05

answered Sep 08 '22 at 08:04

Dirkiboy

67
8

Concise, and straight to the point. Thanks!! – rennf93 Oct 24 '22 at 17:22

score 3 · Answer 12 · answered Feb 16 '21 at 13:01

3

This happened to me on GitKraken. I simply disconnected and reconnected GitHub from GitKraken and it worked.

answered Feb 16 '21 at 13:01

Phil

615
6
12

score 2 · Answer 13 · answered Jan 18 '21 at 18:02

I had this issue with CLion 2020.2.3 while attempting to push a change to .\github\workflows\build.yml. CLion appears to use the "JetBrains IDE Integration" token (GitHub Settings -> Applications -> Authorized OAuth Apps) which does not include the "workflow" scope. There does not appear to be a way to change the scope of this token.

I created a new Personal Access Token with the correct permissions (GitHub Settings -> Developer settings -> Personal access tokens -> Generate new token), but I was unable to configure CLion to use it.

Ultimately I was able to push the commit using GitHub Desktop instead.

I had the same issue with RubyMine. Despite creating a new token with the workflow scope it behaved as if it wasn't granted the scope. I eventually got it to work by rebooting, though I now suspect simply restarting RubyMine would have worked as well. — Larry Gebhardt, Jan 27 '21 at 14:28

fugu · Answer 14 · 2022-01-06T08:09:54.170

1

I followed this article to install Git Credential Manager Core to handle this automatically - and it works well for me (macOS):

Using homebrew:

brew tap microsoft/git
brew install --cask git-credential-manager-core

edited Jan 06 '22 at 08:09

answered Jan 04 '22 at 12:15

fugu

6,417
5
40
75

This worked for me without a hitch. – basheps Jan 06 '22 at 07:43

Bill Menees · Answer 15 · 2020-11-16T13:13:41.507

I had to upgrade my Git For Windows to version 2.29.2.2. That allowed the git command line to sign in through the browser, which GitHub now requires.

I did this after trying a Windows Credential Manager reset and regenerating my Personal Access Token, which didn't resolve it. But it did cause GitHub to send me an email like this:

[GitHub] Action required - Password authentication in Git for Windows is no longer supported

We have detected that you recently attempted to authenticate to GitHub using an older version of Git for Windows. GitHub has changed how users authenticate when using Git for Windows, and now requires the use of a web browser to authenticate to GitHub. To be able to login via web browser, users need to update to the latest version of Git for Windows.

score 0 · Answer 16 · answered Apr 06 '21 at 21:51

0

This happened to me on PHPStorm. I was trying to use the IDE to commit and push my alterations, so when i got the error, i tried to push with command line on IDE console and i got it.

answered Apr 06 '21 at 21:51

Igor Macedo

1

score 0 · Answer 17 · answered Feb 20 '22 at 00:09

For IntelliJ IDE users, follow these simple steps:

Go to Files > Settings > Version Control > Github and remove the Github account by clicking on the account and then on the '-' button.
Then Sign in to Github.com in your default browser & then click on the '+' button on the same IDE window we opened in step 1. Then select 'Login with token'.
Click on the Generate Button.
This will open a GitHub page in your browser with all the permission prefilled. All you have to do is click on 'Generate Token' at the bottom of the page. Then use that token to fill it in the IDE pop-up window.
Close the settings window & push your code again. This always works for me.

score 0 · Answer 18 · answered Apr 17 '23 at 01:37

If you push to a repo and see:

(refusing to allow a Personal Access Token to create or update workflow .github/workflows/docker_build_push.yml without workflow scope)

It means the GitHub Personal Access Token (PAT) you're using doesn't have 'Workflows' permissions.

To fix

Go here: https://github.com/settings/tokens
Create a new Personal Access Token (PAT) and be sure to check the 'workflows' box
Copy the resulting PAT to clipboard
Delete or remoke any existing PAT(s) (this is done at the same GitHub link)
Since the existing PAT was revoked/deleted, next time you push/pull from a private repo you'll be prompted for a github username (your actual github username or email will work) and a password (paste the PAT into the password field).

That's it! It should push and the error should be gone now.

How to resolve "refusing to allow an OAuth App to create or update workflow" on git push

18 Answers18

On Windows 10 Here is step by step how I was able to fix the issue

To fix

Linked

Related