Kzu's Today I Learned
Push to protected branch from GitHub actions

Last updated 3 years ago

It turns out that you really can't just git push from your GitHub actions if the repository has branch protection turned on or required checks before merging. Sorta makes sense, but still a PITA.

The solution that worked for me was to use a different token on checkout. Since the awesome GitHub CLI allows using a separate, higher-permissions token named GH_TOKEN (since depending on the command you use, you might need a different one than GITHUB_TOKEN), I decided to (ab)use the same:

An example workflow that uses this to generate a full changelog and push it to main on releases looks like this:

name: changelog
on:
  release:
    types: [released]

env:
  GH_TOKEN: ${{ secrets.GH_TOKEN }}

jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      - name: 🔍 GH_TOKEN
        if: env.GH_TOKEN == ''
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "GH_TOKEN=${GITHUB_TOKEN}" >> $GITHUB_ENV

      - name: 🤘 checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
          ref: main
          token: ${{ env.GH_TOKEN }}

      - name: ⚙ changelog
        uses: faberNovel/github-changelog-generator-action@master
        with:
          options: --token ${{ secrets.GITHUB_TOKEN }} --o changelog.md

      - name: 🚀 changelog
        run: |
          git config --local user.name github-actions
          git config --local user.email github-actions@github.com
          git add changelog.md
          git commit -m "🖉 Update changelog with ${GITHUB_REF#refs/*/}"
          git push

Important parts:

  • I default the GH_TOKEN envvar to a same-name secret, if present

  • If it's not present, I default it to GITHUB_TOKEN

  • Checkout always uses GH_TOKEN, which now may be a higher-permissions PAT than the default

  • I do the defaulting since the push will succeed if the repository doesn't use branch protection for main, and in that case I don't want to always force the presence of a GH_TOKEN secret.
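The token defaulting described in the workflow step and in the bullets above, written out as plain shell so it can be exercised outside a runner. This is an added example, not code from the page or from kzu's workflow: the function names (select_token, token_kind, export_token) are hypothetical, the token values are constructed fakes, and the classifier relies on the public prefixes GitHub assigns to its token formats (ghp_ for classic PATs, github_pat_ for fine-grained PATs, ghs_ for the job's GITHUB_TOKEN). The point of the classifier is that a job log can state which kind of token the checkout and push will use, so a silent fallback to GITHUB_TOKEN (and a subsequent rejected push on a protected branch) is visible, without ever echoing the secret itself.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the GH_TOKEN defaulting step as
# shell functions, plus a classifier that reports which kind of token was
# selected without printing its value.
set -eu

# Prefer the explicit GH_TOKEN secret, fall back to GITHUB_TOKEN.
# Usage: select_token "$GH_TOKEN" "$GITHUB_TOKEN"; prints the chosen token,
# returns 1 when neither is set.
select_token() {
  sel_gh="${1:-}"
  sel_github="${2:-}"
  if [ -n "$sel_gh" ]; then
    printf '%s' "$sel_gh"
  elif [ -n "$sel_github" ]; then
    printf '%s' "$sel_github"
  else
    return 1
  fi
}

# Classify a token by the public prefix GitHub assigns to each token type:
#   ghp_         classic personal access token
#   github_pat_  fine-grained personal access token
#   ghs_         GITHUB_TOKEN (GitHub App installation token)
token_kind() {
  case "$1" in
    ghp_*)        echo "classic-pat" ;;
    github_pat_*) echo "fine-grained-pat" ;;
    ghs_*)        echo "github-token" ;;
    *)            echo "unknown" ;;
  esac
}

# Append GH_TOKEN=<chosen> to the given env file, the same mechanism as
# `echo "GH_TOKEN=..." >> $GITHUB_ENV` in the workflow. The file path is a
# parameter (hypothetical) so the function can run outside a GitHub runner.
export_token() {
  env_file="$1"
  if ! chosen="$(select_token "${GH_TOKEN:-}" "${GITHUB_TOKEN:-}")"; then
    echo "neither GH_TOKEN nor GITHUB_TOKEN is set" >&2
    return 1
  fi
  printf 'GH_TOKEN=%s\n' "$chosen" >> "$env_file"
  # Log only the kind; the value never reaches the job log.
  echo "checkout and push will authenticate with a $(token_kind "$chosen") token" >&2
}

# Stand-alone demo with constructed, fake token values (not real credentials).
demo() {
  demo_env="$(mktemp)"
  GH_TOKEN="ghp_CONSTRUCTEDpat" GITHUB_TOKEN="ghs_CONSTRUCTEDapp" export_token "$demo_env"
  GH_TOKEN="" GITHUB_TOKEN="ghs_CONSTRUCTEDapp" export_token "$demo_env"
  cat "$demo_env"
  rm -f "$demo_env"
}
demo
```

Two things worth keeping in mind when reusing the pattern: a PAT only gets past branch protection if its owner is allowed to bypass it (an admin with "Include administrators" off, or an actor in the bypass list), so scope it to the one repository and to contents write and nothing more; and because the workflow declares GH_TOKEN at the job-level `env:`, every step in the job sees it, including the third-party changelog action referenced at `@master`, so a narrower scope or moving the token to only the steps that need it limits what a compromised action could do with it. The final `git push` works without any extra configuration because actions/checkout persists the `token` it was given into the local git config by default.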
