TL;DR: What is the correct workflow for using the sbt-release plugin with a GitHub protected branch?

I'm using the sbt-release plugin to auto-increment the project version files and to commit them to the main branch. In addition, I would like to set the main branch as a GitHub protected branch.

In order to do it, I've created a GitHub token for the CI flow and granted it push permissions.

The flow works as follows: once a PR is reviewed and merged to main (the protected branch), more tests are executed in GitHub Actions and the final step is to call an sbt task for creating a release. This task uses the sbt-release plugin to push the version file changes to the repository.

However, the CI flow is not able to push the changes to the protected branch:

[info] remote: error: GH006: Protected branch update failed for refs/heads/master.
[info] remote: error: 3 of 3 required status checks are expected.
[info] To https://github.com/piplcom/dap-test
[info]  ! [remote rejected] master -> master (protected branch hook declined)

What is the correct workflow? What am I missing in here?

Matan

1 Answer

As described in "How to resolve GH006 Protected Branch Update Failed" from Paul Mowat, a solution would be to use a dedicated account with a token:

  • Create a new GitHub user specifically for building.
  • Create a new personal access token for that user with access to repo.
  • Add the personal access token as a GitHub secret e.g. BUILD_SVC_PAT.
  • Update your branch protection and add your new build user to 'Restrict who can push to matching branches'.
  • Update your GitHub action to check out the code using the GitHub secret.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checking out...
        uses: actions/checkout@v2
        with:
          token: ${{ secrets.BUILD_SVC_PAT }}

The OP Matan has already done that, but adds in the comments:

it was my bad: We use the sbt-github-actions plugin and missed setting the GitHub token in the publish stage as well.
It now works as expected!

VonC
  • Thank you @VonC for your response. I've already tried that but I'm still getting the same error. Anything else to share? – Matan May 09 '22 at 09:32
  • @Matan Strange. Maybe the token is not correctly created? Or for a user without proper access? If not, check if this might have any effect on your situation: https://github.blog/changelog/2022-05-03-github-actions-prevent-github-actions-from-creating-and-approving-pull-requests/ – VonC May 09 '22 at 09:37
  • Solved this issue, it was my bad. We use the `sbt-github-actions` plugin and missed setting the GitHub token in the publish stage as well. It now works as expected! Thanks for your help :) – Matan May 09 '22 at 11:37
  • @Matan Great, well done! I have edited the answer to include your comment as well as relevant link. – VonC May 09 '22 at 12:45
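
An added example, not taken from the answer, the comments or any project's generated workflow: a hand-written two-job workflow showing the failure mode from the last comment beside its fix. Each job runs on a fresh runner, so the credentials that `actions/checkout` stores for later `git push` calls do not carry over from `build` to `publish`. The job names, the `main` branch filter, the git identity and the `sbt` commands are assumptions; `BUILD_SVC_PAT` is the secret name used in the answer.

```yaml
# Added example (assumed names; not generated by sbt-github-actions).
name: ci
on:
  push:
    branches: [main]        # assumed name of the protected branch

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # This job only reads the repository, so the default token is
      # sufficient and the PAT is not exposed to the test step.
      - uses: actions/checkout@v2
      - run: sbt test       # assumes a JDK and sbt are available on the runner

  # Before (weak): publish checks out without the PAT, so the push made by
  # the release task does not come from the build user and is rejected
  # by branch protection, as in the question.
  #
  # publish:
  #   needs: build
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v2
  #     - run: sbt "release with-defaults"

  # After (corrected): the job that pushes checks out with the build
  # user's PAT, which checkout persists in the local git config.
  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          token: ${{ secrets.BUILD_SVC_PAT }}
      - name: Set commit identity (placeholder values)
        run: |
          git config user.name "build-svc"
          git config user.email "build-svc@example.invalid"
      - run: sbt "release with-defaults"
```

Only the job that pushes needs the PAT; keeping it out of the other jobs limits where a token that can write to the protected branch is available.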