@rootfs , I need your help on ad-m/github-push-action#96

I suppose so far we fixed in CI at PR action. as I suppose in this action, we don't need github action create commit and update in specific branch for test coverage. the test coverage should be refreshed by a commit once after code been merged.

but, the permission issue still there, I am not sure if we should use a specific configured github token?
https://docs.github.com/cn/actions/security-guides/automatic-token-authentication

permissions:
  pull-requests: write
  contents: write
  repository-projects: write

if those permission doesn't works for our project. @rootfs , I suppose we may need to consider a personal access token (PAT)

You can use the permissions key to add and remove read permissions for forked repositories, but typically you can't grant write access. The exception to this behavior is where an admin user has selected the Send write tokens to workflows from pull requests option in the GitHub Actions settings. For more information, see "Managing GitHub Actions settings for a repository."

ref https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token

https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions

otherwise, I suppose we may need a https://docs.github.com/en/actions/security-guides/automatic-token-authentication#granting-additional-permissions

@rootfs, please help investigate.

or I find another sample as https://github.com/step-security/secure-workflows/blob/main/.github/workflows/test.yml#L43 @rootfs , do you mind we use codecov ?

or otherwise, we have to ... suffered from github token permissions.

this is the new error

Run ad-m/github-push-action@master
Push to branch main
Pushing to https://github.com/sustainable-computing-io/kepler.git
POST git-receive-pack (553 bytes)
remote: error: GH00[6](https://github.com/sustainable-computing-io/kepler/actions/runs/3074454697/jobs/4967251894#step:9:7): Protected branch update failed for refs/heads/main.        
remote: error: At least 1 approving review is required by reviewers with write access.        
To https://github.com/sustainable-computing-io/kepler.git
 ! [remote rejected] HEAD -> main (protected branch hook declined)
error: failed to push some refs to 'https://github.com/sustainable-computing-io/kepler.git'
Error: Invalid exit code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1022:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:28[7](https://github.com/sustainable-computing-io/kepler/actions/runs/3074454697/jobs/4967251894#step:9:8):5) {
  code: 1
}
Error: Invalid exit code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1022:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:2[8](https://github.com/sustainable-computing-io/kepler/actions/runs/3074454697/jobs/4967251894#step:9:9)7:5)

or I find another sample as https://github.com/step-security/secure-workflows/blob/main/.github/workflows/test.yml#L43 @rootfs , do you mind we use codecov ?

or otherwise, we have to ... suffered from github token permissions.

codecov looks promising: The latest release of this Action adds support for tokenless uploads from GitHub Actions!

Can you try it on?

this is the new error

Run ad-m/github-push-action@master
Push to branch main
Pushing to https://github.com/sustainable-computing-io/kepler.git
POST git-receive-pack (553 bytes)
remote: error: GH00[6](https://github.com/sustainable-computing-io/kepler/actions/runs/3074454697/jobs/4967251894#step:9:7): Protected branch update failed for refs/heads/main.        
remote: error: At least 1 approving review is required by reviewers with write access.        
To https://github.com/sustainable-computing-io/kepler.git
 ! [remote rejected] HEAD -> main (protected branch hook declined)
error: failed to push some refs to 'https://github.com/sustainable-computing-io/kepler.git'
Error: Invalid exit code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1022:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:28[7](https://github.com/sustainable-computing-io/kepler/actions/runs/3074454697/jobs/4967251894#step:9:8):5) {
  code: 1
}
Error: Invalid exit code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/ad-m/github-push-action/master/start.js:29:21)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1022:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:2[8](https://github.com/sustainable-computing-io/kepler/actions/runs/3074454697/jobs/4967251894#step:9:9)7:5)

yea... it blocks by default branch protection rule?
@rootfs you have set the rule as at least one approve right?

https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule @rootfs could you please try to find a way to skip approve validation for github action?

Optionally, to allow specific actors to push code to the branch without creating pull requests when they're required, select Allow specified actors to bypass required pull requests. Then, search for and select the actors who should be allowed to skip creating a pull request.

@SamYuan1990 We need an actor from our organization for that, github-action is not an actor.

@SamYuan1990 We need an actor from our organization for that, github-action is not an actor.

I suppose some thing we can do:

1. remove push back to main in CI to avoid break CI ? (optional)

for moving next,
2. open ticket to github action/github support for help. (optional)
3. personal access token (PAT) (optional)
4. try to find another test cover badge. (optional)

the wired thing is, if we take action for item 1, then we lost chance for option 2 to debug and lost test chance for option 3...

@SamYuan1990 We need an actor from our organization for that, github-action is not an actor.

but, wait a min... if github action is not an actor, where the token???
or I mean, a github token ideally represent for a specific user.
if there is no user for github action, then ... what's the token represent for?

yes, something worth keeping learning 👯

yes, something worth keeping learning 👯

https://github.com/actions-user
mvangent/go-http-client@fec740f

cool, do you want to give it a try?
https://github.com/vpofe/go-http-client/blob/main/.github/workflows/go.yml#L50-L53

https://github.com/vpofe/go-http-client/blob/main/.github/workflows/go.yml#L50-L53

no, as already there. https://github.com/sustainable-computing-io/kepler/blob/main/.github/workflows/unit_test.yml#L32
@rootfs , https://github.com/actions-user I just give you the sample of the user I found.

and https://github.com/vpofe/go-http-client/blob/main/.github/workflows/go.yml#L62-L75 that's the reason I am worried about....

I hope you can help check with user and github action's support.
if it won't work, for example github action confirmed that they will no allow https://github.com/actions-user to push commits any more.
we should move to other solution.

questioned to github action at https://github.com/orgs/community/discussions/33423