Unable to push tag with GitHub Actions GITHUB_TOKEN: `refusing to allow a GitHub App to create or update workflow .github/workflows/foo.yaml without workflows permission` #151442

carlcsaposs-canonical · 2025-02-14T12:48:09Z

carlcsaposs-canonical
Feb 14, 2025

Select Topic Area

Bug

Body

It is not possible to push a git tag from GitHub Actions using the GITHUB_TOKEN if the tag points to a commit where the contents of .github/workflows/ are not identical to the contents of .github/workflows/ on the latest commit of any branch

When pushing the tag, the workflow will fail with

To https://github.com/carlcsaposs-canonical/bug-report-github-actions-tags
 ! [remote rejected] latest/candidate -> latest/candidate (refusing to allow a GitHub App to create or update workflow `.github/workflows/foo.yaml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/carlcsaposs-canonical/bug-report-github-actions-tags'

If the contents of .github/workflows/ is identical to the contents of .github/workflows/ on the latest commit of any branch, the tag will be pushed successfully

I understand why this protection is in place for branch pushes (you don't want a GitHub App creating a workflow that gives itself access to secrets). However, it appears this protection is being incorrectly applied to tag pushes

To clarify, the tag that is being pushed points to a commit that is already on the main branch—it is just not the latest commit on the main branch. Pushing the tag does not create or update a workflow

It appears that several people have run into this issue before, but may have misunderstood the root cause. For example:
actions/checkout#1421
https://github.com/orgs/community/discussions/109715
https://github.com/orgs/community/discussions/51520
https://github.com/orgs/community/discussions/146011
https://github.com/orgs/community/discussions/35410
https://github.com/orgs/community/discussions/141159

Steps to reproduce

Create a GitHub repository
Add .github/workflows/foo.yaml to main with this content:

on:
  workflow_dispatch:

jobs:
  foo:
    name: foo
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: |
          git tag latest/candidate HEAD^ --force
          git push origin latest/candidate --force
    permissions:
      contents: write  # Needed to update git tags

In a new commit, edit the workflow file (e.g. add a comment) on the main branch
Go to Actions & trigger the foo.yaml workflow on main
Check workflow run logs
e.g.

To https://github.com/carlcsaposs-canonical/bug-report-github-actions-tags
 ! [remote rejected] latest/candidate -> latest/candidate (refusing to allow a GitHub App to create or update workflow `.github/workflows/foo.yaml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/carlcsaposs-canonical/bug-report-github-actions-tags'

Here is a repository created with those steps to reproduce: https://github.com/carlcsaposs-canonical/bug-report-github-actions-tags

2025-02-14T12:48:35Z

github-actions[bot]
bot Feb 14, 2025

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

Your input will be carefully reviewed and cataloged by members of our product teams.
- Due to the high volume of submissions, we may not always be able to provide individual responses.
- Rest assured, your feedback will help chart our course for product improvements.
Other users may engage with your post, sharing their own perspectives or experiences.
GitHub staff may reach out for further clarification or insight.
- We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

Upvote and comment on other user feedback Discussions that resonate with you.
Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

0 replies

carlcsaposs-canonical · 2025-02-14T12:53:19Z

carlcsaposs-canonical
Feb 14, 2025
Author

Log archive from workflow run where this issue was reproduced: logs_34393488059.zip

0 replies

carlcsaposs-canonical · 2025-02-14T12:54:24Z

carlcsaposs-canonical
Feb 14, 2025
Author

(for personal reference) opened GitHub support ticket: https://support.github.com/ticket/3233575

0 replies

andyn-ff · 2025-05-30T10:54:20Z

andyn-ff
May 30, 2025

Nice one, well found! I've hit this restriction too, you helped me get to the root cause and confirm it in my own situation.
Did you get any response back from GitHub on your support ticket yet @carlcsaposs-canonical ?