pushing to protected doesn't work even when provided with administrator PAT #347

Closed
scarf005 opened this issue Oct 4, 2024 · 7 comments
Labels
bug Something isn't working

Comments

Contributor

scarf005 commented Oct 4, 2024

git-auto-commit Version

v5.0.1

Machine Type

Ubuntu (eg. ubuntu-latest)

Bug description

The auto-commit action is not working despite the repository being checked out with an organization administrator's PAT.

Steps to reproduce

action: https://github.com/cataclysmbnteam/Cataclysm-BN/actions/runs/11172262688/job/31058436246
workflow: https://github.com/cataclysmbnteam/Cataclysm-BN/blob/6219fa3f81418eb28d7efe26a7622388573ee1a8/.github/workflows/pull-translations.yml

applied https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#push-to-protected-branches in: https://github.com/cataclysmbnteam/Cataclysm-BN/blob/6219fa3f81418eb28d7efe26a7622388573ee1a8/.github/workflows/pull-translations.yml#L21-L25

Tried solutions

  • Tried recreating the PAT with administrator rights, yet the output did not change.
  • Gave no scope to the PAT (e.g. repo:status), as the docs did not mention them.

Example Workflow

name: "Pull translations from Transifex"

on:
  workflow_dispatch:
  schedule:
    - cron: "42 1 * * 6"

jobs:
  pull-translations:
#   if: github.repository == 'cataclysmbnteam/Cataclysm-BN'
    runs-on: ubuntu-latest

    permissions:
      contents: write

    steps:
#      - name: "Install Transifex CLI"
#        run: |
#          curl -sL https://github.com/transifex/cli/releases/download/v1.6.7/tx-linux-amd64.tar.gz | sudo tar zxvf - -C /usr/bin tx

      - name: "Checkout"
        uses: actions/checkout@v4
        with:
          # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#push-to-protected-branches
          # AUTO_COMMIT_PAT is a PAT made from personal account with organization admin rights
          # with no scope given
          token: ${{ secrets.AUTO_COMMIT_PAT }}

      - name: "Get current date"
        id: get-timestamp
        run: echo "time=$(date -u "+%F")" >> $GITHUB_OUTPUT

#      - name: "Pull translations"
#        run: tx pull --force
#        env:
#          TX_TOKEN: ${{ secrets.TX_TOKEN }}

      - run: echo foo >> foo.txt

      - name: Show Changes
        run: |
          git status
          git diff --numstat

      - name: Create Commit
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          branch: main
          commit_message: "feat(i18n): routine i18n updates on ${{ steps.get-timestamp.outputs.time }}"
          commit_user_name: "github-actions[bot]"
          commit_user_email: "github-actions[bot]@users.noreply.github.com"
          commit_author: "github-actions[bot] <github-actions[bot]@users.noreply.github.com>"

Relevant log output

remote: Permission to cataclysmbnteam/Cataclysm-BN.git denied to scarf005.
fatal: unable to access 'https://github.com/cataclysmbnteam/Cataclysm-BN/': The requested URL returned error: 403
Error: Invalid status code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:519:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5) {
  code: 128
}
Error: Invalid status code: 128
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:519:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5)

Repository

https://github.com/cataclysmbnteam/Cataclysm-BN

@scarf005 scarf005 added the bug Something isn't working label Oct 4, 2024

reteps commented Oct 4, 2024

Hitting the exact same issue, at the exact same time!


reteps commented Oct 4, 2024

Tested that I have this issue outside of this plugin, in any organizationally-scoped repo. I tried:

  • classic PAT with admin
  • scoped PAT with all repo perms

I did a simple

    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.WORKFLOW_PAT }}
          submodules: true
          fetch-depth: 0
      # - name: Save scheduled discord pings
      #   if: github.ref_name == github.event.repository.default_branch
      #   env:
      #     WORKFLOW_PAT: ${{ secrets.WORKFLOW_PAT }}
      #   run: |
      #     git remote set-url origin "https://[email protected]/sigpwny/websites.git/"
      #     git config user.name sigpwny-uiuc
      #     git config user.email [email protected]
      #     git add .github
      #     git commit -m "chore: update workflow schedule"
      #     git push origin main


reteps commented Oct 4, 2024

You can see a variety of failed attempts here: https://github.com/sigpwny/websites/commits/main/


reteps commented Oct 4, 2024

Started a discussion here: https://github.com/orgs/community/discussions/140561

@stefanzweifel
Owner

Thanks for reporting and thanks @reteps for doing the investigative work. Looks like this is more of an issue – again – with how GitHub handles protected branches and PATs. 🫠


reteps commented Oct 4, 2024

Ok, I found my issue. I had a composite action between the points in which I commit and check out, that did another checkout.

checkout w/token
<composite action> checkout wo/token
push

failed
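
The overwritten-credential sequence in the comment above can be caught with a check placed right before the push step. This is an added example, not code from the thread or from git-auto-commit-action. It assumes actions/checkout@v4 persists its token in the git config key `http.https://github.com/.extraheader` as `AUTHORIZATION: basic base64(x-access-token:<token>)`; the function names are hypothetical, and `AUTO_COMMIT_PAT` is assumed to be exported to the step from the secret of that name.

```shell
# Added example: confirm the credential git will push with is still the PAT
# and has not been replaced by a later checkout step. Never prints the token.

# Assumption: config key written by actions/checkout@v4 (persist-credentials).
EXTRAHEADER_KEY="http.https://github.com/.extraheader"

# header_matches_token HEADER EXPECTED_TOKEN
# Returns 0 if HEADER carries EXPECTED_TOKEN, 1 if it carries a different
# token, 2 if HEADER is empty or not in the assumed format.
header_matches_token() {
  hmt_header=$1
  hmt_expected=$2
  case $hmt_header in
    "AUTHORIZATION: basic "*) hmt_b64=${hmt_header#"AUTHORIZATION: basic "} ;;
    *) return 2 ;;
  esac
  hmt_decoded=$(printf '%s' "$hmt_b64" | base64 -d 2>/dev/null) || return 2
  [ "$hmt_decoded" = "x-access-token:$hmt_expected" ] || return 1
}

# check_push_credential EXPECTED_TOKEN [REPO_DIR]
# Reads the last persisted header, i.e. the one git is left with after every
# checkout in the job (including checkouts inside composite actions) has run.
check_push_credential() {
  cpc_expected=$1
  cpc_repo=${2:-.}
  cpc_rc=0
  cpc_header=$(git -C "$cpc_repo" config --get-all "$EXTRAHEADER_KEY" \
    2>/dev/null | tail -n 1)
  header_matches_token "$cpc_header" "$cpc_expected" || cpc_rc=$?
  case $cpc_rc in
    0) echo "ok: persisted credential is the expected PAT" ;;
    1) echo "mismatch: a later checkout replaced the PAT" >&2 ;;
    2) echo "no persisted credential in the assumed format" >&2 ;;
  esac
  return "$cpc_rc"
}

# Hypothetical workflow step body, placed directly before the push:
#   check_push_credential "$AUTO_COMMIT_PAT"
```

Exit status 1 corresponds to the "checkout w/token, checkout wo/token, push" sequence: the second checkout has rewritten the header with a different token.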

Contributor Author

scarf005 commented Oct 6, 2024

Succeeded with a fine-grained PAT with Content permission. Keeping it open as it needs better documentation.
