Fails to push tags to protected main branch

[parnavh]

The github action is configured using this workflow file:

name: Release

on:
  push:
    branches:
      - main

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9

      - name: Setup Node.js 20
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: "pnpm"

      - name: Install Dependencies
        run: pnpm install

      - name: Create Github Release
        uses: changesets/action@v1
        with:
          commit: "chore(release): 📦 version packages"
          title: "chore(release): 📦  version packages"
          publish: pnpm changeset tag
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}

I am not publishing to npm, so just running changeset tag so that the github release is created.

The tags gets generated but fail to push to the main citing git error 128 insufficient permissions.

The log for the action:

Run changesets/action@v1
  with:
    commit: chore(release): 📦 version packages
    title: chore(release): 📦  version packages
    publish: pnpm changeset tag
    setupGitUser: true
    createGithubReleases: true
  env:
    PNPM_HOME: /home/runner/setup-pnpm/node_modules/.bin
    GITHUB_TOKEN: ***
setting git user
/usr/bin/git config user.name "github-actions[bot]"
/usr/bin/git config user.email "github-actions[bot]@users.noreply.github.com"
setting GitHub credentials
No changesets found, attempting to publish any unpublished packages to npm
No user .npmrc file found, creating one
/home/runner/setup-pnpm/node_modules/.bin/pnpm changeset tag
🦋  New tag:  v0.1.3
/usr/bin/git push origin --tags
remote: Permission to parnavh/gregmat-buddy.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/parnavh/gregmat-buddy/': The requested URL returned error: 403
Error: Error: The process '/usr/bin/git' failed with exit code 128
Error: The process '/usr/bin/git' failed with exit code 128

I have given the PAT write permission to content, issues and PRs.

I have a ruleset that has the following branch rules: Restrict deletions and Block force pushes. This ruleset was initially enabled which caused this error and the action was successful when the ruleset was disabled. I dont see any force pushes happening in the logs, is there a particular reason why this fails, and will I have to add myself as an exception to the ruleset in order to make it work?

refs:
failing action
successful action after disabling ruleset
tree at the time of discovery

[almahdi404]

Did you find any solution?

[parnavh]

No, but I did find a workaround, I just added the PAT owner (myself) to the exception list and it works now

[almahdi404]

I am also adding a repo scoped PAT.

And i don't know how it's working for everyone else.

[parnavh]

Maybe we made some mistake, but this works till the devs get a chance to check this out

[almahdi404]

Found the correct solution

permissions:
  id-token: write
  contents: write
  pull-requests: write

Not sure if id-token is necessary.

[parnavh]

Works on a protected main branch? Strange... didn't work for me

[almahdi404]

I am not using protect rules. But that is what i needed.

Anyways, permissions should be added in the Usage examples.

[almahdi404]

One more thing

You are probably using an organization, which means you must first enable this behavior on the organization level and then on the repository level

Go to https://github.com/organizations/YOUR_ORG/settings/actions and check Allow GitHub Actions to create and approve pull requests
Then go to https://github.com/YOUR_ORG/YOUR_REPO/settings/actions and check the box that previously was grayed out