-
I have a deployment script that uses actions/github-script@v7, which at one point calls I've confirmed that I have specified Here's what the action logs with
I've even checked that The only way it works is if I pass in a PAT via
Replies: 4 comments 1 reply
-
So it turns out that Indeed I can reproduce the problem by simply calling Any ideas?
-
Has GitHub recently changed this required permission? I believe we've been tagging non-head commits for quite a long time and only recently saw this problem pop up. Having to generate a PAT for this is very frustrating.
-
Careful testing of PAT fine-grained permissions has cleared this up somewhat.

A PAT limited to `contents:write` can ONLY tag the head commit. Other hashes fail. A PAT with `contents:write + workflows:write` can tag anything. Documentation for POST to https://api.github.com/repos/OWNER/REPO/git/refs mentions these two sets of permissions without explaining what the difference is.

Assuming that this distinction is intentional, it's now clear why it fails with GITHUB_TOKEN: those can't have the `workflows` permission. So at this stage I believe it's impossible for GITHUB_TOKEN to tag anything except the head commit, and that this is probably intentional, but not clearly documented.