Summary
The scheduled Bump & Release workflow (run #25152140201, job 73725009637) fails consistently at the Commit and tag step with two errors.
Errors
1. Protected branch rejects direct push
remote: error: GH006: Protected branch update failed for refs/heads/main.
remote:
remote: - Changes must be made through a pull request.
remote: - Required status check "check" is expected.
To https://github.com/andresharpe/dotbot
! [remote rejected] main -> main (protected branch hook declined)
The workflow calls git push origin main --tags directly, but the main branch has protection rules that require:
- All changes go through a pull request
- The
check status check must pass before merging
2. Tag v3.5.1 already exists
! [rejected] v3.5.1 -> v3.5.1 (already exists)
hint: Updates were rejected because the tag already exists in the remote.
A previous (failed) run already created the v3.5.1 tag locally and partially pushed it, so the tag now conflicts on re-runs.
Context
- Workflow:
.github/workflows/bump-release.yml (scheduled, runs daily)
- Failing step:
Commit and tag
- Runner: Ubuntu 24.04, runner image
20260413.86.1
- Version bumped:
3.5.0 → 3.5.1 (patch)
- Exit code: 1
Root Cause
The Bump & Release workflow was designed to push a version bump commit directly to main, but branch protection rules have since been tightened to require PRs and a passing check status check. The GITHUB_TOKEN used by the action does not have the repository admin scope needed to bypass protection rules.
Suggested Fixes
Option A — Use a PAT with bypass rights
Replace ${{ secrets.GITHUB_TOKEN }} with a PAT that has the bypass branch protections permission scoped to this repo. Add the PAT as a repository secret (e.g. RELEASE_BOT_TOKEN) and update the checkout step to use it.
Option B — Open a PR for the version bump
Refactor the workflow to push the version commit to a short-lived branch (e.g. chore/bump-v3.5.1), open a PR, and merge it — or use the GitHub GraphQL mergePullRequest mutation with admin merge.
Option C — Exempt the github-actions[bot] from branch protection
In Settings → Branches → main → Protection rules, add github-actions[bot] to the "Allow specified actors to bypass required pull requests" list and exempt it from the check status check requirement for bot commits.
Also: once the push issue is resolved, any stale tag (e.g. v3.5.1) that was partially created by a failed run will need to be deleted before the workflow can succeed: git push origin :refs/tags/v3.5.1.
Additional Warning
The workflow also triggers a Node.js 20 deprecation warning for actions/checkout@v4:
Node.js 20 actions are deprecated … Actions will be forced to run with Node.js 24 by default starting June 2, 2026. Node.js 20 will be removed from the runner on September 16, 2026.
Consider upgrading to actions/checkout@v5 (or later) before June 2026.
Summary
The scheduled Bump & Release workflow (run #25152140201, job 73725009637) fails consistently at the Commit and tag step with two errors.
Errors
1. Protected branch rejects direct push
The workflow calls
git push origin main --tagsdirectly, but themainbranch has protection rules that require:checkstatus check must pass before merging2. Tag
v3.5.1already existsA previous (failed) run already created the
v3.5.1tag locally and partially pushed it, so the tag now conflicts on re-runs.Context
.github/workflows/bump-release.yml(scheduled, runs daily)Commit and tag20260413.86.13.5.0 → 3.5.1(patch)Root Cause
The
Bump & Releaseworkflow was designed to push a version bump commit directly tomain, but branch protection rules have since been tightened to require PRs and a passingcheckstatus check. TheGITHUB_TOKENused by the action does not have the repository admin scope needed to bypass protection rules.Suggested Fixes
Option A — Use a PAT with bypass rights
Replace
${{ secrets.GITHUB_TOKEN }}with a PAT that has thebypass branch protectionspermission scoped to this repo. Add the PAT as a repository secret (e.g.RELEASE_BOT_TOKEN) and update the checkout step to use it.Option B — Open a PR for the version bump
Refactor the workflow to push the version commit to a short-lived branch (e.g.
chore/bump-v3.5.1), open a PR, and merge it — or use the GitHub GraphQLmergePullRequestmutation with admin merge.Option C — Exempt the
github-actions[bot]from branch protectionIn Settings → Branches → main → Protection rules, add
github-actions[bot]to the "Allow specified actors to bypass required pull requests" list and exempt it from thecheckstatus check requirement for bot commits.Also: once the push issue is resolved, any stale tag (e.g.
v3.5.1) that was partially created by a failed run will need to be deleted before the workflow can succeed:git push origin :refs/tags/v3.5.1.Additional Warning
The workflow also triggers a Node.js 20 deprecation warning for
actions/checkout@v4:Consider upgrading to
actions/checkout@v5(or later) before June 2026.