
Permission to create PR denied #268

Closed
ben-laird opened this issue Feb 28, 2023 · 6 comments

Comments

@ben-laird

Hello,

I'm using changesets in my monorepo along with the GitHub Action. Whenever I push code to the main branch (i.e. after a pull request from another branch or after changing configuration files) I'd like the changeset action to run as specified in the publishing to NPM example. I gave the action a working NPM token and a fine-grained GitHub token with full permissions to Contents and Pull Requests, as per issue #220. For some reason, when the action tries to run /usr/bin/git push origin HEAD:changeset-release/main --force, the API responds with a 403 code and the process fails with a 128 exit code.

Running pnpm release on my machine works just fine, versioning the packages, making a changelog, and building my libraries for release.

Here's my .github/workflows/release.yml:

name: Release

on:
  push:
    branches:
      - main

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [16.x.x]
    steps:
      - uses: actions/checkout@v3
      - uses: pnpm/action-setup@v2
        with:
          version: 7
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
          cache: "pnpm"
      - name: Install Dependencies
        run: pnpm install

      - name: Create Release Pull Request or Publish to npm
        id: changesets
        uses: changesets/action@v1
        with:
          publish: pnpm run release # Runs: FORCE_COLOR=1 turbo run build --filter='!docs' --no-cache --color && changeset publish
        env:
          GITHUB_TOKEN: ${{ secrets.REPO_SCOPED_TOKEN }} # Fine-grained token
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

Call stack:

Error: The process '/usr/bin/git' failed with exit code 128
    at m._setResult (/home/runner/work/_actions/changesets/action/v1/dist/index.js:136:7258)
    at m.CheckComplete (/home/runner/work/_actions/changesets/action/v1/dist/index.js:136:6686)
    at ChildProcess.<anonymous> (/home/runner/work/_actions/changesets/action/v1/dist/index.js:136:5723)
    at ChildProcess.emit (node:events:527:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Socket.<anonymous> (node:internal/child_process:451:11)
    at Socket.emit (node:events:527:28)
    at Pipe.<anonymous> (node:net:709:12)

Versions:

  • @changesets/cli: 2.26.0
  • OS: latest macOS

Am I using this workflow wrong and there's something I need to fix? Is there a set of permissions I need to add? Would using an older version of @changesets/cli work?

@timfee

timfee commented Mar 1, 2023

+1 to all of the above

@timfee

timfee commented Mar 1, 2023

With debug enabled, it tells me:

remote: Permission to timfee/appoint.git denied to github-actions[bot].

This is also after I told it to use a PAT that I gave every permission to:

        env:
          GITHUB_TOKEN: ${{ secrets.PA_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

@timfee

timfee commented Mar 1, 2023

Ah, I think it may have to do with project settings:

https://github.com/foo/bar/settings/actions

[Screenshot attached: Screen Shot 2023-02-28 at 16 25 38]

Mine is working using PA_TOKEN, plus these functions. I'll start walking some of the changes back to see what did it.

But might be good to add to the docs!

@ben-laird
Author

This would be very useful to add to the docs. I tried a workflow run again using the settings you suggested @timfee, and I got a different error but the same 403 status code. The error this time hinted at my access token not having the correct permission set to perform a pull request, which is interesting considering I added permission to make a PR (at least I think that's what the permission set in #220 allowed). Slimming down and codifying the permission set from "everything" to what's needed would be very helpful, and there's probably something more in #220 that I'm not seeing.

Error:

a [HttpError]: Resource not accessible by personal access token
    at /home/runner/work/_actions/changesets/action/v1/dist/index.js:192:1285
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Object.w [as runVersion] (/home/runner/work/_actions/changesets/action/v1/dist/index.js:970:5099)
Error: Resource not accessible by personal access token
    at async /home/runner/work/_actions/changesets/action/v1/dist/index.js:972:2406 {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/me/repo/pulls',
    status: 403,
    data: {
      message: 'Resource not accessible by personal access token',
      documentation_url: 'https://docs.github.com/rest/reference/pulls#create-a-pull-request'
    }
  },
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/me/repo/pulls',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-core.js/3.6.0 Node.js/16.16.0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: `{"base":"main","head":"changeset-release/main","title":"Version Packages","body":"This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.\\n\\n\\n# Releases\\n## <redacted, bump header>\\n\\n### Patch Changes\\n\\n-   <redacted, changes made>\\n"}`,
    request: { agent: [Agent], hook: [Function: bound bound r] }
  }
}

@ben-laird
Author

UPDATE: Evidently the Fine-Grained Token I made didn't have any permissions, I think they were reset. After giving the token access to my repository, along with read/write permissions to Contents and Pull Requests as in #220, the workflow ran beautifully. I think this issue can be closed, but I think adding the results of this issue to the docs to guide other users would be beneficial.

@alexaka1

alexaka1 commented Jul 7, 2024

To be explicitly clear, these are the required permissions if you use the default token:

permissions:
  pull-requests: write
  contents: write

"Allow GitHub Actions to create and approve pull requests" is set to true in my settings. Default workflow permissions are set to read only (which is overridden in the yaml above).
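
Putting the thread's findings together, here is the workflow from the first post rewritten to rely on the automatic GITHUB_TOKEN with a job-level least-privilege grant instead of a PAT. This is an added example, not code from the thread or from the changesets project; the `pnpm run release` script and the NPM_TOKEN secret are assumed from the first post.

```yaml
name: Release

on:
  push:
    branches:
      - main

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    # Least-privilege grant for the automatic GITHUB_TOKEN: exactly what
    # changesets/action needs to push the changeset-release/main branch
    # (contents) and to open or update the "Version Packages" PR
    # (pull-requests). Every scope not listed here is "none" for this job,
    # even if the repository default is wider.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
      - uses: pnpm/action-setup@v2
        with:
          version: 7
      - uses: actions/setup-node@v3
        with:
          node-version: 16
          cache: "pnpm"
      - name: Install Dependencies
        run: pnpm install

      - name: Create Release Pull Request or Publish to npm
        id: changesets
        uses: changesets/action@v1
        with:
          publish: pnpm run release   # assumed from the first post
        env:
          # Automatic token, scoped by the permissions block above; no PAT needed.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The repository (or organisation) setting "Allow GitHub Actions to create and approve pull requests" still has to be enabled for the PR step to succeed. A PR opened with the automatic GITHUB_TOKEN does not trigger other workflows in the repository, which is the usual reason people fall back to a PAT with the same two permissions.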
