The last post showed how we created an easy process to update a web-page using a GitHub Issue and two GitHub Actions.
Protecting the repository
I opened the repository in the browser and GitHub and was provided with a warning that said
Clicking on the protect this branch button gave the reasoning.
Protect your most important branches Branch protection rules define whether collaborators can delete or force push to the branch and set requirements for any pushes to the branch, such as passing status checks or a linear commit history.
So I changed the settings so that a Pull Request is required and needs to be reviewed.
Breaks the workflow
I had already altered the workflow trigger for the workflow to generate the speaker-list.json so that it would run when changes to the speakers directory were pushed to the main branch by adding
on: workflow_call: workflow_dispatch: push: branches: - main paths: - speakers/*
I then approved a PR with a change to that directory and saw that the workflow had started.
Then it failed :-(.
The error message could be seen in the codespaces with the extension cschleiden.vscode-github-actions
This is the error message
Error: To https://github.com/dataplat/DataSpeakers ! refs/heads/main:refs/heads/main [remote rejected] (protected branch hook declined) Done Pushing to https://github.com/dataplat/DataSpeakers POST git-receive-pack (604 bytes) remote: error: GH006: Protected branch update failed for refs/heads/main.
remote: error: At least 1 approving review is required by reviewers with write access.
error: failed to push some refs to ‘https://github.com/dataplat/DataSpeakers’
Of course, because I have now protected my branch, I cannot automatically push changes into the main branch.
To fix this, I had to create a new PAT token with
public_repo scope and save it as a secret for the workflow to access and update the checkout to use this token.
Create a new PAT token
The instructions to do this are found in the docs here
- In the upper-right corner of any page, click your profile photo, then click Settings.
- In the left sidebar, click Developer settings.
- In the left sidebar, click Personal access tokens.
- Click Generate new token.
- Give your token a descriptive name.
- To give your token an expiration.
- Select the scopes, or permissions, you’d like to grant this token.
For this scenario just choose
- Click Generate token.
- Save the generated token somewhere safe like your password manager. ( You do have a password manager? - Our family use 1Password)
Save it as a secret in the repository
You do not ever ever ever want to store secrets in source control. When using GitHub like this you can store your secrets in the settings of the repository by following this guide
- navigate to the main page of the repository.
- Under your repository name, click on the “Settings” tab.
- In the left sidebar, click Secrets.
- On the right bar, click on “Add a new secret”
- Type a name for your secret in the “Name” input box. I used
- Type the value for your secret.
- Click Add secret.
Use it in your workflow
Now that you have saved your secret, you can use it your workflows. To get rid of the protected branch error it is used in the
actions/checkout action like this
- uses: actions/[email protected] with: fetch-depth: 0 ref: main token: $
I remembered to do for both workflows!!
I then created a PR to test it and this time it was able to successfully push changes to the main branch
But thats not all folks
This will work correctly for a PR and it will work for the initial workflow that has been called.
It will not work for the reusable workflow. When the reusable workflow is called from another workflow it is unable to pick up the token from the secrets. In that scenario we get this error
Input required and not supplied: token
In the calling workflow add a
secrets entry and pass in the token secret.
createSpeakerListJson: needs: addNewSpeaker uses: dataplat/DataSpeakers/.github/workflows/[email protected] secrets: REPO_TOKEN: $
and then at the top of the reusable workflow define the secrets
on: workflow_call: secrets: REPO_TOKEN: required: true