4

I have an app that I want to bump versions on during the CI build. I'm trying to push the version bump back using the app's credentials but it's getting these errors:

+ git push origin HEAD:master
remote: error: GH006: Protected branch update failed for refs/heads/master.        
remote: error: At least 1 approving review is required by reviewers with write access.

Now when I do it with my own credentials it works because I am an admin in the repo but how can I grant access to an App to push to master despite the usual branch protections?

justin.m.chase
  • My work around was to use user credentials but I'd much rather do it as the App, it seems like github doesn't have fine enough controls around apps and commit permissions. – justin.m.chase Dec 18 '20 at 04:02

2 Answers

4

You can (now, May 2022, 18 months later).

Consistently allow GitHub Apps as exceptions to branch protection rules

Previously, some branch protections only allowed exceptions to be granted to users and teams.
Now, GitHub Apps can also be granted exceptions to any branch protection that supports exceptions.

Admins can create branch protection rules to enforce certain workflows for branches, such as requiring a pull request before changes can be merged to a branch.

This is a good practice, but you may want to make exceptions to a rule for specific people, teams, or GitHub Apps.
For example, if you have a GitHub App that calls GitHub APIs to make changes in a repository, you may want to permit that App to make changes without creating a pull request.

Previously, these exceptions could be granted to people and teams, but only some protections allowed GitHub Apps.

Now, branch protections that previously only allowed exceptions for people and teams also support GitHub Apps.
When admins configure these branch protections, they can choose from a list of GitHub Apps that are installed and authorized for the repository, as shown here:

(Image of adding a GitHub App as an exception to a branch protection setting -- https://i0.wp.com/user-images.githubusercontent.com/1767415/168915626-eaccb112-d95f-4828-bbfd-317844aa6cda.png?ssl=1)

For information about branch protection rules, visit Managing a branch protection rule.

For information about GitHub Apps, visit About GitHub Apps.

justin.m.chase also adds in the comments:

Even though your app can bypass branch protections requiring a PR, it doesn't let you bypass commit protections such as status checks.

VonC
  • This is the answer. The super short version after doing a lot of investigating is that despite some of the workarounds you _shouldn't_ make commits from actions that bypass branch protections. Rather, make a PR or if you really want automated commits, then make an App and grant that app the permissions listed above here. The reason why the app is ok is because it's not arbitrary behavior that can be changed in the PR itself. Actions are great for checks and side-effects but not committing changes automatically. – justin.m.chase Sep 22 '22 at 14:40
  • @justin.m.chase I agree. Using an app for that seems a better approach indeed. – VonC Sep 22 '22 at 15:16
  • Also, even though your app can bypass branch protections requiring a PR, it doesn't let you bypass _commit_ protections such as status checks. – justin.m.chase Jan 20 '23 at 13:41
  • @justin.m.chase Good point, thank you for this. I have included your comment in the answer for more visibility. – VonC Jan 20 '23 at 14:42
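To make the configuration this answer describes concrete, here is an added example (not code from the answer or from GitHub) that builds the branch-protection body granting one App an exception to the review rule, and then audits a protection object to list who can bypass what. The field names follow the REST endpoints GET/PUT /repos/{owner}/{repo}/branches/{branch}/protection as I know them (objects with login/slug on GET, plain name strings on PUT); treat the exact shape as an assumption to check against the API docs for your GitHub version. The app slug `version-bumper-app`, the team and the user in the sample are constructed.

```python
"""Branch-protection exception for a GitHub App: build it, then audit it.

Added example, not code from the answer or from GitHub. Field names follow the
REST endpoints GET/PUT /repos/{owner}/{repo}/branches/{branch}/protection as I
know them; treat the exact shape as an assumption to check against the API docs
for your GitHub version. The app slug, team and user names below are constructed.
"""
import json


def build_protection_payload(app_slug, contexts, review_count=1):
    """Body for PUT .../protection granting one App an exception to the PR-review
    rule and the push restriction, while keeping required status checks.

    The status checks are kept deliberately: an App exception bypasses the
    review requirement, not the checks, so every commit is still validated.
    """
    return {
        "required_status_checks": {"strict": True, "contexts": list(contexts)},
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "required_approving_review_count": review_count,
            "bypass_pull_request_allowances": {"users": [], "teams": [], "apps": [app_slug]},
        },
        "restrictions": {"users": [], "teams": [], "apps": [app_slug]},
    }


# Constructed sample of what GET .../branches/master/protection returns after
# an admin has granted the App and a team exceptions in the UI.
SAMPLE_PROTECTION = json.loads("""
{
  "required_status_checks": {"strict": true, "contexts": ["ci/build", "ci/test"]},
  "enforce_admins": {"enabled": true},
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "bypass_pull_request_allowances": {
      "users": [],
      "teams": [{"slug": "release-managers"}],
      "apps": [{"slug": "version-bumper-app"}]
    }
  },
  "restrictions": {
    "users": [{"login": "alice"}],
    "teams": [],
    "apps": [{"slug": "version-bumper-app"}]
  }
}
""")


def _principals(section):
    """Flatten a users/teams/apps allowance section into 'kind:name' strings."""
    out = []
    for kind, name_field in (("users", "login"), ("teams", "slug"), ("apps", "slug")):
        for entry in (section or {}).get(kind) or []:
            out.append(f"{kind[:-1]}:{entry[name_field]}")
    return out


def review_bypassers(protection):
    """Principals allowed to merge without the required approving reviews."""
    reviews = protection.get("required_pull_request_reviews") or {}
    return _principals(reviews.get("bypass_pull_request_allowances"))


def push_allowed(protection):
    """Principals allowed to push directly; empty means no push restriction set."""
    return _principals(protection.get("restrictions"))


def audit(protection):
    """Summarise who can get around the rule and what still applies to them."""
    checks = protection.get("required_status_checks") or {}
    bypassers = review_bypassers(protection)
    return {
        "review_bypassers": bypassers,
        "app_review_bypassers": [p for p in bypassers if p.startswith("app:")],
        "push_allowed": push_allowed(protection),
        "admins_enforced": bool((protection.get("enforce_admins") or {}).get("enabled")),
        "status_checks_still_required": bool(checks.get("contexts")),
        "status_checks_strict": bool(checks.get("strict")),
    }


if __name__ == "__main__":
    print(json.dumps(build_protection_payload("version-bumper-app", ["ci/build"]), indent=2))
    print(json.dumps(audit(SAMPLE_PROTECTION), indent=2))
```

Running the audit periodically over every protected branch is a cheap way to catch an App or team exception that was added for a one-off and never removed; the `status_checks_still_required` flag is the point from the comments, that an App exception relaxes the review rule but leaves the checks on each commit in force.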
1

You can't. The branch permissions are there to stop anyone from pushing to the branch.

In my setup we have protection from admins pushing too, which is even more fun. We have got around it with two service accounts: in the CI code we raise a PR using one service account's token and then immediately the other account's token approves and merges it.

It's not a great workaround, but until GitHub makes finer-grained permissions it is all we can do.

apr_1985
  • I was afraid of this. It is my conclusion as well. The two user trick is super clever though. – justin.m.chase Dec 18 '20 at 19:40
  • If you allow the one user to bypass branch protections then you can merge your PR with the same account despite other branch protections. I still had to open a PR though to trigger status checks for the commit. – justin.m.chase Jan 20 '23 at 13:45
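The two-service-account flow this answer describes, as an added example (not the answerer's code): it opens the PR with one account's token, waits for the combined commit status so the status checks the comments mention still run, then approves and merges with the second account. The REST endpoints used are real GitHub API endpoints; the response fields read here (`number`, `head.sha`, `state`), the owner/repo names and the tokens are assumed or constructed, and the HTTP transport is injected so the sequencing can be exercised against a fake without network access.

```python
"""Two-service-account PR flow from the answer above, as an added example.

Not the answerer's code. Endpoints are the GitHub REST API's
POST /repos/{owner}/{repo}/pulls, GET .../commits/{sha}/status,
POST .../pulls/{n}/reviews and PUT .../pulls/{n}/merge; the response fields
read here (number, head.sha, state) are assumptions to verify against the API
docs. The transport is injected so the sequencing runs offline against a fake.
"""
import json
import time
import urllib.request

API = "https://api.github.com"


def github_request(method, path, token, body=None):
    """Real transport: one authenticated call returning the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # network call; the test uses a fake
        return json.load(resp)


def wait_for_checks(owner, repo, sha, token, send, attempts=30, sleep=time.sleep):
    """Poll the combined commit status until it leaves 'pending' (or we give up)."""
    for _ in range(attempts):
        state = send("GET", f"/repos/{owner}/{repo}/commits/{sha}/status", token)["state"]
        if state != "pending":
            return state
        sleep(10)
    return "pending"


def two_account_merge(owner, repo, head, base, author_token, approver_token,
                      send=github_request, sleep=time.sleep):
    """Open a PR as the author account, then approve and merge it as a second one.

    GitHub does not count a PR author's own approval, which is why two distinct
    accounts are needed. Merging only after the combined status is 'success'
    keeps the status checks that the PR triggers in force; branch protection
    would refuse the merge anyway, but checking first gives a clear error.
    Returns the call trail (method, path, role) for audit logging.
    """
    if author_token == approver_token:
        raise ValueError("author and approver must be distinct accounts")
    trail = []

    def call(method, path, token, body=None):
        trail.append((method, path, "author" if token == author_token else "approver"))
        return send(method, path, token, body)

    pr = call("POST", f"/repos/{owner}/{repo}/pulls", author_token,
              {"title": f"ci: automated change from {head}", "head": head, "base": base})
    number, sha = pr["number"], pr["head"]["sha"]
    state = wait_for_checks(owner, repo, sha, author_token, send=call, sleep=sleep)
    if state != "success":
        raise RuntimeError(f"PR #{number}: status checks ended in state {state!r}; not merging")
    call("POST", f"/repos/{owner}/{repo}/pulls/{number}/reviews", approver_token,
         {"event": "APPROVE", "body": "automated approval by the CI approver account"})
    call("PUT", f"/repos/{owner}/{repo}/pulls/{number}/merge", approver_token,
         {"merge_method": "squash"})
    return trail


class FakeGitHub:
    """Constructed stand-in for the API so the flow can run without a network."""

    def __init__(self, final_state="success"):
        self.calls = []
        self.final_state = final_state

    def __call__(self, method, path, token, body=None):
        self.calls.append((method, path, token, body))
        if method == "POST" and path.endswith("/pulls"):
            return {"number": 42, "head": {"sha": "0000000deadbeef"}}
        if path.endswith("/status"):
            return {"state": self.final_state}
        return {"merged": True}


if __name__ == "__main__":
    fake = FakeGitHub()
    for step in two_account_merge("acme", "widget", "ci/bump-version", "master",
                                  "TOKEN_A", "TOKEN_B", send=fake, sleep=lambda s: None):
        print(step)
```

The returned trail is worth writing to the CI log: it records which account created, approved and merged each automated change, which is the evidence an auditor will ask for when two service accounts can between them satisfy a review requirement. The approver token should be scoped to a single dedicated account with no other rights, and its use should be alertable.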