peaceiris/actions-gh-pages

About limitation of GITHUB_TOKEN

peaceiris opened this issue Β· 40 comments

GitHub Actions v2 is still beta and deploying to GitHub Pages with GITHUB_TOKEN has some problems. Until it is fixed, I provide ACTIONS_DEPLOY_KEY to deploy with ssh from peaceiris/actions-gh-pages@v2.0.0

Does this cause the fatal: could not read Username for 'https://github.com': No such device or address error?

No, your case seems to be new. Please create a new issue and tell me more details.

I ran into the same issue. The manual way to fix it is from settings, flip your branch to master and then back to gh-pages.

A better way to fix it is to create a personal access token and use that in secrets instead.

Thanks @thefringeninja

I will release v2.1.0 soon. It supports GITHUB_TOKEN and ACTIONS_DEPLOY_KEY. ACTIONS_DEPLOY_KEY is for deploying with ssh.

A better way to fix it is to create a personal access token and use that in secrets instead.

Ok. v2.2.0 will have PERSONAL_TOKEN for setting up with a personal access token.

v2.1.0 is released.

@peaceiris : Do you know if there is a support ticket for this problem ?

This problem is a known issue. I have faced the same issue on GitHub Actions v1 and some people have reported this to GitHub support. As we see at the JamesIves/github-pages-deploy-action#5, GitHub should already know this. If this issue is not fixed for a long time, we probably
should report this in the GitHub Community Forum as well.

I found the post on the GitHub Community Forum.

Github action not triggering gh-pages upon push - GitHub Community Forum

Community Manager said:

The GITHUB_TOKEN that is provided as a part of GitHub Actions doesn't have authorization to create any successive events, such as GitHub Pages builds. So while you can push to the gh-pages branch using the GITHUB_TOKEN, it won't spawn a GitHub Pages build. You'll need to create a personal access token and supply it to your GitHub Action as a secret.

Yes, it seems like that's not a bug but a normal behavior in the context of the security rule imposed in Github Actions which is "A workflow can not trigger another workflow".

I posted an answer to ask if they could re-consider this limitation in this precise use case due to the obvious usability issue it creates. I propose that we wait their answer and if it's negative we could just close this issue as "not a bug" and adapt the documentation of this project to explain it will never be possible to use GITHUB_TOKEN. (And that we are doomed to create a personal access token each time we want to use anything other than Jekyll to publish on Github Pages :-) )

Thank you @nicolas-van

Yes, it seems like that's not a bug but a normal behavior in the context of the security rule imposed in Github Actions which is "A workflow can not trigger another workflow".

I got it clearly. I will update the README following your suggestion.

Hmmm, according to the most recent answer of this thread it might not be by design in the end. I'm gonna test what is proposed to see if it works when I have some time.

Yes, I am also following that thread.

Here's an example that should work:

# pushes using the user that kicked off the action. Requires `jq` in the builder
git config user.name $(jq .pusher.username $GITHUB_PAYLOAD)
git config user.email $(jq .pusher.email $GITHUB_PAYLOAD)

git add --all
git commit -m "Publish to gh-pages branch"
git remote add pages https://x-access-token:$GITHUB_TOKEN@github.com/:owner/:repo.git
git push pages gh-pages -f

This action already supports the above and I tested at peaceiris/hugo-test-project. I could push to gh-pages branch using GITHUB_TOKEN but GitHub Pages building did not start.

I found it. The following step works well for only private repo. For private repositories,GITHUB_TOKEN works well but public repositories failed.

    - name: Deploy
      uses: peaceiris/actions-gh-pages@v2.4.0
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        PUBLISH_BRANCH: gh-pages
        PUBLISH_DIR: ./public

I have a private repo setup and GITHUB_TOKEN still isn't working. I see someone else above had the same issue as me: #13 but he just moved to a deploy key. Do we know if there's a actual solution to that above?

This problem is about permissions of the default token between GitHub Pages and GitHub Actions. GitHub team is investigating it and we are waiting for a good reply from them. Currently, there is no actual solution.

I was using the PERSONAL_TOKEN env variable and passing in a GITHUB_TOKEN, oops :) Switching that to a GITHUB_TOKEN env variable with a GITHUB_TOKEN, everything worked perfectly :) Thanks!

I had a chat with someone at GitHub today about this very issue (calling Actions from other Actions) and found out that, while GitHub Actions won’t trigger push events for other actions, they do trigger repo events, so if you listen for a repo event instead of a the push event you avoid this issue.

Thank you @mikeal

Do you mean that the default GITHUB_TOKEN does not have permission for repo events on a public repository? I think the token has repo events access. Why cannot we trigger the GitHub Pages build event with the default GITHUB_TOKEN on a public repository? (On a private repository, we can do that.)

Hello,

In my case I am added as a collaborator (full admin access) to an Organization. I am trying to setup a simple static site push to gh-pages. I have setup using ACTIONS_DEPLOY_KEY. The deploy succeeds but the site changes are not reflected. In-fact if I manually delete gh-pages branch and re-run the action, it succeeds again, but the site is never published. All the code seems okay in gh-pages. What am I doing wrong? here' s my action yaml

name: Publish Site

on:
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Master Branch
        uses: actions/checkout@v1

      - name: Build
        run: |
          rm -rf dist
          rsync -rv --exclude=.git --exclude=.github . dist

      - name: Deploy to gh-pages
        uses: peaceiris/actions-gh-pages@v2.5.0
        env:
          ACTIONS_DEPLOY_KEY: ${{ secrets.ACTIONS_DEPLOY_KEY }}
          PUBLISH_BRANCH: gh-pages
          PUBLISH_DIR: ./dist

@shaunakv1 Please go to #52

@peaceiris I miss-interpreted the issue a little bit. This is going to be an issue unless github moves their internal event signal for gh-pages to this, there’s no much we can do on the outside 😰

The deployment key option is still a current workaround better than a personal access token (PAT has too large scope). I hope that GitHub Pages build event can be triggered by GITHUB_TOKEN on a public repository. (GITHUB_TOKEN can trigger the event on a private repository.)

v3 has been released. But we cannot use GITHUB_TOKEN on a public repository.

Hi, all!

Now, I tested deployment with github_token on some repositories. It looks working well...

I do not know any official announcement of the GitHub starts to support triggering the GitHub Pages build event using GITHUB_TOKEN on public repositories...

I can also confirm it works. Demonstration on this repository: https://github.com/nicolas-van/hugotest

Hurray !

Also having success with secrets.DEPLOY_KEY deploying to GitHub Pages on a public repo in manubot/rootstock#310 (does not use this action). Thanks @peaceiris for monitoring this. Hopefully, the fix is permanent!

Unfortunately, the build with GITHUB_TOKEN sometimes fails... Be careful.

Didn't had a problem personally.

The only strange behavior I encountered was that, when I created this repository (which is a reusable boilerplate for Parcel I was hoping to create for a long time by the way), I had to kind of "confirm" to Github in the settings of the repository that I really wanted to deploy that web site from the gh-pages branch.

Then I made 40+ commits that all triggered a publish without problem.

@nicolas-van Thank you for telling me your log and the boilerplate looks very useful.

In my case, when I push two commits with shorter intervals, the first one fails.

Screen Shot 2020-02-19 at 0 59 26

Commits master branch Β· peaceiris/peaceiris.github.io

From another point of view, that behavior also sounds good. When the second event starts in the middle of the first one, the first one may be canceled. It is my expectation.

See #104 (comment)

I am attempting to use secrets.GITHUB_TOKEN on a public repository. The one commit that did get generated and pushed to gh-pages, does not seem to have triggered a GitHub Pages build, despite reports this is now working at #9 (comment).

I addition to the quote above. I've also experienced inconsistent triggering of GitHub Pages build at https://github.com/dhimmel/rootstock-branchless-setup/commits/gh-pages:

image

See how the first commit did not trigger a build. In Settings, I switched GitHub Pages to build master and then switched back to gh-pages and that seemed to resolve the issue. Note that the master branch build for the commit that did not trigger Pages has previously failed. In both cases, the failed deployment followed a master commit whose workflow previously failed and now passed. Not sure if this has any relevance.

I had to kind of "confirm" to Github in the settings of the repository that I really wanted to deploy that web site from the gh-pages branch.

Yeah, I think this is the case for me too. Initially upon going to the settings after there is a GITHUB_TOKEN created commit on gh-pages branch:

image

And then after re-selecting "gh-pages" branch for source:

image

Subsequently, I make a dummy commit like git commit --allow-empty --message "rebuild". The gh-pages commit from now does trigger a pages build.

Yeah, I had exactly the same behavior in the Settings page.

Another problem I had additionally was that adding a empty commit after fixing the settings didn't seemed sufficient. It triggered the Gihub Actions workflow but not the Github Pages workflow. It seemed necessary to really alter the content of the gh-pages branch in order to publish. It may be useful that say that I'm using Parcel, which generates exactly the same content byte-per-byte given the same source files to optimize caches, and that I use a .nojekyll file to avoid problems.

I think Github has some mechanism to avoid publishing if the content of gh-pages didn't changed, at least when using the .nojekyll file.

By the way, this is completely unrelated but it could be a good idea to add that .nojekyll file by default in your action. 99% of the users will need it, will probably not read the whole documentation so they won't know, and will inevitably encounter a hard to debug problem sooner or later. (I'm convinced all serious users of Github Pages already lost at least one hour of their time because of that damn file like I did ^^ )

Another problem I had additionally was that adding a empty commit after fixing the settings didn't seemed sufficient

If using an empty commit with this action, you would have to set allow_empty_commit: true in the YAML. Could that have been the issue?

I've read this thread three times, but couldn't quite understand - does deployment work with GITHUB_TOKEN at the end or not? README now states that it doesn't does, but this issue is still open.

My experients show that it does work.

@slonopotamus Yes, the deployment with GITHUB_TOKEN has worked well on public repositories since a week ago. But, we have no official announcement by GitHub. I opened #115 to update the README. Maybe, we need more time to check whether GITHUB_TOKEN is stable, or not, before merging that pr.

Finally, I put the github_token as a first example on the README. πŸŽ‰ #115

If the deployment with GITHUB_TOKEN in public repositories fails again, we can reopen this issue.

Thanks!

This issue has been LOCKED because of it being resolved!

The issue has been fixed and is therefore considered resolved.
If you still encounter this or it has changed, open a new issue instead of responding to solved ones.