Allow GitHub actions to merge PRs on protected branch

I have configured my repository so that GitHub actions are able to approve PRs

I have a branch protection rule requiring 1 approval before merging.

However, the following step fails:

      - name: perform the merge if applicable
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
        run: |
            echo "Approving PR..."
            gh pr review --approve ${{ github.event.issue.number }}
            echo "Merging PR..."
            gh pr merge ${{ github.event.issue.number }} --admin --squash

(the PR is indeed approved but the merge fails)

    Approving PR...
    Merging PR...
    Message: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information., Locations: [{Line:1 Column:58}]

How can I allow github-actions bot to also merge the PR?

update 1

after removing the --admin flag, just in case

    Approving PR...
    Merging PR...
    X Pull request #199 is not mergeable: the base branch policy prohibits the merge.
    To have the pull request merged after all the requirements have been met, add the `--auto` flag.
    To use administrator privileges to immediately merge the pull request, add the `--admin` flag.

update 2

I have added the following permissions to the GITHUB_ACTIONS token, without any effect whatsoever

    permissions:
      contents: write
      pull-requests: write
      repository-projects: write

Kurzawa answered 1/11, 2022 at 9:54 Comment(8)
Who is the creator of the PR you want to merge? The creator of a PR cannot approve his/her own PR - if the PR is created by a GH action, I guess it won't work. - Clotho
The creator is me (not GH actions) and that's why github-actions bot is able to approve it (but for some reason, not to merge it). - Kurzawa
Have you tried to remove the --admin flag from the gh pr merge command? As far as I know, GH actions cannot perform admin tasks with their default GH_TOKEN. - Clotho
Just tried it. Check my update in the question. - Kurzawa
Okay, great. I guess the first "permission denied" was related to the admin flag. As I cannot see the requirements you defined, could it be the case that there are still required actions running, like for linting or testing? Have you tried the --auto flag? - Clotho
Turns out --auto and --admin cannot be combined: `specify only one of --auto, --disable-auto, or --admin` - Kurzawa
Sure, please try only the --auto flag. In addition, what requirements do you have set for the branch policy? - Clotho
Disallowing direct pushes to the protected branch; I wouldn't expect this to affect it, since it is not a direct push. - Kurzawa
The default GITHUB_TOKEN doesn't have admin rights. You need to change it with a custom token of the user with admin rights.

Example:

    jobs:
      Merge_PR_Example:
        runs-on: ubuntu-latest

        permissions:
          contents: write
          pull-requests: write
          repository-projects: write

        env:
          GH_TOKEN: ${{ secrets.ADMIN_RIGHTS_TOKEN }}

        steps:
          - uses: actions/checkout@v3

          - name: Merge PR
            run: gh pr merge ${{ github.event.issue.number }} --admin --squash
            env:
              GH_TOKEN: ${{ secrets.ADMIN_RIGHTS_TOKEN }}

Select all repo and workflow scopes for the token. These are enough.

Selected scopes for the token

Heterogeneous answered 26/1, 2023 at 0:24 Comment(0)
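
An added example, not part of the question or the answer above: a step script that avoids `--admin` and leaves the branch protection in force, merging directly only when GitHub reports the PR as mergeable and otherwise queuing it with `--auto`, the flag named in the gh output in the question. `merge_plan`, `run_merge` and the `PR_NUMBER` variable are names assumed for this example, and `--auto` assumes auto-merge is enabled in the repository settings.

```shell
#!/bin/sh
# Added example: pick a merge strategy that never bypasses branch protection.
# merge_plan / run_merge / PR_NUMBER are assumed names, not from the original post.

# Map the PR state reported by GitHub to an action: merge | auto | stop.
#   $1 = reviewDecision   (APPROVED, CHANGES_REQUESTED, REVIEW_REQUIRED or empty)
#   $2 = mergeStateStatus (CLEAN, HAS_HOOKS, BLOCKED, BEHIND, UNSTABLE, UNKNOWN, DIRTY, DRAFT)
merge_plan() {
  case "$2" in
    DIRTY|DRAFT) echo stop; return 0 ;;        # conflicts or draft: nothing to queue
  esac
  if [ "$1" = "CHANGES_REQUESTED" ]; then
    echo stop; return 0                         # a reviewer objected: leave it to a human
  fi
  case "$2" in
    CLEAN|HAS_HOOKS) echo merge ;;              # every requirement already met
    *)               echo auto ;;               # blocked or pending: let GitHub merge later
  esac
}

run_merge() {
  pr="$1"
  # Accept digits only, so the value can never be read as an option or extra argument.
  case "$pr" in
    ''|*[!0-9]*) echo "PR number must be numeric" >&2; return 2 ;;
  esac
  review=$(gh pr view "$pr" --json reviewDecision --jq .reviewDecision) || return 1
  state=$(gh pr view "$pr" --json mergeStateStatus --jq .mergeStateStatus) || return 1
  # Log both values so a refused merge can be explained from the job output.
  echo "reviewDecision=$review mergeStateStatus=$state"
  case "$(merge_plan "$review" "$state")" in
    merge) gh pr merge "$pr" --squash ;;
    auto)  gh pr merge "$pr" --squash --auto ;;
    *)     echo "PR #$pr is not mergeable, leaving it for a human" >&2; return 1 ;;
  esac
}

# Runs only when the workflow step exports PR_NUMBER (and GH_TOKEN for gh).
if [ -n "${PR_NUMBER:-}" ]; then
  run_merge "$PR_NUMBER"
fi
```

In a workflow step, set `PR_NUMBER: ${{ github.event.issue.number }}` under `env:` next to `GH_TOKEN` instead of interpolating the expression into the script text.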
