Thanks for the detailed answer! Unfortunately it does not work for us:
- We cannot give Admin access to a bot user because that means we would need to share that user’s personal access token with all of our users, which means essentially giving everyone in our org admin rights.
- I tried the two different workflow options and still get an access denied error if I don’t also remove the need for approvals. Is this a bug?
So far, here are the options we have:
- Have a GitHub action open a PR to make the version bump commit and have it approved by a human. We have other actions to take after the version bump, so the CI would need to wait for the approval of the PR before continuing.
- Create an internal API that has admin rights to our GitHub org and that exposes an endpoint that will temporarily disable branch protection. This has the benefit of only giving the rights to disable protection and not all admin rights, but would be time-consuming to implement.
- Have the GitHub app open a PR for the version bump instead of pushing directly to the main branch and have a second app approve the PR and merge it. This would not work for repos which require more than one approval. We also need the PR check in CI to approve the PR when it detects it is a version bump commit.
- Just remove branch protections in repos where we want to use version bump commits
- Just make our bot user an admin and share the token
What would work for us is to have an option that allows a specific app or user to push to a branch, bypassing all checks. Yes, that could still be used to bypass branch protection, but it is better than giving admin rights to everyone.
Any help appreciated, thank you!