Possible to use Github Apps tokens instead of PAT? #68

Closed
alfieyfc opened this issue Apr 9, 2021 · 8 comments

@alfieyfc
alfieyfc commented Apr 9, 2021

I know the docs say that a repo-scoped Personal Access Token (PAT) is required, and that GITHUB_TOKEN won't work.

Is it possible to use GitHub Apps instead of a PAT, which seems more appropriate in organization projects?

I tried something like this and it doesn't work, even with all permissions set to Read & Write for the App.

```yaml
steps:
  - name: Generate token
    id: automerge_t
    uses: tibdex/github-app-token@v1
    with:
      app_id: ${{ secrets.APP_ID }}
      private_key: ${{ secrets.APP_PRIVATE_KEY }}
  - name: Enable Pull Request Automerge
    uses: peter-evans/enable-pull-request-automerge@v1
    with:
      token: ${{ steps.automerge_t.outputs.token }}
      pull-request-number: ${{ github.event.pull_request.number }}
      merge-method: "REBASE"
```

Error message isn't very informative:

```
Fetching pull request ID
##[debug]PullRequestId: 'MDExOlB1bGxSZXXXXXXXXjEyMTM0MTM2'
Enabling auto-merge on pull request ID MDExOlB1bGxSZXXXXXXXjEyMTM0MTM2
##[debug]AutoMergeRequest: { enabledAt: null, enabledBy: { login: 'my-github-app' } }
Error: Failed to enable auto-merge
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Enable Pull Request Automerge
```

@peter-evans
Owner

Hi @alfieyfc

I haven't tested it, but I see no reason why it wouldn't work provided the GitHub Apps tokens have the correct scopes. I would guess that it didn't work because the other conditions weren't met.

Just in case, check your token has the correct scopes. I think it should be similar to this setup: https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens

@peter-evans
Owner

@alfieyfc I've just tested it and you are right, it doesn't seem to work.
See #69

The scopes I'm using are:

  • Contents - read/write
  • Pull requests - read/write

The scopes look correct so I'm wondering if this is a bug on GitHub's side.

@alfieyfc
Author

alfieyfc commented Apr 9, 2021

It doesn't work for this similar repo either, fyi
alexwilson/enable-github-automerge-action#28

@peter-evans
Owner

Good to know, thanks.

To clarify, GITHUB_TOKEN definitely won't work. That is expected because the default token doesn't have the scopes necessary to perform this action.

I think what is unexpected is that it doesn't work with GitHub App tokens. That should work because they are very similar to a PAT in the sense that you can define what scopes it has. I will make a request to GitHub support to ask them about it.

@peter-evans
Owner

GitHub Support have confirmed our findings, that it works with a PAT but not with GitHub App tokens. An internal issue has been raised with the engineering team to determine if this behaviour is expected.

@peter-evans
Owner

@alfieyfc GitHub Support responded to let me know this has been fixed. I've tested it in PR #69 and sure enough it works now! 🎉

@rodrigobrim

Do they have a plan to add the necessary scopes to GITHUB_TOKEN, or will these scopes open security holes?

@peter-evans
Owner

> Do they have a plan to add the necessary scopes to GITHUB_TOKEN, or will these scopes open security holes?

I can't speak for GitHub, but I'm fairly confident that these scopes will not be added to the default GITHUB_TOKEN. It would be a security issue, yes.
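
The workflow from the question, narrowed to the two scopes reported to work earlier in this thread. This is an added example, not code posted by any participant or taken from either project. The workflow name, trigger, job id and runner are hypothetical, and the `permissions` input is assumed to be available in the `tibdex/github-app-token` release that `@v1` resolves to.

```yaml
# Added example: least-privilege variant of the workflow from the question.
name: enable-automerge            # hypothetical workflow name
on: pull_request                  # hypothetical trigger

# The job never uses the default GITHUB_TOKEN, so grant it nothing.
permissions: {}

jobs:
  automerge:                      # hypothetical job id
    runs-on: ubuntu-latest
    steps:
      - name: Generate token
        id: automerge_t
        uses: tibdex/github-app-token@v1
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
          # Assumed input: request only the scopes listed in the thread
          # (Contents and Pull requests, read/write) instead of inheriting
          # every permission the App was installed with.
          permissions: >-
            {"contents": "write", "pull_requests": "write"}
      - name: Enable Pull Request Automerge
        uses: peter-evans/enable-pull-request-automerge@v1
        with:
          token: ${{ steps.automerge_t.outputs.token }}
          pull-request-number: ${{ github.event.pull_request.number }}
          merge-method: "REBASE"
```

Setting the App itself to Read & Write on only Contents and Pull requests, rather than on all permissions, bounds what a leaked private key can mint.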
