It looks like this package doesn't take protected branches into account yet

[danielh-official]

If you have a ruleset which prevents direct contributions to main (i.e., not via pull request), then the action will fail, telling you:

 INPUT_TAGGING_MESSAGE: 
No tagging message supplied. No tag will be added.
INPUT_PUSH_OPTIONS: 
remote: error: GH013: Repository rule violations found for refs/heads/main.        
remote: Review all repository rules at https://github.com/danielh-official/ynab-sdk-laravel/rules?ref=refs%2Fheads%2Fmain        
remote: 
remote: - Cannot update this protected ref.        
remote: 
remote: - Changes must be made through a pull request.        
remote: 
To https://github.com/danielh-official/ynab-sdk-laravel
 ! [remote rejected] HEAD -> main (push declined due to repository rule violations)
error: failed to push some refs to 'https://github.com/danielh-official/ynab-sdk-laravel'
Error: Invalid status code: 1
    at ChildProcess.<anonymous> (/home/runner/work/_actions/stefanzweifel/git-auto-commit-action/v5/index.js:17:19)
    at ChildProcess.emit (node:events:519:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5) {
  code: 1
}

According to https://stackoverflow.com/questions/69263843/how-to-push-to-protected-main-branches-in-a-github-action, you can create a deploy key and then run your action with it as a secret.

My current update-changelog.yml is written like this:

name: "Update Changelog"

on:
  release:
    types: [released]

permissions:
  contents: write

jobs:
  update:
    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: main

      - name: Update Changelog
        uses: stefanzweifel/changelog-updater-action@v1
        with:
          latest-version: ${{ github.event.release.name }}
          release-notes: ${{ github.event.release.body }}

      - name: Commit updated CHANGELOG
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          branch: main
          commit_message: Update CHANGELOG
          file_pattern: CHANGELOG.md

If I add the secret, I'm hoping I will be able to keep my branch protection while the action bypasses it.

name: "Update Changelog"
with:
    ssh-key: ${{secrets.YOUR_SECRET_KEY}}

on:
  release:
    types: [released]

permissions:
  contents: write

jobs:
  update:
    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: main

      - name: Update Changelog
        uses: stefanzweifel/changelog-updater-action@v1
        with:
          latest-version: ${{ github.event.release.name }}
          release-notes: ${{ github.event.release.body }}

      - name: Commit updated CHANGELOG
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          branch: main
          commit_message: Update CHANGELOG
          file_pattern: CHANGELOG.md

[danielh-official]

Getting an error when I try to implement. My research tells me that GitHub Apps are the recommended way to go, but I have little experience with those.

[danielh-official]

Found this: https://github.com/stefanzweifel/git-auto-commit-action/tree/v5/?tab=readme-ov-file#push-to-protected-branches

[stefanzweifel]

This is the right link to the solution. Using a personal access token to push the commit to the repo is the easiest solution to bypass protected branch rules.

[danielh-official]

@stefanzweifel Can I use fine-grained tokens for this, or am I limited to classic tokens?

[danielh-official]

I was able to get this to work by creating a Fine Grained Token and setting Contents (Repository Permissions) to Read & Write.

Nothing else is needed other than adding the resulting token to my repository's secrets (https://github.com/{your repository}/settings/secrets/actions) and changing the action to use the PAT variable.

name: "Update Changelog"

on:
  release:
    types: [released]

permissions:
  contents: write

jobs:
  update:
    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: main
          token: ${{ secrets.PAT }}

      - name: Update Changelog
        uses: stefanzweifel/changelog-updater-action@v1
        with:
          latest-version: ${{ github.event.release.name }}
          release-notes: ${{ github.event.release.body }}

      - name: Commit updated CHANGELOG
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          branch: main
          commit_message: Update CHANGELOG
          file_pattern: CHANGELOG.md

I hope this added information helps anyone struggling with this problem.