refusing to allow a GitHub App to create or update workflow .github/workflows/issue-inactive.yml without workflows permission #44

Open
Alanscut opened this issue Dec 31, 2021 · 10 comments

@Alanscut

When the other files in the .github directory have changed, the sync action will fail:

    Pushing synced data to target branch.
    To https://github.com/xxx/yyyy
     ! [remote rejected] dev -> dev (refusing to allow a GitHub App to create or update workflow `.github/workflows/issue-inactive.yml` without `workflows` permission)
    error: failed to push some refs to 'https://github.com/xxx/yyyy'
    ERROR:  exit 1
    Could not push changes to target repo.
    Try running in test mode to verify your action input. If that does not help, please open an issue.
    Resetting git config to previous settings.

@m-roberts

m-roberts commented Dec 31, 2021

I have the same issue, though obviously on a different workflow file. Seems that a Personal Access Token is required to get around this? Seems related to #12

@aormsby
Owner

aormsby commented Jan 17, 2022

I agree, that does seem similar to #12.

In a nutshell -- if everything else works, but you just can't push at the final step, it's almost certainly permission/credentials related. That has been my experience during development.

Check out the Setup Notes here on the wiki and see if they help. If not, let me know and we can try to dig into the issue a bit.

@josesimoes

josesimoes commented Feb 9, 2022

I'm having the same issue. If an action YAML is changed upstream, the update will fail with that message that workflow permission is required for the app.

I've followed the other issue, and after moving the token to the checkout step it started to work.

BTW, thanks for this handy action! 👏🏻 👏🏻 👏🏻

@m-roberts

I am unable to get the following working, which (if I understand correctly) is using my PAT as a checkout token as mentioned by @josesimoes, but target_repo_token: ${{ secrets.GITHUB_TOKEN }} does not seem to change the result (I am still getting the same error)

    name: Upstream Sync

    on:
      schedule:
        - cron:  '0 7 * * *'
      workflow_dispatch:

    jobs:
      sync_latest_from_upstream:
        runs-on: ubuntu-latest
        name: Sync latest commits from upstream repo

        steps:
        - name: Checkout code
          uses: actions/checkout@v2
          with:
            ref:  upstream
            token: ${{ secrets.GITHUB_TOKEN }}

        - name: Sync upstream changes
          id: sync
          uses: aormsby/[email protected]
          with:
            target_sync_branch: upstream
            target_repo_token: ${{ secrets.GITHUB_TOKEN }}
            upstream_sync_branch: master
            upstream_sync_repo: <source_repo>

@josesimoes

@m-roberts on the above: I've removed the token on the Fork-Sync-With-Upstream-action action config.
Take a look at how it ended up working for me:
https://github.com/OrgPal/nf-interpreter/blob/orgpal-mesh/.github/workflows/merge-upstream.yml

@m-roberts

Sadly I have modified my earlier code to remove the token from the sync action, but I still get an error.

@aormsby
Owner

aormsby commented Mar 13, 2022

@m-roberts Check if you have 'write' permissions for actions enabled.

  1. Check in your repo settings - docs
  2. Check the 'Set up job' step in your workflow logs

If it's all set to 'write', then I wonder if workflow write permissions are not available on the action token anymore. In that case, try creating a new token with those permissions and using it in the checkout step and the sync step of the workflow.

The only thing stopping you here is permissions, not the action itself. If there have been Action updates that affect permissions, I am not yet aware of them.

@misilot

misilot commented Apr 19, 2024

Did anyone figure this out?

tomboy40 added a commit to tomboy40/lobe-chat that referenced this issue Jul 13, 2024
@Soltus

Soltus commented Jul 17, 2024

When encountering this error, three things need to be checked:

  1. Repository settings: Workflow permissions allow write permissions
  2. The TOKEN used has workflows permission. If it is an organizational repo, you need to check the scope of TOKEN.
  3. actions/checkout also requires TOKEN with workflows permission

Often, the third point is easily overlooked.

    - name: Checkout target repo
      uses: actions/checkout@v4
      with:
        # optional: set the branch to checkout,
        # sync action checks out your 'target_sync_branch' anyway
        ref:  ${{ env.target_sync_branch }}
        token: ${{ secrets.MY_GH_TOKEN_W }}

    # REQUIRED step
    # Step 2: run the sync action
    - name: Sync upstream changes
      id: sync
      uses: aormsby/[email protected]
      with:
        target_sync_branch: ${{ env.target_sync_branch }}
        target_repo_token: ${{ secrets.MY_GH_TOKEN_W }}
        upstream_sync_branch: ${{ env.upstream_sync_branch }}
        upstream_sync_repo: ${{ env.upstream_sync_repo }}

@YehiaMostafaElabd

Hello everyone, I was having this issue too.
It was because I was using token: ${{ secrets.GITHUB_TOKEN }}, as it does not allow edits in the .github/workflow directory.
You should make a PAT token with privileges to edit in .github/workflow. Thanks, everyone.
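
Added example, not posted by any participant and not part of the action: a pre-flight check for the rejection discussed in this thread, which only occurs when the pushed commits change files under `.github/workflows/`. It assumes a classic personal access token, whose scopes GitHub reports in the `X-OAuth-Scopes` response header; the function names and sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: predict the "without `workflows` permission" push rejection.
# Function names and SAMPLE_* data are constructed for illustration.

# Succeeds if any path on stdin lies under .github/workflows/.
# Real input: git diff --name-only <target-branch> <upstream-ref>
touches_workflows() {
  grep -q '^\.github/workflows/'
}

# Prints one scope per line from the X-OAuth-Scopes header on stdin.
# Real input: curl -sI -H "Authorization: token $TOKEN" https://api.github.com/user
# Prints nothing when the header is absent.
token_scopes() {
  tr -d '\r' | grep -i '^x-oauth-scopes:' | cut -d: -f2- |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$'
}

# Succeeds if the headers on stdin list the classic-PAT "workflow" scope.
has_workflow_scope() {
  token_scopes | grep -qx 'workflow'
}

# preflight <changed paths> <response headers>
# Returns 1 if the push would be refused for lack of the workflow scope.
preflight() {
  if ! printf '%s\n' "$1" | touches_workflows; then
    echo "ok: push does not change workflow files"
  elif printf '%s\n' "$2" | has_workflow_scope; then
    echo "ok: token has the workflow scope"
  else
    echo "blocked: push changes workflow files, token lacks the workflow scope"
    return 1
  fi
}

# Constructed sample data (not captured from a real repository or token).
SAMPLE_CHANGED='README.md
.github/workflows/issue-inactive.yml'
SAMPLE_HEADERS_PAT='HTTP/2 200
x-oauth-scopes: repo, workflow'
SAMPLE_HEADERS_REPO_ONLY='HTTP/2 200
x-oauth-scopes: repo'

preflight "$SAMPLE_CHANGED" "$SAMPLE_HEADERS_PAT"
preflight "$SAMPLE_CHANGED" "$SAMPLE_HEADERS_REPO_ONLY" || true
```

Run as a step before the sync, this turns the late push failure into an early, explicit message about which token to fix.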
