
I have configured my repository so that GitHub actions are able to approve PRs


I have a branch protection rule requiring 1 approval before merging.


However the following step fails

      - name: perform the merge if applicable
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
        run: |
            echo "Approving PR..."
            gh pr review --approve ${{ github.event.issue.number }}
            echo "Merging PR..."
            gh pr merge ${{ github.event.issue.number }} --admin --squash

(the PR is indeed approved but the merge fails)

    Approving PR...
    Merging PR...
    Message: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information., Locations: [{Line:1 Column:58}]

How can I allow github-actions bot to also merge the PR?

update 1

after removing the --admin flag, just in case

    Approving PR...
    Merging PR...
    X Pull request #199 is not mergeable: the base branch policy prohibits the merge.
    To have the pull request merged after all the requirements have been met, add the `--auto` flag.
    To use administrator privileges to immediately merge the pull request, add the `--admin` flag.

update 2

I have added the following permissions to the GITHUB_ACTIONS token, without any effect whatsoever

    permissions:
      contents: write
      pull-requests: write
      repository-projects: write

pkaramol

  • Who is the creator of the PR you want to merge? The creator of a PR cannot approve his/her own PR - if the PR is created by a GH action, I guess it won't work. – tjarbo Nov 01 '22 at 10:08
  • The creator is me (not GH actions) and that's why the `github-actions` bot is able to approve it (but for some reason, not to merge it) – pkaramol Nov 01 '22 at 10:13
  • Have you tried to remove the `--admin` flag from the `gh pr merge` command? As far as I know, GH actions cannot perform admin tasks with their default GH_TOKEN. – tjarbo Nov 01 '22 at 10:15
  • Just tried it. Check my update in the question – pkaramol Nov 01 '22 at 10:19
  • Okay, great. I guess the first "permission denied" was related to the admin flag. As I cannot see the requirements you defined, could it be the case that there are still required actions running, like for linting or testing? Have you tried the `--auto` flag? – tjarbo Nov 01 '22 at 10:29
  • Turns out `--auto` and `--admin` cannot be combined: "specify only one of `--auto`, `--disable-auto`, or `--admin`" – pkaramol Nov 01 '22 at 10:49
  • Sure, please try only the `--auto` flag. In addition, what requirements do you have set for the branch policy? – tjarbo Nov 01 '22 at 12:11
  • Disallowing direct pushes to the protected branch; I wouldn't expect this to affect it, since **it is not a direct push** – pkaramol Nov 01 '22 at 12:15

1 Answer


The default GITHUB_TOKEN doesn't have admin rights. You need to change it with a custom token of the user with admin rights.

Example:

    jobs:
      Merge_PR_Example:
        runs-on: ubuntu-latest

        permissions:
          contents: write
          pull-requests: write
          repository-projects: write

        env:
          GH_TOKEN: ${{ secrets.ADMIN_RIGHTS_TOKEN }}

        steps:
          - uses: actions/checkout@v3

          - name: Merge PR
            run: gh pr merge ${{ github.event.issue.number }} --admin --squash
            env:
              GH_TOKEN: ${{ secrets.ADMIN_RIGHTS_TOKEN }}

Select all repo and workflow scopes for the token. These are enough.

denisq
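
Added example, not part of the question or the answer above: a shell wrapper for the workflow step that tells apart the two failures quoted in the question and, when branch policy blocks the merge, queues it with `--auto` instead of passing `--admin`, so the job needs no admin-scoped token. The function names are hypothetical, and it is an assumption that auto-merge is enabled in the repository settings and that the token in `GH_TOKEN` is allowed to turn it on for the PR.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names, not from the original post).

# classify_merge_failure <gh output>
# Maps the two error messages quoted in the question to a short cause.
classify_merge_failure() {
  case "$1" in
    *"not authorized to push to this branch"*)
      echo "admin-denied" ;;      # --admin was used with a token lacking admin rights
    *"base branch policy prohibits the merge"*)
      echo "policy-blocked" ;;    # branch protection requirements not yet satisfied
    *)
      echo "unknown" ;;
  esac
}

# merge_pr <pr-number>
# Tries a plain squash merge first. If branch policy blocks it, asks GitHub to
# merge once requirements are met (--auto). Never passes --admin.
# Prints: merged | queued | admin-denied | policy-blocked | unknown
merge_pr() {
  _mp_pr="$1"
  if _mp_err="$(gh pr merge "$_mp_pr" --squash 2>&1)"; then
    echo "merged"
    return 0
  fi
  _mp_cause="$(classify_merge_failure "$_mp_err")"
  if [ "$_mp_cause" = "policy-blocked" ]; then
    # Assumption: auto-merge is enabled for the repository.
    if gh pr merge "$_mp_pr" --auto --squash >/dev/null 2>&1; then
      echo "queued"
      return 0
    fi
  fi
  echo "$_mp_cause"
  return 1
}
```

In the workflow step this would be called as `merge_pr "$PR_NUMBER"` after the `gh pr review --approve` line, with `PR_NUMBER` set from the event in the step's `env:`.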