How to resolve "refusing to allow an OAuth App to create or update workflow" on git push

Question

Getting

refusing to allow an OAuth App to create or update workflow .github/workflows/cd.yml without workflow scope"

on git push. How to grant workflow scope?

Answer 1

I've literally just come across this problem when trying to use IntelliJ to push to a branch that contains a GitHub Action workflow (YAML file in .github/workflows). I didn't find existing resources on the Internet very helpful, so I hope this will help you fix it too.

TL;DR: Update your Personal Access Token with the workflow scope enabled in GitHub, or create a new one, and configure your application to use that.

Background: third-party tools with GitHub integrations like IntelliJ, Visual Studio Code, Github Desktop, etc use tokens to connect to your GitHub account so they can pull/push, etc on your behalf. In the case of IntelliJ, their instructions only say to include the repo, the gist, and the read:org scopes. But you need the workflow scope to modify GitHub Actions.

Here's how to fix it:

1. In your Github account, go to Settings (in your avatar dropdown in the top right-hand corner)
2. Go to Developer Settings > Personal Access Tokens
3. If your token is listed, update it to include the workflow scope:
   • Click on the token name.
   • Select workflow scope and save.
   • If the app you use won't re-fetch permissions for your token automatically, you may have to create a new one (step 4 below).
   • Click on Update Token to save the change. DONE!
4. If there's no token listed there, generate a new one:
   • Click on Generate Token.
   • Select the scopes you need, including workflow.
   • Read the information carefully, then click OK to continue.
   • Copy the new token that Github shows you.
   • Apply the new token to your application. For example, for the Intellij IDE, go to Settings > Version Control > GitHub, remove the existing integration and re-add it, pasting in the new token.

Answer 2

For Windows 10: Go to Settings -> Credentials Manager -> Windows Credentials -> Remove github.com credentials -> git pull/push your github project from git-bash console -> Reconnect GitHub Account in your IDE/Source control. You don't need create Personal Access Token with "workflow", you don';t need create secret GITHUB_TOKEN (it creates auto and can't created manual)

Answer 3

I have one personal GitHub account (Spragucm) and two non-enterprise GitHub organizations (HoverDroids and tCubedStudios).

GitKraken was seeing repos for Spragucm and HoverDroids but not tCubedStudios.

HoverDroids Third-party application access policy was:

tCubedStudios Third-party application access policy was:

Notice tCubedStudios didn't list GitKraken and there is no option in the organization to manually add the application.

Signing in/out of GitKraken did not allow me to select and approve another organization, nor did uninstalling/re-installing.

The Solution:

1. Open Applications in my personal account (Spragucm)

2. Select GitKraken settings and click the grant button for the organization (clearly a bad photoshop job in my image, but that's where the button was)

3. Go to the tCubedStudios Third-party application access policy and verify it now shows GitKraken and GitKraken Services

Answer 4

I solved my issue by simply deleting the file <my-project>\.github\workflows\pre-release-build.yml and then commiting and pushing

I faced this issue while trying to push a brand new repo. I was surrised to see this as it was brand new but then I realised my .github was copied from another hence it needed to be removed.

Answer 5

On Windows 10 Here is step by step how I was able to fix the issue

I've included lots of screenshots `cause this was way harder to resolve then it should have been.

In hind sight, what @CSRedRat said is right but as I was having the problem I couldn't understand that because the answer was so terse.

Ultimately what led me to the solution was this article which makes the situation more clear.

Here's the deal. While you can work around this issue using the GitHub Developer Settings Menu to generate a new token and then pasting that into the Windows Credential Manager, you shouldn't because eventually that token will expire and then you will be having this issue again since nothing will know how to refresh the token since you set it manually.

Instead, this token privs issue needs fixed via Git for Windows. So the deal is the "old" Git Credential Manager for Windows didn't ask for privs to create or update workflows but now you need them. The good news is there is a new version our called Git Credential Manager Core and it does ask for these privs and more.

The new credential manager ships with Git 2.28 and later, but isn't enabled by default. If you already have Git for Window of this version or later installed then you already have the software even. In my case I had version 2.30.2 so I already had the new software.

But it was still using my old Git for Windows credentials which don't carry the privs needed. That may be your case as well or if you don't have a version older 2.28 then you need to first install a newer version. Either way, once you have a new enough version of Git for Windows on your machine the next step is to remove the old credentials by typing "windows credential manager" in the windows search box.

Then find each git credential, click on it and click the remove button.

Now next time you try to access your get account from git bash Visual Studio or whatever git client you use, you will be prompted for new credentials because the old ones are gone. Click the Sign in with your browser button in the dialog below:

Then you will see a web page like this one below, and if you expand the workflow drop down you will see it is asking for the privs you need this time. Then click Authorize button.

Once you do that, you will see a page like this for providing your github password:

Now you have a new credential in your windows credential manager that has the privs you need and your operation that use to fail will now succeed. Yea!

Answer 6

Running macOS. I am pushing my .yml workflow file from my text editor.

1. Go to github personal access tokens settings and generate a new token. Make sure you select both repo and workflow access scope.

2. Go to Keychain Access app on Mac, and search for github. I found an entry (shown below) named github.com, of Internet password kind, which was previously filled with a seemingly random token. Replace the password entry with the generated token (the one begins with ghp_) from step 1.

Answer 7

Fixed this by using the Desktop Github App for pushing my changes (it seems to have full permissions vs. the limited scope of vs code).

After getting that one commit with the modified workflow file pushed through, I was able to make push commits normally again in vs code.

Answer 8

You also can change from using https to using SSH.

1. Create your SSH key, you can follow the docs.
2. Change your remote from https to SSH, also you can follow the docs.

Answer 9

1. Find your token, should be here https://github.com/settings/tokens
2. Grant workflow as showing below

Answer 10

This happened to me on GitKraken. I simply disconnected and reconnected GitHub from GitKraken and it worked.

Answer 11

In my case, I had stale GitHub credentials in macOS Keychain. I was modifying a workflows file and pushing the changes from the command line, hence I didn't think of checking the Keychain at all. The Updating credentials from the macOS Keychain explained how to use git credential-osxkeychain to erase the Keychain:

$ git credential-osxkeychain erase
host=github.com
protocol=https
> [Press Return]

I then had to enter my username and password again. This time I generated a new personal access token and used that token for the password. Then I could finally push the workflows changes.

Answer 12

This issue also happens simply because your current token is not allowed to work with workflow on Github. Do the following steps to fix

For people using Android Studio on MacOS:

1. Delete your current token (Preferences -> Version Control -> GitHub):

remember to hit the "Ok" button.

2. Try to push/pull again from Android Studio, an popup now will appear.

3. Hit Use Token... button, another popup will appear.

4. Click on Generate, you will be sent to GitHub website to generate a new token. Remember to select the workflow permission.

5. Click generate Button to get a new token and paste it to Android Studio in step 3. It's all set now.

Answer 13

This happened to me on PHPStorm. I was trying to use the IDE to commit and push my alterations, so when i got the error, i tried to push with command line on IDE console and i got it.

Answer 14

I followed this article to install Git Credential Manager Core to handle this automatically - and it works well for me (macOS):

Using homebrew:

brew tap microsoft/git
brew install --cask git-credential-manager-core

Answer 15

I had this issue with CLion 2020.2.3 while attempting to push a change to .\github\workflows\build.yml. CLion appears to use the "JetBrains IDE Integration" token (GitHub Settings -> Applications -> Authorized OAuth Apps) which does not include the "workflow" scope. There does not appear to be a way to change the scope of this token.

I created a new Personal Access Token with the correct permissions (GitHub Settings -> Developer settings -> Personal access tokens -> Generate new token), but I was unable to configure CLion to use it.

Ultimately I was able to push the commit using GitHub Desktop instead.

Answer 16

For IntelliJ IDE users, follow these simple steps:

1. Go to Files > Settings > Version Control > Github and remove the Github account by clicking on the account and then on the '-' button.
2. Then Sign in to Github.com in your default browser & then click on the '+' button on the same IDE window we opened in step 1. Then select 'Login with token'.
3. Click on the Generate Button.
4. This will open a GitHub page in your browser with all the permission prefilled. All you have to do is click on 'Generate Token' at the bottom of the page. Then use that token to fill it in the IDE pop-up window.
5. Close the settings window & push your code again. This always works for me.

Answer 17

It may be unexpected but, in my particular case this error was caused by a custom ~/.netrc file I created for GitHub (private Golang packages installation)

You can go there and check if you have one.

machine github.com login {username} password {github_token}

Answer 18

Issue can be solved without PAT token by cloning repository with SSH key.

Answer 19

I encountered this problem in VS Code after configuring the hosting of my site with Firebase and giving it permission to perform updates directly from my github repos.

Evidently this configuration changed some settings of github itself.

To solve it, I simply logged out of the account and logged back in to VS Code.

Answer 20

This error occurs when your local environment is configured using the github cli. It's not immediately clear what's needed to update the permissions. In the case of the CLI, though, you can run the below command to enable it and then proceed forward.

gh auth login --scopes workflow

Answer 21

I run into the same issue after pushing my initial commit for an nbdev project. This did the the trick for me:

1. deleting all .yaml files under .github/workflows
2. git add ., git commit -m "CommitMessage" and git push
3. adding the .yaml files directly on GitHub (under Actions tab and then New workflow
4. git pull

Then you can keep on working on your local repo and should be able to push your changes to Github without any error messages.

Answer 22

I had to upgrade my Git For Windows to version 2.29.2.2. That allowed the git command line to sign in through the browser, which GitHub now requires.

I did this after trying a Windows Credential Manager reset and regenerating my Personal Access Token, which didn't resolve it. But it did cause GitHub to send me an email like this:

[GitHub] Action required - Password authentication in Git for Windows is no longer supported

We have detected that you recently attempted to authenticate to GitHub using an older version of Git for Windows. GitHub has changed how users authenticate when using Git for Windows, and now requires the use of a web browser to authenticate to GitHub. To be able to login via web browser, users need to update to the latest version of Git for Windows.

Answer 23

If you push to a repo and see:

(refusing to allow a Personal Access Token to create or update workflow .github/workflows/docker_build_push.yml without workflow scope)

It means the GitHub Personal Access Token (PAT) you're using doesn't have 'Workflows' permissions.

To fix

1. Go here: https://github.com/settings/tokens
2. Create a new Personal Access Token (PAT) and be sure to check the 'workflows' box
3. Copy the resulting PAT to clipboard
4. Delete or revoke any existing PAT(s) (this is done at the same GitHub link)
5. Since the existing PAT was revoked/deleted, next time you push/pull from a private repo you'll be prompted for a github username (your actual github username or email will work) and a password (paste the PAT into the password field).

That's it! It should push and the error should be gone now.