Auto Shipit with Protected Branch #945

Closed
bbrinx opened this issue Feb 11, 2020 · 9 comments
Labels
bug Something isn't working

@bbrinx

bbrinx commented Feb 11, 2020

Describe the bug
When running auto in a CI environment, e.g. GitHub Actions, auto shipit will fail when master branch protection is turned on. Is there any way, maybe by setting up permissions in a certain way, to overcome this issue without disabling branch protection?

To Reproduce

Using the following GitHub Actions workflow and setting master as a protected branch will result in a failed push attempt with this error message:

```
Error: Running command 'git' with args [push, --follow-tags, --set-upstream, origin, master] failed

remote: error: GH006: Protected branch update failed for refs/heads/master.
remote: error: At least 1 approving review is required by reviewers with write access.
```

GitHub Actions workflow

```yaml
name: Release

on:
  push:
    branches:
      - master

jobs:
  release:
    runs-on: ubuntu-latest
    if: "!contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci')"
    steps:
      - uses: actions/checkout@v1

      - name: Prepare repository
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git checkout ${GITHUB_REF:11} --
          git remote rm origin
          git remote add origin "https://x-access-token:$GH_TOKEN@github.com/<owner>/<repository>"
          git fetch origin --tags
          git branch --set-upstream-to origin/${GITHUB_REF:11} ${GITHUB_REF:11}

      - name: Use Node.js 12.x
        uses: actions/setup-node@v1
        with:
          node-version: 12.x

      - name: Cache node modules
        uses: actions/cache@v1
        with:
          path: node_modules
          key: yarn-deps-${{ hashFiles('yarn.lock') }}
          restore-keys: |
            yarn-deps-${{ hashFiles('yarn.lock') }}

      - name: Create Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          yarn install --frozen-lockfile
          yarn build
          yarn auto shipit
```
  • Version 9.6.0
@bbrinx bbrinx added the bug Something isn't working label Feb 11, 2020
@hipstersmoothie
Collaborator

hipstersmoothie commented Feb 11, 2020

secrets.GITHUB_TOKEN doesn't actually have write access to your repo. You need to create a token from a user with write access.

I think this is the issue. If this works please comment back and I will add a note to the docs. (Or if you want to make a PR I will merge it)

@bbrinx
Author

bbrinx commented Feb 12, 2020

Unfortunately this didn’t solve the problem. It seems like the GITHUB_TOKEN is created automatically and should have the right permissions. But I tried it with a custom token which also didn’t work.

@hipstersmoothie
Collaborator

hipstersmoothie commented Feb 18, 2020

I'm still pretty sure that your token needs a little more permissions. To check this I did the following:

Turn on branch protection for auto-config-hipstersmoothie and switch to GITHUB_TOKEN.

Result: https://github.com/hipstersmoothie/auto-config-hipstersmoothie/runs/451642081?check_suite_focus=true

I got the same error as you did.

After switching back to the GH_TOKEN I set up (created from a user with write access and giving the token repo access).

Result: https://github.com/hipstersmoothie/auto-config-hipstersmoothie/actions/runs/40930001

Release successful ✅

I think I need to make it clearer what permissions to give the token in the docs 😅

@bbrinx
Author

bbrinx commented Feb 19, 2020

> Turn on branch protection for auto-config-hipstersmoothie and switch to GITHUB_TOKEN.

When you say turn on branch protection - what does that include? Is Allow force pushes disabled?

EDIT: The second link should probably be this: https://github.com/hipstersmoothie/auto-config-hipstersmoothie/runs/451645892?check_suite_focus=true

@hipstersmoothie
Collaborator

hipstersmoothie commented Feb 19, 2020

> The second link should probably be this

yup, sorry!

> Allow force pushes disabled

auto doesn't force push so this shouldn't be an issue. Here is what I have configured:

[Screenshot: Screen Shot 2020-02-19 at 12 55 57 AM]

@hipstersmoothie
Collaborator

@bbrinx Any update on this? Will probably close soon without a reproducible example

@bbrinx
Author

bbrinx commented Mar 3, 2020

@hipstersmoothie I added a token with all permissions and it worked! Seems like I didn't set the right permissions the first time I tried. Thanks!

@hipstersmoothie
Collaborator

Awesome!

@airtonix

doesn't work if you have "required checks" ticked.
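
Added example (not part of the thread, and not code from auto or its maintainers): a preflight check that lists why a direct push to the protected branch would be rejected for a given token, covering the required-review error reported in this issue and the required-checks case from the last comment. Field names follow GitHub's REST responses for branch protection and repository permissions; `pushBlockers`, the sample objects, and the rule that admins bypass protection unless administrators are included are assumptions of this example.

```javascript
// Added example; pushBlockers() and the sample objects are constructed.
// Field names follow GitHub's REST responses for
//   GET /repos/{owner}/{repo}/branches/{branch}/protection
//   GET /repos/{owner}/{repo}   (the "permissions" object)
// Classic personal access tokens list their scopes in the X-OAuth-Scopes header.

// Returns the reasons a direct `git push` to the protected branch would be
// rejected for this token; an empty array means nothing checked here blocks it.
function pushBlockers(protection, repoPermissions, oauthScopes) {
  const reasons = [];
  const scopes = oauthScopes.split(",").map((s) => s.trim()).filter(Boolean);
  if (!repoPermissions.push) reasons.push("token user has no write access");
  if (!scopes.includes("repo")) reasons.push("token lacks the repo scope");

  // Assumption: admins bypass the rules below unless the rule also
  // applies to administrators (enforce_admins.enabled).
  const enforced = Boolean(protection.enforce_admins && protection.enforce_admins.enabled);
  if (repoPermissions.admin && !enforced) return reasons;

  const reviews = protection.required_pull_request_reviews;
  if (reviews && reviews.required_approving_review_count > 0) {
    reasons.push(`${reviews.required_approving_review_count} approving review(s) required`);
  }
  const checks = protection.required_status_checks;
  if (checks && (checks.contexts || []).length > 0) {
    reasons.push(`required status checks: ${checks.contexts.join(", ")}`);
  }
  return reasons;
}

// Constructed sample: the rule behind the GH006 error in this issue.
const reviewRule = {
  required_pull_request_reviews: { required_approving_review_count: 1 },
  enforce_admins: { enabled: false },
};
// Constructed sample: same rule plus a required check, administrators included.
const strictRule = {
  required_pull_request_reviews: { required_approving_review_count: 1 },
  required_status_checks: { strict: true, contexts: ["build"] },
  enforce_admins: { enabled: true },
};
const writer = { admin: false, push: true, pull: true };
const admin = { admin: true, push: true, pull: true };

console.log(pushBlockers(reviewRule, writer, "repo"));
console.log(pushBlockers(reviewRule, admin, "repo"));
console.log(pushBlockers(strictRule, admin, "repo"));
```

Running this against the real API responses before `auto shipit` shows which rule blocks the push, so the release token can be given the access that rule calls for rather than every scope.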
