Token generated from GitHub App not working with push-to-fork

[AjayJagan]

Subject of the issue

GitHub App can be used as a service account to generate short-lived tokens in the workflows. While trying to use such a token to create a pull request in a remote repo + push-to-fork, it fails with the error: Resource not accessible by integration
The fork exists in the same org, where the workflow runs and has the GH app installed in the fork repo.

Steps to reproduce

name: "test"
on:
  workflow_dispatch:
jobs:
  test:
    name: Test gh app token pr creation
    runs-on: ubuntu-latest
    steps:
      - uses: tibdex/github-app-token@v1
        id: generate-token
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Checkout remote repo
        uses: actions/checkout@v4
        with:
          token: ${{ steps.generate-token.outputs.token }}
          repository: <remote-repo-org>/<remote-repo-name>

     # Make changes to files

      - name: Create PR
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ steps.generate-token.outputs.token }}
          push-to-fork: <fork-repo-org>/<fork-repo-name> # This repo exists in the same org as the workflow and has the GH App installed.
          commit-message: <commit-message>
          delete-branch: true
          title: <title>

If this issue is describing a possible bug please provide (or link to) your GitHub Actions workflow.

Any help would be much appreciated :)

[peter-evans]

Hi @AjayJagan

Firstly, you should check that generate-token is actually generating tokens.

The fork exists in the same org, where the workflow runs and has the GH app installed in the fork repo.

The GH app should be installed in the repo where the workflow that needs to generate tokens is running. So it should be installed where the workflow runs, not the fork.
Please see the docs here to make sure it's setup correctly: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens

By the way, are you manually triggering this workflow from the UI? Or are you triggering it in some other way?

[AjayJagan]

I can see that it is generating the tokens using gh auth status(I tried using the action -> tibdex/github-app-token@v1 as well. No luck :()
The above step is when I tried to create a pr directly using a shell script + gh cli.(The same works with a PAT)

  ✓ Logged in to github.com account aj-gh-app[bot] (GH_TOKEN)
  - Active account: true
  - Git operations protocol: https
  - Token: ghs_************************************

Also, I tried using this token for updating repo variables, creating pr in the same repo etc and it worked well 😅
To make sure, I gave the option to install in All repositories and gave all the available permissions to the app.
For this case, I am manually triggering the workflow from UI

[peter-evans]

This issue might be related: https://github.com/orgs/community/discussions/69154#discussioncomment-7191057
Could be worth trying that action with the owner input set.

There might be similar settings on tibdex/github-app-token to give wider permissions. See the installation_retrieval_mode and installation_retrieval_payload inputs here.

I don't know anything further to help you, but I think this use case is possible. It's just a matter of finding the right permissions and setup of the GH app.

Please let me know if you manage to solve this.

[AjayJagan]

tried both, still the same issue :(

[peter-evans]

Hi @AjayJagan

For the upcoming v7 release I've been doing lots of testing and I think I understand why this wasn't working for you. I've managed to get GitHub App generated tokens working with push-to-fork, but there are limitations, which may make it not viable for your particular case.

Please read the new documentation for the v7 release at the following link. If it's not clear and you don't understand how it applies to your case, please let me know.
https://github.com/peter-evans/create-pull-request/blob/signed-commits/docs/concepts-guidelines.md#pushing-to-a-fork-with-fine-grained-permissions

You can try the release candidate for v7 like this:

- uses: peter-evans/create-pull-request@v7-rc

[AjayJagan]

Sorry for the late reply but thanks for this @peter-evans :)