[Feature Request] Allow github actions to bypass branch protection rules in certain specific circumstances #13836

philomory · 2022-03-30T03:18:19Z

philomory
Mar 30, 2022

There are workflows in which it is desirable to have the workflow itself make changes (such as updating a pom.xml, packages.json, CHANGELOG.md, etc.) on a branch which is otherwise protected from direct changes.

Some things that don't work (or don't work well):

Simply disabling branch protection rules entirely for the branch in question isn't a feasible solution, because there are plenty of legitimate reasons to want branch protection rules in place.
It's not possible to add the pseudo-user represented by the GITHUB_TOKEN to the "Restrict who can push to matching branches" list, but even if it were this wouldn't be a useful solution, because then any action from any branch could bypass the branch protection rules, making them too easily circumventable.
You can create a "service user", add that service user to the "Restrict who can push to matching branches" list, create a Personal Access Token (PAT) for that service user, store the PAT in an environment secret, assign the relevant environment to your protected branch, and then have the workflow get the PAT from the environment, and then set up extra rules in all of your workflows triggerd by push events to make sure that they ignore any commits pushed by the service user (the way they'd ignore commits pushed using GITHUB_TOKEN). This more-or-less works, but it's a lot of work to replicate this set up across dozens of repositories, and it's really abusing a bunch of unrelated functionality for something that should be available out of the box.

My proposed solution is to add a checkbox under Branch Protection rules, "Allow Github Actions workflows run from matching branches to push commits back to the same branch". Checking this box would have two effects:

Workflows triggered by push events to the protected branch (which, given the branch is protected, will generally represent pull-request merges rather than remote pushes) will be allowed to push additional commits back to the protected branch as if they were being pushed by an individual user who was listed under "Restrict who can push to matching branches".
Workflows triggered by a workflow_dispatch event, where the workflow was dispatched from the protected branch (i.e. the workflow YAML file being executed is read from the protected branch) will be allowed to push additional commits back to the protected branch as if they were being pushed by an individual who was listed under "Restrict who can push to matching branches".

Note that in both cases, the workflow should only be permitted to push commits back to the same branch that the workflow is being executed from (or other, unprotected branches, as is already possible). A workflow should not be able to push commits to any other protected branch, not even a distinct branch that matches the same branch protection rule.

This feature request is inspired by a long-running discussion in the Github Community discussion boards; I felt it was worth bringing a concrete feature request to this Feedback repository, at this point.

NOTE: If you want to show your support for this feature request, please upvote it using the upvote button

rather than replying with a "+1". Replies like that just result in sending spam to everyone else interested in the issue, and importantly, don't even "count" when it comes to how much GitHub will prioritize the issue. They're just spam, they're not spam that also counts as a vote in any way.

xakraz · 2022-04-11T21:45:31Z

xakraz
Apr 11, 2022

Also mentioned and requested here: https://github.community/t/allowing-github-actions-bot-to-push-to-protected-branch/16536

0 replies

brightshine1111 · 2022-05-26T17:34:57Z

brightshine1111
May 26, 2022

Even though it wouldn't work in all use cases for all people, treating the github-actions bot as a full-fledged app so we can add it to protected branch pushers would be immensely useful in a number of situations.

E.g. at my company the main branch is gated by PRs; once a PR is merged that triggers the deploy workflow, and part of that workflow is simply pushing fast-forward commits to a minor version branch (e.g. if the current release should be v2.3.4, deploy will update the v2.3 branch to be even with main). We want to protect these minor versions branches so humans can't accidentally push to them and get them out of sync with main. The minor branches aren't critical to any other parts of our CI/CD pipeline otherwise, so simply being able to add the github-actions bot to that branch protection rule would be perfect in our situation.

1 reply

treeder Oct 30, 2024

This is the way.

Just let us add GitHub actions to this list:

solarmosaic-kflorence · 2022-06-07T21:44:38Z

solarmosaic-kflorence
Jun 7, 2022

FYI: https://github.blog/changelog/2022-05-17-consistently-allow-github-apps-as-exceptions-to-branch-protection-rules

16 replies

timothyjlaurent Aug 2, 2023

Thank you @daniel-res 👏 👏

This is the internet's only source for this information

b3nk3 Jan 10, 2024

I was able to add the App to the bypass list under branch protection with lesser permissions than @daniel-res.

Namely:

Action
PR
Contents

DoisKoh Mar 19, 2024

When I try to Allow specified actors to bypass required pull requests, I don't see any 'apps' to choose from. How do I allow GitHub actions to bypass this?

christian-benseler-farm Mar 24, 2024

Same for me @DoisKoh

ghost Mar 24, 2024

Did you previously install required app on your repository?

https://github.com/<usernam>e/<repository>/settings/installations
GitHub --> Repository --> Settings --> Integrations --> GitHub Apps
Installing your own GitHub App

We use a own app for that and bellow is an example with a public one.

screenshots

agaertner · 2022-10-01T18:56:57Z

agaertner
Oct 1, 2022

Just encountered this exact issue. This is certainly great to have for smaller hobby teams as well where you don't really want nor need to setup whole delivery pipelines.
I have setup simple automatic deployment on main which commits some changes like assembly version bumps, changelog, etc. However, I have to remove the branch protection for it to function which is bad for collaborations.

0 replies

Camuvingian · 2022-10-18T09:37:54Z

Camuvingian
Oct 18, 2022

Yes, GitHub, let's get this feature in please.

0 replies

cunhap · 2022-11-03T11:07:03Z

cunhap
Nov 3, 2022

Would also like this implemented. 👍

0 replies

rael-b · 2022-11-03T11:40:38Z

rael-b
Nov 3, 2022

That would be a great GA to implement!

0 replies

u-ways · 2022-11-03T12:13:16Z

u-ways
Nov 3, 2022

+1 I had to implement a walkaround to cater for such requirements which I do not encourage following...

Update: If you're very keen, you can see multiple ideas/solutions posted across the board linking to this issue.

2 replies

andreaagudo3 Nov 7, 2022

how did you do it?

maazmmd Nov 9, 2022

Can you please post the workaround

madhifallah · 2022-12-02T15:13:49Z

madhifallah
Dec 2, 2022

does this fit your need ? https://github.blog/changelog/2022-08-18-bypass-branch-protections-with-a-new-permission/

6 replies

dedece35 Dec 20, 2022

+1 for our open-source organization (not GitHub Entreprise :( )

philomory Jan 5, 2023
Author

I don't think this fits the full need even for Github Enterprise customers. This is basically somewhere between non-solution number two and number three from the original post; that custom role can't be applied to the GITHUB_TOKEN psuedo-user, you have to assign it to an actual user; if you could assign it to the GITHUB_TOKEN psuedo-user, it wouldn't solve the problem acceptably because then anyone who could push to any branch, could push a workflow that interfered with protected branches; and if you instead assign the custom role to a "service account" user and make different service account users for workflows on different branches, well, that's non-solution number three: it works, more or less, but it's way too complicated to scale.

frankinspace Jan 5, 2023

If you have an organization (on public github); you should be able to use the solution proposed in https://github.com/orgs/community/discussions/13836#discussioncomment-2901138

That's how we solved it; we have a custom dummy "CICD" github App and our workflows that make commits back to protected branches use the CICD github app credentials when committing. Then in the repository settings we allow the CICD App to skip status checks.

I still agree though it would be better if we didn't have to create our own app and we could just allow the GITHUB_TOKEN to skip status checks directly.

philomory Jan 5, 2023
Author

@frankinspace Doesn't that solution still fail in that someone could e.g. push a new workflow to a non-protected branch, that workflow would run with the credentials of the app, and could therefore push to a protected branch? Essentially meaning that the protected branch is not protected?

frankinspace Jan 5, 2023

@philomory Yes, that is still a problem. IMO that's something I can tell my developers to not do. I still agree with your feature request and consider what I described an acceptable workaround until GH can resolve it properly.

bigman73 · 2022-12-29T15:52:41Z

bigman73
Dec 29, 2022

Also interested in a solution - I'm trying to auto bump the version but the branch protection rule I have on main branch doesn't allow it.

0 replies

Kav-K · 2023-01-01T06:41:40Z

Kav-K
Jan 1, 2023

Also looking for a solution! I have a python-black formatter that pushes code to the main branch but the protection rules won't allow it

1 reply

airtonix Feb 6, 2023

in your case, you should do that on your PRs: do auto formatting commits to PRs only.

thislooksfun · 2023-01-04T03:40:01Z

thislooksfun
Jan 4, 2023

I'm running into this issue as well. I use semantic-release to automatically update my package whenever my main branch is updated, and I use @semantic-release/git to commit the updated version and changelog back to the branch. However, I also want to enable required status checks so I can have that peace-of-mind (and also use auto-merge). But I can't, because if I turn it on the action can't push the version update anymore. Having a setting (either in the branch protection rules as suggested above, or in the action itself using the new permissions setting) would be a huge help for getting my setup clean and efficient.

1 reply

GuySartorelli Aug 7, 2024

+1 for this being part of the permissions in the workflow/action itself. There are some workflows where we want to be able to bypass branch protection rules - but we don't want to just blanket allow all workflows to bypass those protections.

satonotdead · 2023-01-05T15:46:38Z

satonotdead
Jan 5, 2023

Can we bypass the permission rules with Gitbook?

We are facing the same issue but within the same company (!)

0 replies

vagenas · 2023-01-06T07:59:55Z

vagenas
Jan 6, 2023

As a simplification of the "service user" approach outlined by the OP: for the commit(s) pushed by the "service user", one can consider using [skip ci] to suppress status checks without adding any extra rules in the workflows (see https://docs.github.com/en/actions/managing-workflow-runs/skipping-workflow-runs).

5 replies

bigman73 Jan 6, 2023

As a simplification of approach number three, one can consider using [skip ci] in the respective commit message(s) to suppress status checks without adding extra rules in the workflows (see https://docs.github.com/en/actions/managing-workflow-runs/skipping-workflow-runs).

Not sure I'm following you. The idea is to have CI workflows run, not skipped, for example to auto increment versions.

thislooksfun Jan 6, 2023

This isn't actually about getting workflows to run or not run at all, is about being able to have workflows push directly to a push-protected branch. [skip-ci] doesn't skip branch protection rules.

vagenas Jan 6, 2023

I am referring to the third approach outlined by the OP, i.e. enabling pushing to the protected branch by explicitly allowing a "service user" to do so in the branch protection rules and then using the "service user" via a PAT accessed through an environment secret.

My comment was that, in this context, you do not necessarily have to (copying from the OP):

[...] set up extra rules in all of your workflows triggerd by push events to make sure that they ignore any commits pushed by the service user [...]

but you could rather just use [skip-ci] in those commits instead.

ohmantics Jan 7, 2023

[skip ci] would work for the case mentioned above of @semantic-release/git trying to push release-related changes (package.json, CHANGELOG, etc.)

+1

(also i love you GitHub people. stay beautiful <3)

0 replies

scheying · 2025-09-18T07:28:01Z

scheying
Sep 18, 2025

+1

0 replies

eggduzao · 2025-09-19T15:26:20Z

eggduzao
Sep 19, 2025

Your critique of the common workarounds is fair: PATs and bot users are clunky; letting raw GITHUB_TOKEN bypass would be dangerous.

The checkbox idea is good in spirit-it expresses the least-privilege intent you want-but it would need a few guardrails (see below), otherwise it recreates the very risks branch protection exists to mitigate.

First, I can think of some issues with the raw idea:

Self-escalation via workflow edits: if a PR can change a workflow on that branch and then gets merged, the new workflow could immediately push arbitrary commits. Any "auto-allow push-back" needs guardrails (example is: "only allow after required checks", "only on workflow_run triggered from a trusted ref").
Supply-chain surface: permitting writes from CI is a classic escalation vector without strong scoping and logging (see numerous advisories and discussions urging caution).

If GitHub would be designing such checkbox, I'd insist on all of these guardrails:

Same-ref Only: workflow must run from commit already on the protected branch; can only push to that same branch. (No cross-branch writes.)
Post-merge Trigger Only: allow on workflow_run where the triggering workflow was on the protected branch and all required checks passed for that commit.
Ephemeral, Branch-bound Token: write permission limited to contents: write on that branch only, bound to the "run ID"/"attempt"; expires at job end.
No-ops on Workflow files: disallow pushes that modify files under ".github/workflows/" in the same operation (avoid "grant -> rewrite workflow -> widen power").
Audit and Provenance: require signed commits with OIDC provenance, and show "bypass via workflow" in the branch protection audit log.
Repo Opt-in, Rule-scoped: toggle lives inside the specific branch protection rule, off by default.

So, I can see why this isn't Github priority ATM. But I'd vouch for it.

0 replies

cjnoname · 2025-10-03T09:03:23Z

cjnoname
Oct 3, 2025

+1

0 replies

Zetjen · 2025-10-06T10:03:14Z

Zetjen
Oct 6, 2025

+1

0 replies

schmocker · 2025-10-09T14:59:37Z

schmocker
Oct 9, 2025

+1

0 replies

GigiusB · 2025-10-10T07:47:29Z

GigiusB
Oct 10, 2025

+1

0 replies

[Feature Request] Allow github actions to bypass branch protection rules in certain specific circumstances #13836

Uh oh!

Uh oh!

Replies: 89 comments · 84 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

philomory Jan 5, 2023 Author

Uh oh!

Uh oh!

philomory Jan 5, 2023 Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Replies: 89 comments 84 replies

philomory Jan 5, 2023
Author

philomory Jan 5, 2023
Author