Permission error on push action #188

Closed
vetlekise opened this issue Nov 9, 2023 · 4 comments
@vetlekise (Author) commented Nov 9, 2023

Trying to accomplish

Disclaimer (if it matters): the repo is in an organization.
I am creating a workflow that runs on a PR in a specified directory; the workflow lints my code by running terraform fmt -write=true. This lint should be committed and then pushed to the pull request branch. Is this not possible, or am I doing it wrong?

The error is showing the correct branch and URL, and I am using GITHUB_TOKEN for the permissions. Does this token not work for this use case, or are the permissions not correct?

Workflow error

Run ad-m/github-push-action@master
  with:
    branch: fmt-test11
    github_token: ***
    force: true
    github_url: https://github.com
    directory: .
  env:
    TF_LOG: INFO
    working-dir: ./LandingZones-Corp/Apport
    TERRAFORM_CLI_PATH: /home/runner/work/_temp/a13db8ba-c611-44b4-bdf4-e0c945dd6d14
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
Push to branch fmt-test11
remote: Write access to repository not granted.
fatal: unable to access 'https://github.com/CorpAutomationOrg-NearShore/sg.git/': The requested URL returned error: 403
Error: Invalid exit code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:30:21)
    at ChildProcess.emit (node:events:514:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5) {
  code: 128
}

Workflow used

name: "Pull Request - Apport"

on:
  pull_request:
    branches:
      - master
    paths:
      - LandingZones-Corp/Apport/**

env:
  TF_LOG: INFO
  working-dir: ./LandingZones-Corp/Apport

permissions:
  id-token: write
  issues: write
  pull-requests: write
  contents: read
jobs:
  pr-infra-check:
    runs-on: ubuntu-latest
    
    defaults:
      run:
        shell: bash

    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    # Install the latest version of Terraform CLI 
    - name: HashiCorp - Setup Terraform
      uses: hashicorp/setup-terraform@v3
      
    # Log into Azure with OIDC integration
    - name: 'Az CLI Login'
      uses: azure/login@v1
      with:
        client-id: ${{ secrets.CLIENT_ID }}
        tenant-id: ${{ secrets.TENANT_ID }}
        subscription-id: ${{ secrets.SUB_ID_APPORT }}

    # Run az commands to confirm sub access
    - name: 'Run Az Commands'
      run: |
        az account show

    # Run Terraform init
    - name: Terraform Init
      id: init
      env:
        STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}
        CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}
        RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}
        ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
        ARM_SUBSCRIPTION_ID: ${{ secrets.SUB_ID_APPORT }}
        ARM_TENANT_ID: ${{ secrets.TENANT_ID }}
      working-directory: ${{env.working-dir}}
      run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME"
    
    # Format TF configuration
    - name: Terraform Format
      id: fmt
      working-directory: ${{env.working-dir}}
      run: terraform fmt -write=true
      
    # Commit formatting changes
    - name: Commit Formatting Changes
      run: |
        git config --local user.email "github-actions[bot]@users.noreply.github.com"
        git config --local user.name "github-actions[bot]"
        git add .
        git commit -a -m "Add changes"

    # Push commits
    - name: Push Formatting Changes
      uses: ad-m/github-push-action@master
      with:
        branch: ${{ github.head_ref }}
        github_token: ${{ secrets.GITHUB_TOKEN }}
        force: true
  
    # Run a Terraform fmt -check
    - name: Terraform Format Check
      id: fmt_check
      working-directory: ${{env.working-dir}}
      run: terraform fmt -check

    # Run a Terraform validate
    - name: Terraform Validate
      id: validate
      if: success() || failure()
      env:
        ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
        ARM_SUBSCRIPTION_ID: ${{ secrets.SUB_ID_APPORT }}
        ARM_TENANT_ID: ${{ secrets.TENANT_ID }}
      working-directory: ${{env.working-dir}}
      run: terraform validate -no-color

    # Run a Terraform plan
    - name: Terraform Plan
      id: plan
      env:
        ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
        ARM_SUBSCRIPTION_ID: ${{ secrets.SUB_ID_APPORT }}
        ARM_TENANT_ID: ${{ secrets.TENANT_ID }}
      working-directory: ${{env.working-dir}}
      run: terraform plan -no-color

    # Add a comment to pull requests with plan results
    - name: Add Plan Comment
      id: comment
      uses: actions/github-script@v6
      env:
        PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
          #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
          #### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
          #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
      
          <details><summary>Show Plan</summary>
          
          \`\`\`${process.env.PLAN}\`\`\`
          
          </details>
          
          *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.working-dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
            
          github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: output
          })
@vetlekise (Author)

If I change the Push commits step to not use your action and run a git command instead, I don't get a permission error and instead I get this:

Error

Run git push origin HEAD:fmt-test12 --force-with-lease -u ***
  git push origin HEAD:fmt-test12 --force-with-lease -u ***
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    TF_LOG: INFO
    working-dir: ./LandingZones-Corp/Apport
    TERRAFORM_CLI_PATH: /home/runner/work/_temp/aac644ef-2077-4e9e-9801-5d1fe1944413
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
error: src refspec *** does not match any
error: failed to push some refs to 'https://github.com/CorpAutomationOrg-NearShore/sg'
Error: Process completed with exit code 1.

When I search for this error, it looks like it is unable to find the branch, but the branch is 100% present.

Different step

    # Push previously committed changes
    - name: Push Formatting Changes
      run: |
        git push origin HEAD:${{ github.head_ref }} --force-with-lease -u ${{ secrets.GITHUB_TOKEN }}

@ZPascal (Collaborator) commented Nov 9, 2023

Hi @vetlekise, could you please share your findings? What went wrong on your end?

From my end, it looks like your GH repository action settings are not configured properly.

@vetlekise (Author)

I got it working by using a fine-grained PAT targeting the organization repo with the permissions PullRequest: Read & Write and Contents: Read & Write, instead of the GITHUB_TOKEN.

New workflow that worked for me:

    # Commit formatting changes
    - name: Commit Formatting Changes
      env:
        # Pass the PR title through the environment instead of interpolating it
        # into the script, so a crafted title cannot inject shell commands
        PR_TITLE: ${{ github.event.pull_request.title }}
      run: |
        git config --local user.email "github-actions[bot]@users.noreply.github.com"
        git config --local user.name "github-actions[bot]"
        git branch -a
        git add .
        git commit -a -m "$PR_TITLE"
      continue-on-error: true

    # Push previously committed changes
    - name: Push Formatting Changes
      run: |
        git push --force origin HEAD:${{ github.event.pull_request.head.ref }}
  
    # Update the pull request branch with new code
    - name: Update Pull Request Branch
      run: |
        git fetch origin ${{ github.event.pull_request.head.ref }}
        git merge origin/${{ github.event.pull_request.head.ref }}
      env:
        GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
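
Two different failures are mixed together in this thread. The first, the 403 "Write access to repository not granted" from the action, is the token's scope: the workflow declares `permissions: contents: read`, so GITHUB_TOKEN cannot update refs no matter how the repository's Actions settings are configured; `contents: write` on that job is required, and a `pull_request` run triggered from a fork still receives a read-only token. The second, "src refspec *** does not match any", is a command-line parsing problem: in `git push origin HEAD:<branch> --force-with-lease -u <token>`, `-u` is `--set-upstream`, a flag that takes no value, so git reads the token as a second refspec. The shell script below is an editor's example added here, not code from the poster or from ad-m/github-push-action. It reproduces the refspec error against a local bare repository standing in for github.com, shows the correct command shape, and then shows why `--force-with-lease` (the poster's first attempt) is safer than the plain `--force` in the working solution: it refuses to overwrite a commit a contributor pushed to the PR branch while the job was running. The branch, file and token names are constructed for the demonstration; the script needs only `git` and a writable temporary directory.

```shell
#!/usr/bin/env sh
# Editor's example, not the poster's workflow or the action's code.
# Reproduces the "src refspec *** does not match any" failure and compares
# --force-with-lease with --force, using a local bare repository as a
# stand-in for github.com.  Branch, file and token names are constructed.
set -eu

# commit_file <repo> <file> <message>: append a line to a file and commit it.
commit_file() {
  printf '# %s\n' "$3" >>"$1/$2"
  git -C "$1" add "$2"
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid commit -q -m "$3"
}

# make_sandbox: a bare origin, a CI clone with one commit pushed to fmt-test,
# and a contributor's clone.  Prints the sandbox directory.
make_sandbox() {
  sandbox=$(mktemp -d)
  git init -q --bare "$sandbox/origin.git"
  git -C "$sandbox/origin.git" symbolic-ref HEAD refs/heads/fmt-test
  git init -q "$sandbox/clone"
  git -C "$sandbox/clone" symbolic-ref HEAD refs/heads/fmt-test
  commit_file "$sandbox/clone" main.tf "initial commit on the PR head branch"
  git -C "$sandbox/clone" remote add origin "$sandbox/origin.git"
  git -C "$sandbox/clone" push -q -u origin fmt-test >/dev/null
  git clone -q "$sandbox/origin.git" "$sandbox/other"
  printf '%s\n' "$sandbox"
}

# push_token_as_arg <sandbox> <token>: the poster's command.  -u is
# --set-upstream, a flag with no value, so git treats the token as a second
# refspec and looks for a local ref of that name.  Prints git's refspec
# error line and returns git's (non-zero) exit status.
push_token_as_arg() {
  commit_file "$1/clone" fmt.tf "terraform fmt"
  status=0
  git -C "$1/clone" push origin HEAD:fmt-test --force-with-lease -u "$2" \
    >/dev/null 2>"$1/push.err" || status=$?
  grep 'src refspec' "$1/push.err" || true
  return "$status"
}

# push_with_persisted_auth <sandbox> <token>: the correct shape.  The token
# never appears as an argument; for a github.com origin it travels in the
# Authorization header that actions/checkout writes to git config, and the
# push is a plain refspec push.  Against this local origin the header is
# simply unused.
push_with_persisted_auth() {
  auth=$(printf 'x-access-token:%s' "$2" | base64)
  git -C "$1/clone" config http.https://github.com/.extraheader \
    "AUTHORIZATION: basic $auth"
  git -C "$1/clone" push -q origin HEAD:fmt-test --force-with-lease
}

# lease_rejects_stale_push <sandbox>: a contributor pushes to the PR branch
# after the runner checked it out; the runner's --force-with-lease is then
# refused ("stale info") because its remote-tracking ref is out of date.
# Returns 0 when the push was refused, 1 if it went through.
lease_rejects_stale_push() {
  git -C "$1/other" pull -q --ff-only origin fmt-test
  commit_file "$1/other" contributor.tf "contributor pushes while CI runs"
  git -C "$1/other" push -q origin fmt-test
  commit_file "$1/clone" more.tf "terraform fmt, second run"
  if git -C "$1/clone" push -q origin HEAD:fmt-test --force-with-lease 2>/dev/null; then
    return 1
  fi
  return 0
}

# force_clobbers <sandbox>: the posted fix's plain --force.  It succeeds, and
# the contributor's commit is no longer reachable from fmt-test on origin.
# Returns 0 when that commit has been dropped from the branch.
force_clobbers() {
  contributor=$(git -C "$1/other" rev-parse HEAD)
  git -C "$1/clone" push -q --force origin HEAD:fmt-test
  ! git -C "$1/origin.git" merge-base --is-ancestor "$contributor" fmt-test
}

# run_demo: walk through the four steps and report each outcome.
run_demo() {
  sb=$(make_sandbox)
  if push_token_as_arg "$sb" ghp_constructedFakeToken; then
    echo "unexpected: token-as-argument push succeeded"
  else
    echo "reproduced: token parsed as a refspec, push rejected"
  fi
  push_with_persisted_auth "$sb" ghp_constructedFakeToken
  echo "plain push with configured auth: ok"
  lease_rejects_stale_push "$sb" && echo "--force-with-lease refused the stale push"
  force_clobbers "$sb" && echo "--force overwrote the contributor's commit"
  rm -rf "$sb"
}

run_demo
```

Run it with `sh push_demo.sh`. The take-away for the workflow above is that the push step needs no token argument at all once the job's token has `contents: write`, because actions/checkout has already persisted the credentials, and that `--force-with-lease` should be preferred over `--force` when a bot rewrites a branch a human is also pushing to.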

@ZPascal (Collaborator) commented Nov 25, 2023

@vetlekise Thank you for sharing your solution, but in general it should also work with the GH Action and, if you are pushing to the same repository the checked-out content comes from, also with the default token. I think you may have missed setting up the GitHub Actions push settings beforehand.
