Joel

Reputation: 8948

GitHub Action that updates the workflow file of another Action

I have two GitHub Actions in the same repo. I'm trying to update one from the other, but I get the following error when trying to commit and push the changes:

! [remote rejected] HEAD -> some-branch (refusing to allow a GitHub App to create or update workflow .github/workflows/the-other-action.yml without workflows permission)

This is a simplified version of the GH Action I'm trying to run:

name: my-action

on:
  workflow_dispatch:
  schedule:
    - cron: "0 9 * * *"

jobs:
  components:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v2

      - name: Update the other Action
        run: |
          # Do something to .github/workflows/the-other-action.yaml here

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: some-branch
          commit-message: Updated stuff

I'm trying to figure out how to give the workflows permission to the GITHUB_TOKEN, but not sure how to?

(For context: I'm running this action once per day to check if a new version of a tool used in the other action has been released. If so, it creates a PR updating the other action to use the newer version instead)

Upvotes: 4

Views: 3533

Answers (2)

VonC

Reputation: 1324228

You need to use a Personal Access Token with workflows permission here, instead of the GITHUB_TOKEN which has a defined scope.

Actually, this just changed (Sept. 8th, 2022) with:

GitHub Actions: Use the GITHUB_TOKEN with workflow_dispatch and repository_dispatch

Customers will now be able to use the GITHUB_TOKEN with workflow_dispatch and repository_dispatch events to trigger workflows.

Prior to this change, events triggered by GITHUB_TOKEN would not create a new workflow run. This was done to prevent the accidental trigger of endless workflows.

This update makes an exception for workflow_dispatch and repository_dispatch events since they are explicit calls made by the customer and not likely to end up in a loop.

name: Create Workflow Dispatch

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger Workflow
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'test.yml',
              ref: 'main',
            })

For more details see Triggering a workflow from a workflow.

So GITHUB_TOKEN might now work.


In the context of the OP's question: the primary task here is to modify a workflow file from within another workflow.

The recent GitHub change that I mention above allows for triggering workflows with the GITHUB_TOKEN, but it does not explicitly mention whether the token can be used to push changes to workflow files directly. That ability would solve the original issue.

You will still need to modify your workflow to commit and push the changes to the workflow file. The step in the action where you are trying to update the workflow file would look something like this:

- name: Update the other Action
  run: |
    # Do something to .github/workflows/the-other-action.yaml here
    git config --local user.email "[email protected]"
    git config --local user.name "GitHub Action"
    git add .github/workflows/the-other-action.yaml
    git commit -m "Update the other Action"
    git push

You need to use a token that has the necessary permissions to push the changes, and you can test it with the updated abilities of the GITHUB_TOKEN.

With the peter-evans/create-pull-request@v3 action, that would be:

- name: Create Pull Request
  uses: peter-evans/create-pull-request@v3
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    branch: some-branch
    commit-message: Updated stuff

Upvotes: 4

GuiFalourd

Reputation: 22970

You need to use a Personal Access Token with workflows permission here, instead of the GITHUB_TOKEN which has a defined scope.

Moreover, if this ${{ secrets.GITHUB_TOKEN }} is your PAT, there might be a problem because you can't add secrets with the GITHUB_ prefix. So you would have to rename the secret following this syntax.

Upvotes: 4
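A version of the questioner's workflow that applies both answers (an added example, not code from the question or from either answer): the push of the edited workflow file goes through a Personal Access Token stored under a secret name that does not start with GITHUB_, and the default GITHUB_TOKEN is restricted to read-only so the run holds no more privilege than it needs. The secret name WORKFLOW_UPDATE_PAT, the sed edit and the tool name some-tool are assumptions.

```yaml
name: my-action

on:
  workflow_dispatch:
  schedule:
    - cron: "0 9 * * *"

# The default GITHUB_TOKEN can never write files under .github/workflows/,
# so nothing is lost by pinning it to read-only for the whole workflow.
permissions:
  contents: read

jobs:
  components:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v2

      - name: Update the other Action
        run: |
          # Constructed example edit: bump the pinned version of a tool in the
          # other workflow. NEW_VERSION would come from the daily release check
          # the question describes; "some-tool" is a placeholder name.
          NEW_VERSION="1.2.3"
          sed -i "s/some-tool@v[0-9.]*/some-tool@v${NEW_VERSION}/" \
            .github/workflows/the-other-action.yaml

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v3
        with:
          # WORKFLOW_UPDATE_PAT is a hypothetical secret holding a PAT created
          # with the "workflow" scope (classic PAT) or "Workflows: read and
          # write" (fine-grained PAT). Only this step gets it: it is the one
          # that pushes the branch, which is what the remote rejected when
          # GITHUB_TOKEN was used. The secret name must not begin with GITHUB_.
          token: ${{ secrets.WORKFLOW_UPDATE_PAT }}
          branch: some-branch
          commit-message: Updated stuff
```

Because the PAT can rewrite workflow files, scope it to this one repository and treat the daily edit as code review material rather than auto-merging the resulting PR.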
