Bioconda workflow failed with push error due to insufficient permissions

[corneliusroemer]

+ git push nextstrain upstream/master:master
To https://github.com/nextstrain/bioconda-recipes
 ! [remote rejected]       upstream/master -> master (refusing to allow a Personal Access Token to create or update workflow `.github/workflows/Bulk.yml` without `workflow` scope)
error: failed to push some refs to 'https://github.com/nextstrain/bioconda-recipes'
Error: Process completed with exit code 1.

https://github.com/nextstrain/nextclade/actions/runs/9884976601/job/27302228960

[corneliusroemer]

I've seen this before in a different repo, I think this might be due to some changes on our fork vs the bioconda master.

[corneliusroemer]

Seems to happen stochastically, e.g. last time here.

Maybe we can just retry he action 3 times before failing eventually?

https://github.com/nextstrain/nextclade/actions/runs/9577731744/job/26406514723

[corneliusroemer]

Alternatively the issue could be that the nextstrain fork isn't up to date, we might want to sync it first?

[corneliusroemer]

A manual sync of our nextstrain fork fixed it. We should probably do this every time automatically before pushing at the start of the workflow. Or we give the PAT workflow permissions.

[ivan-aksamentov]

Context: https://bedfordlab.slack.com/archives/C01LCTT7JNN/p1683672353211379

This thing fails every time bioconda touches their GHA workflows. Me and Tom tried different ways to update the fork, but nothing seems to be working.

Current thing:

nextclade/scripts/publish_bioconda

Lines 67 to 71 in 4d62bb7

	## Add Nextstrain fork (https://github.com/nextstrain/bioconda-recipes) as a remote
	git remote add nextstrain "https://github.com/nextstrain/bioconda-recipes" >/dev/null
	# Update master branch of the fork
	git push nextstrain upstream/master:master

I just do this manually every time it fails. But forgot to check this time.

The problem is nonsensical. Would be nice to find a solution.

[ivan-aksamentov]

I've been thinking lately (in general) what is the value proposition of GitHub forks? That GitHub can fail things randomly and gather some intel on who is networking with whom? I mean, it could be just a standalone repo with periodic pushes from origin repo.

[tsibley]

@ivan-aksamentov There's not a compelling reason for the repo in its current state to be a GitHub fork, other than making it maybe slightly clearer in the GitHub UI what it's related to. I believe you can submit PRs to repos from arbitrary other repos, without them being marked as a GitHub fork. So we could disassociate it. But that wouldn't solve the issue of the token not being allowed to introduce new GitHub Actions workflow files, right?

(I followed up in Slack too.)