AIM: To modify one GitHub Actions .yaml file by running another GitHub Actions file. Specifically, I want to randomize the cron schedule of the other file.

PROBLEM: It gives error

 ! [remote rejected] main -> main (refusing to allow a GitHub App to create or update workflow `.github/workflows/main-runner.yaml` without `workflows` permission)

What I tried:

  1. Using a classic PAT with Workflows Permission (which is GH_CLASSIC_TOKEN in repo secrets):

  2. Allowing Workflow Permissions in repo settings:

  3. Deleting Repo and re-creating it.

Links to my repo:

  1. Seeker220/workflow-test-repo
  2. Failed GitHub Actions Logs

Relevant Code:

  1. trigger-creator.yaml
name: Trigger Creator

on:
  workflow_dispatch:  # Allows manual triggering of the workflow

jobs:
  update-cron:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Enable Main Workflow
        run: gh workflow enable main-runner.yaml
        env:
          GH_TOKEN: ${{ secrets.GH_CLASSIC_TOKEN }}

      - name: Generate Randomized Cron Time
        id: random-cron
        run: |
          # Generate a random hour between 0 and 23
          NEW_HOUR=$((RANDOM % 24))
          
          # Generate a random minute between 0 and 59
          NEW_MINUTE=$((RANDOM % 60))

          # Create new cron expression
          NEW_CRON="$NEW_MINUTE $NEW_HOUR * * *"
          echo "NEW_CRON=$NEW_CRON" >> $GITHUB_ENV

      - name: Update `main-runner.yaml` with New Cron
        run: |
          # Replace the old cron with the new one in main-runner.yaml
          sed -i "s/^    - cron: \".*\"/    - cron: \"${NEW_CRON}\"/" .github/workflows/main-runner.yaml

      - name: Commit and Push Changes
        run: |
          git config --global user.name "github-actions"
          git config --global user.email "[email protected]"
          git remote set-url origin https://x-access-token:${{ secrets.GH_CLASSIC_TOKEN }}@github.com/${{ github.repository }}.git
          git add .github/workflows/main-runner.yaml
          git commit -m "Update main-runner cron to: ${NEW_CRON}"
          git push origin main
        env:
          GH_CLASSIC_TOKEN: ${{ secrets.GH_CLASSIC_TOKEN }}

  2. main-runner.yaml
name: Main Runner

on:
  schedule:
    - cron: "0 15 * * *"  # Placeholder cron, gets updated dynamically

jobs:
  run-task:
    runs-on: ubuntu-latest
    steps:
      - name: Run Sample Command
        run: echo "Hello from Main Runner"

      - name: Disable Itself After Running
        run: gh workflow disable main-runner.yaml
        env:
          GH_TOKEN: ${{ secrets.GH_CLASSIC_TOKEN }}

So far, these didn't solve the issue. I have found similar questions on SE; in most of them, the OP was using a GITHUB_TOKEN instead of a PAT.

Thanks :)

asked Feb 16 at 8:53 by Asmit Karmakar

1 Answer

You have to tell git commands to use your generated token. You can do so via the checkout action at the top of your workflow and provide the token there (see here for docs example, omitted rest of your file for brevity):

...

jobs:
  update-cron:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_CLASSIC_TOKEN }}

...

And afterward, you should be able to push with this token if you only define user.name and user.email via git config (once again irrelevant parts omitted):

...
jobs:
  update-cron:
    runs-on: ubuntu-latest
    steps:
      ...
      - name: Commit and Push Changes
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "[email protected]"
          git add .github/workflows/main-runner.yaml
          git commit -m "Update main-runner cron to: ${NEW_CRON}"
          git push origin main

Also, please note:

  • Changed the email from github-actions to github-actions[bot] as that will register as GitHub Actions bot in the GitHub GUI (which I assume you want?)
  • You should use fine-grained tokens with minimal scope (contents: write and workflows: write should do I think), read more about them here (you could do this after the initial testing that this works with personal token) as this approach is more secure
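
Why the `git remote set-url` in the question had no effect, shown as an added diagnostic that is not part of the original question or answer: `actions/checkout@v4`, with its default `persist-credentials: true`, stores the token it was given as an `http.https://github.com/.extraheader` entry in the repository's local git config, and that header is sent on every request, so a PAT embedded in the remote URL is never used. The function names below are hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Function names are hypothetical.
# Assumption: actions/checkout@v4 with default persist-credentials: true has
# written its token to the local git config as an http extraheader.

EXTRAHEADER_KEY='http.https://github.com/.extraheader'

# Print which credential source git will present to github.com for repo $1.
push_credential_source() (
  repo="${1:-.}"
  header=$(git -C "$repo" config --local --get-all "$EXTRAHEADER_KEY" 2>/dev/null || true)
  url=$(git -C "$repo" config --local --get remote.origin.url 2>/dev/null || true)

  if printf '%s\n' "$header" | grep -qi '^authorization:'; then
    # Sent with every request, so the server never challenges git for the
    # user:password pair embedded in the remote URL.
    echo "checkout-extraheader"
  elif printf '%s\n' "$url" | grep -Eq '^https://[^/@]+@'; then
    echo "remote-url"
  else
    echo "none"
  fi
)

# Remove the persisted header so URL or credential-helper auth is used instead
# (comparable to setting persist-credentials: false on the checkout step).
clear_checkout_credential() {
  git -C "${1:-.}" config --local --unset-all "$EXTRAHEADER_KEY" 2>/dev/null || true
}

# Stand-alone use: ./script.sh /path/to/checkout
if [ "$#" -gt 0 ]; then
  push_credential_source "$1"
fi
```

Run as a step just before `git push`, a result of `checkout-extraheader` means the push authenticates with whatever token the checkout step received, which is `GITHUB_TOKEN` unless `token:` is set.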

Tags: GitHub PAT cannot modify workflow files, Stack Overflow