Push protection false positive, push declined (and it's not even enabled)

[m417z]

Select Topic Area

Bug

Body

Hello,

I have a daily GitHub Actions job running at https://github.com/m417z/winbindex. Lately, I've been getting errors similar to the following:

remote: error: GH013: Repository rule violations found for refs/heads/gh-pages.        
remote: Review all repository rules at http://github.com/m417z/winbindex/rules?ref=refs%2Fheads%2Fgh-pages        
remote: 
remote: - GITHUB PUSH PROTECTION        
remote:   —————————————————————————————————————————        
remote:     Resolve the following violations before pushing again        
remote: 
remote:     - GITHUB PUSH PROTECTION        
remote:       ——————————————————————————————————————————————————————        
remote:        Resolve the following secrets before pushing again.        
remote:               
remote:        (?) Learn how to resolve a blocked push        
remote:        https://docs.github.com/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection        
remote:               
remote:               
remote:       —— Login with Amazon OAuth Client Secret —————————————        
remote:        locations:        
remote:          - blob id: 5ec03ac86a8ebe2cad9b3a68d08e011d32c56a65        
remote:               
remote:        (?) To push, remove secret from commit(s) or follow this URL to allow the secret.        
remote:        https://github.com/m417z/winbindex/security/secret-scanning/unblock-secret/2eLwZg2LxVhsIL2fevz6n9th7vj        
remote:               
remote:               
remote:               
remote:       ——[ WARNING ]—————————————————————————————————————————        
remote:        Scan incomplete: This push was large and we didn't finish on time.        
remote:        It can still contain undetected secrets.        
remote:               
remote:        (?) Use the following command to find the path of the detected secret(s):        
remote:            git rev-list --objects --all | grep blobid        
remote:       ——————————————————————————————————————————————————————        
remote: 
To https://github.com/m417z/winbindex
 ! [remote rejected]     gh-pages -> gh-pages (push declined due to repository rule violations)
error: failed to push some refs to 'https://github.com/m417z/winbindex'

The relevant file is info_sources.json, which contains file hashes, so it's clearly a false positive. But the thing is, I didn't find a way to disable this push protection. It seems to be disabled for the repo, and I disabled it for my user by following the docs (under "Code security and analysis"). What can I do to get rid of these checks?

[courtneycl]

👋 @m417z -- hello from the secret scanning team. Thanks for reporting this!

For context: we recently enabled push protection for users across GitHub, and that included apps and bots like GitHub Actions. We're working to allow users to bypass these blocks on behalf of the bot. We're disabling push protection for bots until we have that in place.

You can leverage this repo configuration to allow-list the entire info_sources.json file -- this will ensure secrets in this file are not blocked in the future.

Let us know if you have any issues.

[m417z]

Thanks Courtney! I think it would be helpful to include that repo configuration link in the block message.