Context
I'm trying to make some project management automations on a project, linked to a repo (or more later), which seem basic to me but are not implemented in GitHub yet (moving a card to a certain column when a commit mentioning a certain issue is pushed, moving to another column when a pull request is opened, adding labels automatically, etc.).
To do so, I use:
- octokit/graphql-action: As I use projects in an organization, I need access to projectV2, which is not accessible with the REST API.
- actions/scripts: To process responses of GraphQL queries or do various things such as multiple mutations in a row.
- basic run: for debug OR git actions.
In this context, I need to use a token to access the GraphQL API.
Current situation
PAT settings in organization
- Allow Access via fine-grained personal access token
- Do not require administration approval
- Fine grained personal access token mustn't expire
General policies of Actions
Allow all actions and reusable workflows
Workflow permission of GITHUB_TOKEN
- Read and Write permissions
- Allow GitHub Actions to create and approve pull requests
PAT settings on my side
Organization permissions
- Read access to organization API insights, organization events, and organization plan
- Read and Write access to custom organization roles, custom repository roles, members, organization actions variables, organization administration, organization announcement banners, organization codespaces, organization codespaces secrets, organization codespaces settings, organization copilot seat management, organization dependabot secrets, organization hooks, organization knowledge bases, organization secrets, organization self hosted runners, organization user blocking, and team discussions
- Read, Write, and Admin access to organization custom properties and organization projects
Repository permissions
- Read access to codespaces metadata and metadata
- Read and Write access to Dependabot alerts, actions, actions variables, administration, attestations api, code, codespaces, codespaces lifecycle admin, codespaces secrets, commit statuses, dependabot secrets, deployments, discussions, environments, issues, merge queues, pages, pull requests, repository advisories, repository custom properties, repository hooks, secret scanning alerts, secrets, security events, and workflows
My permissions in workflow
permissions: write-all
Problems
1. GraphQL
When I use my PAT token, both in Postman and GitHub Actions, to make queries involving nodes (ex: projectV2), everything works fine! BUT when I try to do the same thing with the GITHUB_TOKEN, nodes is now an empty list and I can't access the data I need. No errors, nothing, just an empty list.
Here is the query I use:
    query ($repo: String!, $organisation: String!) {
      organization(login: $organisation) {
        repository(name: $repo, followRenames: true) {
          projectsV2(first: 100) {
            nodes {
              id
              number
            }
          }
        }
      }
    }
Here is the response to my request via Postman:
    {
      "data": {
        "organization": {
          "repository": {
            "projectsV2": {
              "nodes": [
                {
                  "id": "PVT_kwDOCva0384ArM0P",
                  "number": 7
                }
              ]
            }
          }
        }
      }
    }
and here is the response to the same request via GitHub Actions when using GITHUB_TOKEN:
    {
      "organization": {
        "repository": {
          "projectsV2": {
            "nodes": []
          }
        }
      }
    }
WHY?! In the end, I could have just used my PAT token, but I want to understand why it doesn't work with GITHUB_TOKEN... And there is a second problem.
2. Git push.
For... Reasons, I need to push some files to the repo. Tired of pushing for testing, I decided to use act to test my workflow locally... and when I tried, everything worked fine!
But when I tried it with GitHub action... I got the following error:
! [remote rejected] setting_update_data -> setting_update_data (refusing to allow a GitHub App to create or update workflow `.github/workflows/data/data.json` without `workflows` permission)
error: failed to push some refs to
no matter the token I try to use: PAT or GITHUB_TOKEN... SAME RESULT. AND I HAVE ALL PERMISSIONS WITH BOTH.
by the way, I can't make pushes with an "anonymous" user, I need to use my own account. (so far)
Concrete code
My requests and scripts are in separate files, but I gave you the only query so far, so you have everything you need to understand. (And the scripts are not the problem... because they work with the right outputs.)
Last precision: the current triggers are push, workflow_dispatch and repository_dispatch. But it will be manual later.
It will be hard for me to cover all the different configurations of g token, PAT, permissions, etc., so here is the current workflow I'm using, and then I will try your suggestions and give you results:
    name: Set/Update Datas
    on:
      workflow_dispatch:
      repository_dispatch:
      push:
    permissions: write-all
    env:
      organisation: ${{ github.repository_owner }}
      PERSONNAL_TOKEN: "###"
      GITHUB_TOKEN: ${{ github.token }}
    jobs:
      init_setup:
        permissions: write-all
        runs-on: ubuntu-latest
        outputs:
          need_init: ${{ steps.check_data_file.outputs.need_init }}
          requests: ${{ steps.read_requests.outputs.result }}
          repo: ${{ steps.get_repo_name.outputs.repo }}
        steps:
          - uses: actions/checkout@v4
          - name: Check if data file exists
            id: check_data_file
            # ::set-output is deprecated; write the output to $GITHUB_OUTPUT as the other steps do
            run: |
              if [ -f .github/workflows/data/data.json ]; then
                echo "need_init=true" >> "$GITHUB_OUTPUT"
              else
                echo "need_init=false" >> "$GITHUB_OUTPUT"
              fi
          - name: Check github token
            id: check_github_token
            run: |
              echo "PERSONNAL_TOKEN=${PERSONNAL_TOKEN}"
              echo "GITHUB_TOKEN=${GITHUB_TOKEN}"
          - name: Read Requests
            id: read_requests
            uses: actions/[email protected]
            with:
              script: |
                const script = require('./.github/workflows/read_requests.js');
                const path = './.github/workflows/manual/';
                return script({path});
          - name: Get Repo Name
            id: get_repo_name
            run: echo "repo=${GITHUB_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"
      initialisation_basic_settings:
        permissions: write-all
        runs-on: ubuntu-latest
        needs: [init_setup]
        if: ${{ needs.init_setup.outputs.need_init == 'false' }}
        steps:
          - uses: actions/checkout@v4
          - name: Get Project ID and Number
            id: get_project_id_and_number
            uses: octokit/[email protected]
            env:
              GITHUB_TOKEN: ${{ env.PERSONNAL_TOKEN }}
            with:
              query: ${{ fromJson(needs.init_setup.outputs.requests).get_project_id_and_number }}
              # variable names must match the query's $organisation and $repo
              variables: |
                {
                  "organisation": "${{ env.organisation }}",
                  "repo": "${{ needs.init_setup.outputs.repo }}"
                }
          - name: Modify first settings
            id: modify_first_settings
            uses: actions/[email protected]
            with:
              github-token: ${{ env.PERSONNAL_TOKEN }}
              script: |
                const script = require('./.github/workflows/write_json.js');
                const path = './.github/workflows/data/data.json';
                // graphql-action exposes the "data" object of the response directly
                const request_response = ${{ steps.get_project_id_and_number.outputs.data }};
                console.log("request_response", JSON.stringify(request_response));
                const node = request_response.organization.repository.projectsV2.nodes[0];
                const settings = {
                  project_id: node.id,
                  project_number: node.number,
                };
                console.log("settings", settings);
                const json_data = {
                  settings: settings
                };
                const data = JSON.stringify(json_data);
                console.log("json_data", json_data);
                script({path, data});
          - name: Store first settings
            id: store_first_settings
            env:
              GITHUB_TOKEN: ${{ env.PERSONNAL_TOKEN }}
            run: |
              git config --local user.name "###"
              git config --local user.email "###"
              git add .
              git commit -m "Set first settings"
              git push
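For comparison, here is a least-privilege version of the same two-job workflow. It is an added example, not the poster's workflow: it assumes a fine-grained PAT stored as a repository secret named PROJECT_PAT (an assumed name; the poster's workflow hard-codes the token in env, where it is neither encrypted nor masked in logs), assumes the settings file is moved to .github/project-data/data.json so that it no longer sits under .github/workflows/ (the path the push error above complains about), and relies on the gh CLI and jq that ubuntu-latest runners ship with. GITHUB_TOKEN has no permission scope that covers Projects (V2), so the PAT is the token handed both to gh for the GraphQL query and to actions/checkout, which persists whatever token it is given for the later git push. Every job starts with no permissions and asks only for what it uses, no step echoes a token, and values that come from outputs or the event are passed through env variables instead of being interpolated into the shell script, which avoids script injection through a crafted branch or repository name. In this example need_init means "the data file is missing", so the second job runs when it is true.

```yaml
name: Set/Update Datas (hardened example, not the original workflow)
on:
  workflow_dispatch:

# Default for every job: no permissions unless the job asks for them.
permissions: {}

env:
  organisation: ${{ github.repository_owner }}

jobs:
  init_setup:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      need_init: ${{ steps.check_data_file.outputs.need_init }}
      repo: ${{ steps.get_repo_name.outputs.repo }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # nothing in this job pushes, so leave no token in .git/config
      - name: Check if data file exists
        id: check_data_file
        run: |
          # Assumed path: outside .github/workflows/ so GitHub does not treat it as a workflow file.
          if [ -f .github/project-data/data.json ]; then
            echo "need_init=false" >> "$GITHUB_OUTPUT"
          else
            echo "need_init=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Get Repo Name
        id: get_repo_name
        run: echo "repo=${GITHUB_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"

  initialisation_basic_settings:
    runs-on: ubuntu-latest
    needs: [init_setup]
    if: ${{ needs.init_setup.outputs.need_init == 'true' }}
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # PAT from an encrypted secret (assumed name). checkout persists it, so `git push` below uses it.
          token: ${{ secrets.PROJECT_PAT }}
      - name: Get Project ID and Number
        id: get_project_id_and_number
        env:
          GH_TOKEN: ${{ secrets.PROJECT_PAT }}
          REPO: ${{ needs.init_setup.outputs.repo }}   # passed via env, never interpolated into the script
        run: |
          gh api graphql \
            -f organisation="$organisation" \
            -f repo="$REPO" \
            -f query='
              query ($repo: String!, $organisation: String!) {
                organization(login: $organisation) {
                  repository(name: $repo, followRenames: true) {
                    projectsV2(first: 100) { nodes { id number } }
                  }
                }
              }' \
            --jq '.data.organization.repository.projectsV2.nodes[0]' > /tmp/node.json
          # An empty nodes list means the token cannot see the project: fail here
          # instead of silently committing an empty settings file.
          if [ "$(cat /tmp/node.json)" = "null" ]; then
            echo "::error::no ProjectV2 visible to this token"
            exit 1
          fi
          echo "project_id=$(jq -r .id /tmp/node.json)" >> "$GITHUB_OUTPUT"
          echo "project_number=$(jq -r .number /tmp/node.json)" >> "$GITHUB_OUTPUT"
      - name: Write and push settings
        env:
          PROJECT_ID: ${{ steps.get_project_id_and_number.outputs.project_id }}
          PROJECT_NUMBER: ${{ steps.get_project_id_and_number.outputs.project_number }}
        run: |
          mkdir -p .github/project-data
          jq -n --arg id "$PROJECT_ID" --argjson number "$PROJECT_NUMBER" \
            '{settings: {project_id: $id, project_number: $number}}' > .github/project-data/data.json
          git config --local user.name "github-actions[bot]"
          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add .github/project-data/data.json
          git commit -m "Set first settings"
          git push
```

The explicit failure on an empty result is the check worth keeping even if nothing else is adopted: with the original workflow, an empty nodes list from a token that cannot see the project would surface only as a TypeError on nodes[0] in the next step, or, if that step were ever guarded, as a committed settings file with no project id in it.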