How to make a GitHub workflow push a protected tag?

[Sevastyan]

Select Topic Area

Question

Body

I have created a workflow that deploys my app whenever a tag is created in the repository. Now, in order to avoid some randos deploying my app by pushing a tag, I want to protect the tag. I've protected the tag, but now my workflow fails (I use git push --follow-tags once I create a tag).

How do I make it work with the protected tag?

[1amkaizen]

When you protect a tag in a repository, it usually means that only specific individuals or roles have the necessary permissions to push or modify that tag. This is a good security practice to prevent unauthorized deployments or changes to important tags.

However, if you have protected the tag and your workflow is failing due to the tag being protected, there are a few steps you can take to address this issue:

1.Check Permissions and Access:
Ensure that the user or service account running the workflow has the necessary permissions to push tags, or that it is part of a role or group that has permissions to modify protected tags.

2.Using Personal Access Tokens:
If you're using a CI/CD system, like GitHub Actions, and it's failing to push a tag due to permissions, consider using a personal access token (PAT) with appropriate permissions. Create a PAT in your GitHub account with the necessary permissions (e.g., repo, write:packages, etc.) and use it in your workflow instead of relying on the default credentials.

3.Modify Workflow to Authenticate:
Modify your workflow to use the personal access token or appropriate credentials to authenticate the push operation. This may involve updating the way you use git push --follow-tags in your workflow, making sure to provide the required authentication information.

For example:

git push origin --tags --follow-tags -u your_username:your_token

Replace your_username with your GitHub username and your_token with the personal access token.

4.Use Deployments or Releases:
Instead of pushing tags directly, you could use GitHub Deployments or Releases, which can be more controlled and managed. You can create a GitHub release or deployment using the GitHub API or UI, triggering your workflow when a release or deployment is created.

The workflow can then pull the necessary code and deploy it based on the release or deployment event.

By carefully managing permissions, utilizing personal access tokens, and considering alternative approaches like using GitHub Deployments or Releases, you can work around the issue of protected tags while still maintaining a secure and controlled deployment process.

[Sevastyan]

Thank you for the answer.

[1amkaizen]

You're welcome, hope that helps.

[varun-seth]

The answer from @1amkaizen seems AI generated. Let me ask this question again with more constraints. How to let github actions push a protected tag?

1. Github action bot is running the action, there is no service account here and no way to assign a role to this bot.
2. PAT are personal and should be used in personal projects, not when working in an organisation.
3. Same issue as mentioned above.
4. Suggesting not to push protected tags is not a solution.

[mhemani-reach]

I would use a custom Github App, add the app in the ruleset as a bypass actor. Use something like this in your workflow to get a token

      - name: Generate Github App Token
        id: generate-token
        uses: actions/create-github-app-token@v3.0.0
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

The token is then available at ${{ steps.generate-token.outputs.token }}, which you can use with whatever action or script to actually push the tag.