How to commit and push to a protected branch
fredericbahr opened this issue · 5 comments
Hi,
first of all, great GitHub action.
I would like to commit and push to a protected branch (e.g. development), but cannot get it working, even using the `push` configuration.
Currently my GitHub action looks like this:
```yaml
- name: Extract branch name
  shell: bash
  run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
  id: extract_branch
- name: Commit Server Dist
  uses: EndBug/add-and-commit@v9 # You can change this to use a specific version.
  with:
    add: "apps/server/dist --force"
    default_author: user_info
    message: "[deployment] add server dist"
    push: origin ${{ steps.extract_branch.outputs.branch }} --force
```
It fails and says it cannot push to a protected branch.
In the logs I cannot see that my custom push command is used.
I would appreciate some help or hints.
Hi 👋🏻, can you post a link to the action run or, if in a private repo, a copy of the relevant logs?
Also, what protection rules did you apply to the branch? If the branch is protected against force pushes, for example, your only option to bypass that would be using your own PAT, provided that you can bypass that rule yourself.
Hi @EndBug ,
I am currently facing the same situation.
In my case, it is a branch that has required status checks.
Is there a way to bypass it with the action? 🙂
Hi @mirii1994, you can edit the `git push` command using the `push` input of the action.
If you're able to push and bypass branch protection rules from your machine on the terminal, using the same command + your PAT will do the trick.
I had the same issue, and was able to work around it by migrating the GitHub repo from Branch Protection Rules to Repository Rules.
More details here:
https://github.com/orgs/community/discussions/43460
https://github.blog/changelog/2023-04-17-introducing-repository-rules-public-beta/
Workaround with the legacy rules
If you create a [deploy key](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys) you can use that key to avoid branch protection rules. Here are the steps:
- Make a deployment SSH keypair
- Upload the public key to github as a deployment key
- Upload the private key to github as a repository level secret
  - By convention, name this secret “DEPLOY_KEY”
  - Anyone with “Admin” access to the repository can do this
  - You do NOT need to be an admin for all of github.com/your-org, just your repository
- Inside your workflow, check out the repository with the SSH key.
- 🛑 Github prevents two repositories from using the same deploy key. Your deploy key must be unique to your repo.
- 🛑 Remember to give the deploy key “write” access if you want to use it to push
- 🔴 Use empty passphrase when generating the key
Here was my bash history when I made the deploy key:

```bash
mkdir keygen
cd keygen
# Generate the key. Remember to use empty passphrase
ssh-keygen -t ed25519 -C "someuser@company.com" -f id_ed25519
cat id_ed25519.pub # Put this inside github
cat id_ed25519 # Make this a repository level secret
```
```yaml
name: Try force pushing to master
jobs:
  force-push:
    name: Force push
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          ssh-key: ${{ secrets.DEPLOY_KEY }}
      - ...
```
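
Added example (not part of the thread and not taken from either action's documentation): a complete workflow that combines the deploy-key checkout from the last comment with the `EndBug/add-and-commit` step from the original question. The trigger branch, the job name and the build step are assumptions, and it assumes the action's push reuses the SSH remote that `actions/checkout` configured.

```yaml
# Added example. DEPLOY_KEY is the secret name used in the comment above;
# the trigger branch and the build step are placeholders.
name: Commit server dist
on:
  push:
    branches: [development]

# The push is authenticated by the deploy key, so the job's GITHUB_TOKEN
# can stay read-only.
permissions:
  contents: read

jobs:
  commit-dist:
    runs-on: ubuntu-latest
    # Pushes made with a deploy key start new workflow runs (unlike pushes
    # made with GITHUB_TOKEN), so skip the run triggered by our own commit.
    if: ${{ !startsWith(github.event.head_commit.message, '[deployment]') }}
    steps:
      - name: Check out code with the deploy key
        uses: actions/checkout@v4
        with:
          ssh-key: ${{ secrets.DEPLOY_KEY }}

      - name: Build server # placeholder: replace with the real build command
        run: echo "build apps/server/dist here"

      - name: Commit server dist
        uses: EndBug/add-and-commit@v9
        with:
          add: "apps/server/dist --force"
          default_author: user_info
          message: "[deployment] add server dist"
```

A write-enabled deploy key with no passphrase grants push access to anyone who can read the secret, so limit who can edit workflows on the repository and rotate the key when that group changes.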