[BUG] cannot push to protected branch with user supposed to be allowed to

[Roms1383]

Select Topic Area

Bug

Body

Hi ! It seems branch protection rules cannot be bypassed when they are supposed to, or did I miss something ?

context

• organization repo: cyb3rpsych0s1s/4ddicted (that I own)
• branch protection rules:
  as you can see I require a PR with approval but also set my personal bot Bender to be allowed to both bypass protection rule and to force push. I also set his Personal Access Token both in the organization's Secrets and as an env var in the failing workflow job

but as you can see from my latest Actions runs, it doesn't get allowed.

I have done a search for a similar discussion and tried the solutions suggested there (e.g. [skip ci]) but it didn't solve.

Is there any way to fix this ?

[Roms1383]

I'm gonna disable the changelog action for now as I need to keep releasing, so as a reminder the related Actions are numbered: 101, 103, 105, 107 and latest 109.

[yesh4gvm]

Did you find any solution for same ? @Roms1383 . I am facing same issue

[Roms1383]

Looking at my commits I think I just removed it. Haven't retried ever since @yesh4gvm.

[yesh4gvm]

ok @Roms1383

[anthms]

Hi @Roms1383 👋 - the authentication used for git operations run directly through the terminal is configured by the actions/checkout step:
https://github.com/actions/checkout/blob/main/action.yml#L12-L24

A token parameter can be passed, otherwise GITHUB_TOKEN is used by default - which will authenticate further git commands in the job as the github-actions bot.

If you set the relevant PAT to the token parameter for actions/checkout - the git operation should pass with bypassing the protection rule requirement.

steps:
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.KROMS_BOT_TOKEN }}
          fetch-depth: 0
      ...
      - name: Regenerate CHANGELOG.md
        run: |
          git config user.name "kroms-bot"
          git config user.email ""
          ...

[Roms1383]

Oh ok I'll have to give a try again in the coming weeks, thanks @anthms.

[joshjohanning]

Do you have required status checks enabled? If you enable required status checks, then even users/apps that you add to your list won't be able to bypass directly pushing without creating a pull request.

What you can do is have that user create a pull request and then they can use the fact that they are added to the list to override the merge.

[bl4ko]

For me a way to make this work was to use a Ruleset feature instead of classic branch protection rule.

You can make ruleset with the same options as classic branch protection rule, but in the bypass list, you must select Write role. Now all collaborators will be able to force push (your bot in this case), even if they don't meet the requirements for the push.