My dev blog where I dive deep into TypeScript, Postgres, Data science, Infrastructure, Ethereum, and more...

Bump Version on a protected branch with GitHub Actions

2nd Jun 2022

Doing an automatic version bump on every push to main can be useful, and is easy to set up with GitHub Actions.

However, once branch protection is enabled on main, the push from the workflow is rejected: the default GITHUB_TOKEN is not allowed to bypass the protection rules, so the action does not have the necessary permissions.

error: GH006: Protected branch update failed for refs/heads/main.

Recently, GitHub started allowing apps to be added as exceptions to branch protection rules, but workflows are still left with hacky workarounds as the only option.

The cleanest way to make this work right now is to temporarily switch off the "Include administrators" rule before the bump step and switch it back on afterwards. With that rule off, pushes from an administrator account bypass the protection, which is why the bot user created below must be an admin.

  1. Your action is kicked off
  2. Run branch-protection-bot to disable Include administrators
  3. Do the version bump with gh-action-bump-version
  4. Run branch-protection-bot to enable Include administrators

First we need to create a bot user and get a PAT (personal access token) for it.

This user needs to be created just like a normal user, with its own email address, and added to the organization with admin access to the repository. Admin rights on the repository are what the branch protection API requires, and with "Include administrators" switched off they are also what lets the bot push past the rules. Making the bot an organization owner works too, but a leaked token then reaches every repository in the organization.

Create a PAT for the bot user with at least the repo scope. Add the token as a secret to your repo with the key BOT_USER_TOKEN, and treat it as a highly privileged credential: anyone who can change a workflow in this repository can read it from a run.

Test branch-protection-bot for disabling branch protection

Make a bump-version.yml file in .github/workflows.

For now, let’s test if it is possible to disable branch protection without doing anything else. This runs on pull_request so we can test it without actually merging to main.

name: "Bump Version"

on: [pull_request] # we'll change this to push to main later 🤞

jobs:
  bump-version:
    name: "Bump Version on main"
    runs-on: ubuntu-latest

    steps:
      - name: Temporarily disable "include administrators" branch protection
        uses: benjefferies/branch-protection-bot@master
        if: always()
        with:
          access_token: ${{ secrets.BOT_USER_TOKEN }}
          branch: ${{ github.event.repository.default_branch }}
          enforce_admins: false

This should result in a workflow run on the PR (hopefully with a ✅).

When you then check the branch protection rules for main, "Include administrators" should be unchecked. Re-check it by hand before continuing; the workflow does not switch it back on yet.

Bring it all together with gh-action-bump-version

We’ll keep on: [pull_request] for now so we can test the whole thing in a PR.

Adding gh-action-bump-version and re-enabling branch protection rules after, we get an action like this:

    steps:
      ...

      # bump version
      - name: "Checkout source code"
        uses: "actions/checkout@v2"
        with:
          ref: ${{ github.ref }}
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: "Automated Version Bump"
        id: version-bump
        uses: "phips28/gh-action-bump-version@master"
        with:
          tag-prefix: "v"
        env:
          GITHUB_TOKEN: ${{ secrets.BOT_USER_TOKEN }}

      - name: Enable "include administrators" branch protection
        uses: benjefferies/branch-protection-bot@master
        if: always()
        with:
          access_token: ${{ secrets.BOT_USER_TOKEN }}
          branch: ${{ github.event.repository.default_branch }}
          enforce_admins: true

When you push this to the PR, you should see an extra commit like ci: version bump to v0.1.2 being added to the PR.

Enable the action only for pushes to main

The final step before our action is ready is to run it only on pushes to main.

Change on: [pull_request] to a rule that matches main:

on:
  push:
    branches:
      - main

And it’s all good!
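As an added example (not code from the original post, and not how gh-action-bump-version or branch-protection-bot are implemented), here is the same disable, bump, re-enable sequence as a shell script driven by the GitHub CLI, which is preinstalled on GitHub-hosted runners. It calls the enforce_admins endpoint that branch-protection-bot wraps, re-enables the rule whether or not the bump succeeds, reads the setting back from the API before reporting success, and refuses to bump when the head commit is already a bump commit (a push made with a PAT re-triggers the push workflow, unlike a push made with GITHUB_TOKEN). It assumes the checkout was done with the bot token so git push is authorised, that GH_TOKEN carries the same PAT, and that the project is an npm package; the REPO and BRANCH variables, the function names, the bot identity and the acme/widgets placeholder are assumptions of mine.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the actions it uses.
# Assumes: gh authenticated as the bot user (GH_TOKEN=<BOT_USER_TOKEN>), a git
# remote already authorised with the same token, and an npm package.json.
set -eu

: "${REPO:=${GITHUB_REPOSITORY:-}}"   # "owner/name", set by Actions
: "${BRANCH:=main}"

# The endpoint branch-protection-bot drives under the hood:
#   DELETE -> "Include administrators" off, PUT -> on, GET -> {"enabled": ...}
enforce_admins_url() {
    printf 'repos/%s/branches/%s/protection/enforce_admins' "$REPO" "$BRANCH"
}

disable_enforce_admins() { gh api -X DELETE "$(enforce_admins_url)" >/dev/null; }
enable_enforce_admins()  { gh api -X PUT    "$(enforce_admins_url)" >/dev/null; }

# Prints "true" or "false" as reported by the API, not as we think we left it.
enforce_admins_enabled() { gh api "$(enforce_admins_url)" --jq '.enabled'; }

# Pushes made with a PAT re-trigger the push workflow (GITHUB_TOKEN pushes do
# not), so a run started by our own bump commit must be a no-op.
is_bump_commit() {
    case "$1" in
        "ci: version bump to v"*) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Run a command with "Include administrators" off, turn it back on on every
# exit path, and fail if the read-back shows it is still off.
with_enforce_admins_disabled() {
    disable_enforce_admins
    local status=0
    "$@" || status=$?                 # do not abort here; re-enable comes first
    enable_enforce_admins
    if [ "$(enforce_admins_enabled)" != "true" ]; then
        echo "enforce_admins is still disabled on $BRANCH" >&2
        return 2
    fi
    return "$status"
}

# The bump itself: npm writes package.json, commits, and tags (v0.1.2 style).
bump_and_push() {
    if is_bump_commit "$(git log -1 --pretty=%s)"; then
        echo "head commit is already a version bump, nothing to do"
        return 0
    fi
    git config user.name  "version-bump-bot"                       # placeholder identity
    git config user.email "version-bump-bot@users.noreply.github.com"
    npm version patch -m "ci: version bump to v%s"                 # %s -> new version
    git push --follow-tags origin "HEAD:$BRANCH"
}

# Entry point for the workflow step; without the "run" argument the script only
# defines the functions.
if [ "${1:-}" = "run" ]; then
    with_enforce_admins_disabled bump_and_push
fi
```

In the workflow this replaces the two branch-protection-bot steps and the bump step with a single run step that executes the script with the argument run and sets GH_TOKEN to ${{ secrets.BOT_USER_TOKEN }} in its env; the checkout step has to pass the same token so the push is authorised. The read-back after re-enabling is the part worth keeping even if you stay with the actions: a PUT that silently does nothing leaves main unprotected, and the API, not the workflow's own bookkeeping, is the only source of truth for that.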

The whole workflow code

See the whole workflow code here in this gist.

Do I really want to do this?

There are some caveats:

  • The PAT is highly privileged: the bot user is a repository admin, so the token can push to main, rewrite branch protection, and act on every other repository the bot can reach. Anyone who can commit a change to a workflow in this repository can read the token from a run, as mentioned here. Keep the bot out of repositories it does not need, and rotate the token if a run log ever exposes it.
  • Branch protection is disabled for the few seconds the action runs, and anything pushed to main in that window gets through. If the runner dies between the two branch-protection-bot steps, the rule stays off: if: always() on the re-enable step covers a failed bump step, not a lost runner, so have something check the setting afterwards.
  • Both third-party actions are referenced as @master, so whoever controls those repositories can ship code that runs with the PAT in its environment. Pin them to a full commit SHA and review changes before moving the pin.
  • The bump commit is pushed with the PAT, and unlike a push made with GITHUB_TOKEN it triggers the push workflow again. Check that the bump step recognises its own commit and exits instead of bumping forever.

You need to decide yourself if this is a tradeoff you are willing to take, and if this is the right approach for your organization.

Read about other possible solutions in this thread.

When can GitHub fix this?

I hope GitHub can fix this and prevent the need for this hacky workaround. There is a feature request in the repo: [Feature Request] Allow github actions to bypass branch protection rules in certain specific circumstances.

See this highly active community thread on the topic: https://github.community/t/how-to-push-to-protected-branches-in-a-github-action/16101/13.
