1

AIM: To modify one GitHub Actions .yaml file by running another GitHub Actions file. Specifically, I want to randomize the cron schedule of the other file.

PROBLEM: It gives error

 ! [remote rejected] main -> main (refusing to allow a GitHub App to create or update workflow `.github/workflows/main-runner.yaml` without `workflows` permission)

What I tried:

  1. Using a classic PAT with Workflows Permission (which is GH_CLASSIC_TOKEN in repo secrets): PAT Permissions Image

  2. Allowing Workflow Permissions in repo settings: Repo Workflow Permissions Image

  3. Deleting Repo and re-creating it.

Links to my repo:

  1. Seeker220/workflow-test-repo
  2. Failed GitHub Actions Logs

Relevant Code:

  1. trigger-creator.yaml
name: Trigger Creator

on:
  workflow_dispatch:  # Allows manual triggering of the workflow

jobs:
  update-cron:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Enable Main Workflow
        run: gh workflow enable main-runner.yaml
        env:
          GH_TOKEN: ${{ secrets.GH_CLASSIC_TOKEN }}

      - name: Generate Randomized Cron Time
        id: random-cron
        run: |
          # Generate a random hour between 0 and 23
          NEW_HOUR=$((RANDOM % 24))
          
          # Generate a random minute between 0 and 59
          NEW_MINUTE=$((RANDOM % 60))

          # Create new cron expression
          NEW_CRON="$NEW_MINUTE $NEW_HOUR * * *"
          echo "NEW_CRON=$NEW_CRON" >> $GITHUB_ENV

      - name: Update `main-runner.yaml` with New Cron
        run: |
          # Replace the old cron with the new one in main-runner.yaml
          sed -i "s/^    - cron: \".*\"/    - cron: \"${NEW_CRON}\"/" .github/workflows/main-runner.yaml

      - name: Commit and Push Changes
        run: |
          git config --global user.name "github-actions"
          git config --global user.email "[email protected]"
          git remote set-url origin https://x-access-token:${{ secrets.GH_CLASSIC_TOKEN }}@github.com/${{ github.repository }}.git
          git add .github/workflows/main-runner.yaml
          git commit -m "Update main-runner cron to: ${NEW_CRON}"
          git push origin main
        env:
          GH_CLASSIC_TOKEN: ${{ secrets.GH_CLASSIC_TOKEN }}
  1. main-runner.yaml
name: Main Runner

on:
  schedule:
    - cron: "0 15 * * *"  # Placeholder cron, gets updated dynamically

jobs:
  run-task:
    runs-on: ubuntu-latest
    steps:
      - name: Run Sample Command
        run: echo "Hello from Main Runner"

      - name: Disable Itself After Running
        run: gh workflow disable main-runner.yaml
        env:
          GH_TOKEN: ${{ secrets.GH_CLASSIC_TOKEN }}

So far, these didn't solve the issue. I have found similar questions on SE, in most of them, OP was using a GITHUB_TOKEN instead of PAT.

Thanks :)

Improve this question

1 Answer 1

Reset to default
1

You have to tell git commands to use your generated token. You can do so via the checkout actions at the top of you workflow and provide the token there (see here for docs example, omitted rest of your file for brevity):

...

jobs:
  update-cron:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_CLASSIC_TOKEN }}

...

And afterward, you should be able to push with this token if you only define user.name and user.email via git config (once again irrelevant parts omitted):

...
jobs:
  update-cron:
    runs-on: ubuntu-latest
    steps:
      ...
      - name: Commit and Push Changes
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "[email protected]"
          git add .github/workflows/main-runner.yaml
          git commit -m "Update main-runner cron to: ${NEW_CRON}"
          git push origin main

Also, please note:

  • Changed the email from github-actions to github-actions[bot] as that will register as GitHub Actions bot in the GitHub GUI (which I assume you want?)
  • You should use fine-grained tokens with minimal scope (contents: write and workflows: write should do I think), read more about them here (you could do this after the initial testing that this works with personal token) as this approach is more secure
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.