Skip to content

CI: Bump & Release workflow fails — protected branch blocks direct push to main #393

Description

@bbolek-ap

Summary

The scheduled Bump & Release workflow (run #25152140201, job 73725009637) fails consistently at the Commit and tag step with two errors.

Errors

1. Protected branch rejects direct push

remote: error: GH006: Protected branch update failed for refs/heads/main.
remote:
remote: - Changes must be made through a pull request.
remote: - Required status check "check" is expected.
To https://github.com/andresharpe/dotbot
 ! [remote rejected] main -> main (protected branch hook declined)

The workflow calls git push origin main --tags directly, but the main branch has protection rules that require:

  • All changes go through a pull request
  • The check status check must pass before merging

2. Tag v3.5.1 already exists

 ! [rejected]        v3.5.1 -> v3.5.1 (already exists)
hint: Updates were rejected because the tag already exists in the remote.

A previous (failed) run already created the v3.5.1 tag locally and partially pushed it, so the tag now conflicts on re-runs.

Context

  • Workflow: .github/workflows/bump-release.yml (scheduled, runs daily)
  • Failing step: Commit and tag
  • Runner: Ubuntu 24.04, runner image 20260413.86.1
  • Version bumped: 3.5.0 → 3.5.1 (patch)
  • Exit code: 1

Root Cause

The Bump & Release workflow was designed to push a version bump commit directly to main, but branch protection rules have since been tightened to require PRs and a passing check status check. The GITHUB_TOKEN used by the action does not have the repository admin scope needed to bypass protection rules.

Suggested Fixes

Option A — Use a PAT with bypass rights
Replace ${{ secrets.GITHUB_TOKEN }} with a PAT that has the bypass branch protections permission scoped to this repo. Add the PAT as a repository secret (e.g. RELEASE_BOT_TOKEN) and update the checkout step to use it.

Option B — Open a PR for the version bump
Refactor the workflow to push the version commit to a short-lived branch (e.g. chore/bump-v3.5.1), open a PR, and merge it — or use the GitHub GraphQL mergePullRequest mutation with admin merge.

Option C — Exempt the github-actions[bot] from branch protection
In Settings → Branches → main → Protection rules, add github-actions[bot] to the "Allow specified actors to bypass required pull requests" list and exempt it from the check status check requirement for bot commits.

Also: once the push issue is resolved, any stale tag (e.g. v3.5.1) that was partially created by a failed run will need to be deleted before the workflow can succeed: git push origin :refs/tags/v3.5.1.

Additional Warning

The workflow also triggers a Node.js 20 deprecation warning for actions/checkout@v4:

Node.js 20 actions are deprecated … Actions will be forced to run with Node.js 24 by default starting June 2, 2026. Node.js 20 will be removed from the runner on September 16, 2026.

Consider upgrading to actions/checkout@v5 (or later) before June 2026.

Metadata

Metadata

Assignees

Labels

Projects

Status
Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions