BUG: v2.1.4, update of auth-app.js is breaking, even if it claims not to be

[Brakistad]

Error when pushing workflows: "refusing to allow a GitHub App to create or update workflow without workflows permission"

Issue Reference

This issue relates to version v2.1.4

Problem Description

We recently encountered the following error when attempting to push changes:

! [remote rejected] <redacted:branch ref> -> <redacted:branch ref> (refusing to allow a GitHub App to create or update workflow `.github/workflows/<redacted:file ref>` without `workflows` permission)
error: failed to push some refs to '<redacted:repo ref>'

Investigation

We investigated possible causes and discovered that this action was updated between our last successful workflow run and when the error occurred. I'm unsure if this affects specific scopes only.

Workaround

Pinning to v2.1.1 resolved the issue for us. It's likely that v2.1.3 would have also worked, as a relevant update occurred in octokit/auth-app.js specifically in PR #712, which claims to be non-breaking.

Additional Context

Our current setup isn't perfect or recommended, but we are using a private key for this app stored in the repository environment secrets.

I don't know exactly how this maps to our specific problem, but I wanted to share that pinning to an earlier version than v2.1.4 resolved the issue for us, in case others encounter the same problem in their workflows.

[gr2m]

can you provide a reproducible test case? The error message your are getting suggests that your app lacks the workflow permission, everything seems to be working as expected. I don't see how a recent update might have broken anything in that regard