8

I have a GitHub action that uses:

```
github_token: ${{ secrets.GITHUB_TOKEN }}
```

When I run it I get:

```
 ! [remote rejected]     tmp_upstream/master -> master (refusing to allow a GitHub App to create or update workflow `.github/workflows/build-images-workflow-run.yml` without `workflows` permission)
error: failed to push some refs to '***github.com/myname/repo'
```

https://docs.github.com/en/actions/reference/authentication-in-a-workflow explains that

GitHub automatically creates a GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in a workflow run.

But I used the workflow and it didn't seem to create the token. I went to create a personal token and then tried to save it with the name GITHUB_TOKEN but it says that the name is invalid. How can I solve this?

personal token

papanito
sony
  • When you created your token, did you tick the box to update workflows? – mnestorov Mar 15 '21 at 18:58
  • @mnestorov yes.. – sony Mar 15 '21 at 19:07
  • Similar question: [github - How to resolve "refusing to allow an OAuth App to create or update workflow" on git push - Stack Overflow](https://stackoverflow.com/questions/64059610/how-to-resolve-refusing-to-allow-an-oauth-app-to-create-or-update-workflow-on) – user202729 Aug 17 '21 at 05:01

3 Answers

6

In order to modify a workflow, a GitHub App, such as the one used for issuing tokens for GitHub Actions, requires the workflow scope. This is so that GitHub Apps you've added to your repository can't access the secrets in your repository without your permission. The token issued for GitHub Actions doesn't have this permission by default.

If you don't need to modify the workflow files, then you can just avoid modifying them and this will go away. If you do need to modify them, you can create an appropriately scoped PAT and store it under a name that doesn't start with GITHUB, say WORKFLOW_TOKEN. You can then adjust your action to say this:

```
github_token: ${{ secrets.WORKFLOW_TOKEN }}
```

bk2204
  • to be honest I don't fully understand this according to Method 2 https://dev.to/dtinth/authenticating-as-a-github-app-in-a-github-actions-workflow-27co I don't even need to do this and the token is created behind when the workflow is activated – sony Mar 15 '21 at 19:18
  • Yes, GitHub Actions creates a token, but you cannot use that token to modify workflow files. If you create a differently named PAT or other token with the `workflow` scope, then you can modify those files. – bk2204 Mar 15 '21 at 22:05
  • I don't want to modify a workflow. The workflow is there because I forked the project. I just want to execute the workflow. This workflow just syncs the upstream into my fork. That is it. – sony Mar 16 '21 at 08:19
  • If you're pushing data that contains the workflow files, you must have the `workflow` scope on your token, even if that data is normally just up in the main project. – bk2204 Mar 16 '21 at 12:57
3

When generating tokens, you need to give the correct permissions for the token. You have to tick the following checkbox, next to workflow, in order to have update privileges.


mnestorov
  • to be honest I don't fully understand this according to Method 2 https://dev.to/dtinth/authenticating-as-a-github-app-in-a-github-actions-workflow-27co I don't even need to do this and the token is created behind when the workflow is activated – sony Mar 15 '21 at 19:16
3

You need to set the `token` input of `actions/checkout`.

See also https://github.com/actions/checkout#usage

JounQin
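
The two suggestions above (a PAT stored under a name such as WORKFLOW_TOKEN, passed to the `token` input of `actions/checkout`) can be combined in one fork-sync workflow. The following is an added example, not code from any of the posters; the workflow name, schedule, branch `master` and the UPSTREAM_OWNER/UPSTREAM_REPO placeholder are assumptions.

```yaml
# Added example. Placeholders: UPSTREAM_OWNER/UPSTREAM_REPO, branch "master",
# the schedule and the workflow name are assumptions, not from the question.
name: sync-upstream
on:
  schedule:
    - cron: "0 3 * * *"
  workflow_dispatch:

# The push below uses the PAT, so the automatic GITHUB_TOKEN only needs read access.
permissions:
  contents: read

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: master
          fetch-depth: 0   # full history so the fast-forward merge can succeed
          # PAT with the `workflow` scope, saved as a repository secret.
          # Secret names cannot start with GITHUB_, hence WORKFLOW_TOKEN.
          # checkout stores this token in the local git config, so the
          # later `git push` authenticates with it.
          token: ${{ secrets.WORKFLOW_TOKEN }}

      - name: Fast-forward to upstream and push
        run: |
          git remote add upstream https://github.com/UPSTREAM_OWNER/UPSTREAM_REPO.git
          git fetch upstream master
          # Log whether the incoming commits touch workflow files; those are
          # the pushes the default GITHUB_TOKEN is refused for.
          if git diff --name-only HEAD upstream/master | grep -q '^\.github/workflows/'; then
            echo "Sync includes changes under .github/workflows/ (workflow scope required)."
          fi
          git merge --ff-only upstream/master
          git push origin master
```

Because the PAT can rewrite workflow files, keep it in a repository secret rather than in the workflow file itself.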