9

I have a GitHub action that uses:

github_token: ${{ secrets.GITHUB_TOKEN }}

When I run it I get:

  ! [remote rejected]     tmp_upstream/master -> master (refusing to allow a GitHub App to create or update workflow `.github/workflows/build-images-workflow-run.yml` without `workflows` permission)
error: failed to push some refs to '***github.com/myname/repo'

https://docs.github.com/en/actions/reference/authentication-in-a-workflow explains that

GitHub automatically creates a GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in a workflow run.

But I used the workflow and it didn't seem to create the token. I went to create a personal token and then tried to save it with the name GITHUB_TOKEN but it says that the name is invalid. How can I solve this?

personal token

3

3 Answers 3

7

In order to modify a workflow, a GitHub App, such as the one used for issuing tokens for GitHub Actions, requires the workflow scope. This is so that GitHub Apps you've added to your repository can't access the secrets in your repository without your permission. The token issued for GitHub Actions doesn't have this permission by default.

If you don't need to modify the workflow files, then you can just avoid modifying them and this will go away. If you do need to modify them, you can create an appropriately scoped PAT and store it under a name that doesn't start with GITHUB, say WORKFLOW_TOKEN. You can then adjust your action to say this:

github_token: ${{ secrets.WORKFLOW_TOKEN }}

4 Comments

To be honest, I don't fully understand this. According to Method 2 (dev.to/dtinth/…), I don't even need to do this, and the token is created behind when the workflow is activated.
Yes, GitHub Actions creates a token, but you cannot use that token to modify workflow files. If you create a differently named PAT or other token with the workflow scope, then you can modify those files.
I don't want to modify a workflow. The workflow is there because I forked the project. I just want to execute the workflow. This workflow just syncs the upstream into my fork. That is it.
If you're pushing data that contains the workflow files, you must have the workflow scope on your token, even if that data is normally just up in the main project.
3

When generating tokens, you need to give the correct permissions for the token. You have to tick the following checkbox, next to workflow, in order to have update privileges.


1 Comment

To be honest, I don't fully understand this. According to Method 2 (dev.to/dtinth/…), I don't even need to do this, and the token is created behind when the workflow is activated.
2

You need to set the token input of actions/checkout.

See also https://github.com/actions/checkout#usage
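
Putting the answers above together, as an added example that is not part of the original posts: a fork-sync workflow that passes a PAT carrying the workflow scope, stored under the secret name WORKFLOW_TOKEN from the first answer, to the token input of actions/checkout. The workflow name, schedule, branch name, action version tag and the UPSTREAM_OWNER/UPSTREAM_REPO placeholder are assumptions.

```yaml
# Added example: sync a fork from its upstream when the incoming commits
# may include files under .github/workflows/.
name: sync-fork-with-upstream   # assumed name

on:
  schedule:
    - cron: "0 3 * * *"         # assumed schedule
  workflow_dispatch:

# The automatically created GITHUB_TOKEN is not used for the push,
# so keep its permissions at the minimum.
permissions:
  contents: read

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: master
          fetch-depth: 0        # full history so the fast-forward can be computed
          # PAT created with the "workflow" scope ticked and saved as a
          # repository secret. Secret names may not start with GITHUB_,
          # which is why saving it as GITHUB_TOKEN is rejected.
          token: ${{ secrets.WORKFLOW_TOKEN }}

      - name: Fast-forward master to upstream and push
        run: |
          # Placeholder upstream URL: replace with the project you forked.
          git remote add upstream https://github.com/UPSTREAM_OWNER/UPSTREAM_REPO.git
          git fetch upstream master
          # --ff-only refuses to create a merge commit if the fork has diverged.
          git merge --ff-only upstream/master
          # checkout stored the PAT in the local git config, so this push
          # authenticates with WORKFLOW_TOKEN and may update workflow files.
          git push origin master
```

A PAT with the workflow scope can rewrite any workflow in the repositories it covers, so limit who can read or change the secret and rotate the token on a schedule.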
