Github protected branch hook declined even with allow force pushes

Question

I have a branch protection to my test branch, but i need to execute every pull request merged a action to update the version of the software and commit in the test branch.

Even with the tag --force the error appear:

INPUT_TAGGING_MESSAGE: 
No tagging message supplied. No tag will be added.
INPUT_PUSH_OPTIONS: --force
remote: error: GH006: Protected branch update failed for refs/heads/test.        
remote: error: Changes must be made through a pull request.        
 ! [remote rejected] HEAD -> test (protected branch hook declined)
error: failed to push some refs to 'https://github.com/***/***'
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v4/index.js:17:19)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5) {
  code: 1
}
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v4/index.js:17:19)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

I allowed everyone to push with force in this branch:

My workflow action:

name: Version Update

on:
  pull_request:
    branches: 
      - master
      - test
    types: [closed]

jobs:
  version_update:
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == true
    steps:
    - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e
      with:
        php-version: '8.1'
    - name: Get branch name
      id: branch-name
      uses: tj-actions/branch-names@v6
    - uses: actions/checkout@v3
      with:
        ref: ${{ steps.branch-name.outputs.base_ref_branch }}
    - name: Copy .env
      run: php -r "file_exists('.env') || copy('.env.example', '.env');"
    - name: Install Dependencies
      run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
    - name: Generate key
      run: php artisan key:generate
    - name: Update Patch Version
      if: steps.branch-name.outputs.current_branch != 'test'
      run: php artisan version:patch
    - name: Update Minor Version
      if: steps.branch-name.outputs.current_branch == 'test'
      run: php artisan version:minor
    - name: Update Timestamp
      run: php artisan version:timestamp
    - name: Update Commit
      run: php artisan version:absorb
    - name: Commit changes
      uses: stefanzweifel/git-auto-commit-action@v4
      with:
        commit_message: "version: update patch"
        branch: ${{ steps.branch-name.outputs.base_ref_branch }}
        push_options: '--force'

Answer 1

If the branch protection is active and the option "Require a pull request before merging" is marked, this will prevent any push even with --force to go to your protected branch.

In the github is impossible to push in a branch with option "Require a pull request before merging"

My solution for this problem is to work without this option.

Answer 2

There is a "Allow specified actors to bypass required pull requests" option nested under "Require a pull request before merging". Enable that and put in the user used to run the actions as exception worked for me.

Note that we created a GitHub App identity as "the exception user", added that to the exception list and use that to run the workflow (we use https://github.com/getsentry/action-github-app-token to load token from GitHub App to run workflow) because we don't know how to reference the "default user used to run action workflows".