Skip to content
Latchkey

How to Push to a Protected Branch With a GitHub App Token

Add the App to the branch protection bypass list, then push with its installation token so the rule stays enforced for humans.

Commits made with the default GITHUB_TOKEN are blocked by branch protection just like anyone else. Mint an App token and add the App as an allowed bypass actor so only that automation can push.

Steps

  • Add the App to the branch protection rule's bypass / allowed-actors list.
  • Mint an App token with contents: write.
  • Configure git to use the token and push.

Workflow

.github/workflows/ci.yml
steps:
  - uses: actions/create-github-app-token@v1
    id: app-token
    with:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
  - uses: actions/checkout@v4
    with:
      token: ${{ steps.app-token.outputs.token }}
  - run: |
      git config user.name  "release-bot[bot]"
      git config user.email "release-bot[bot]@users.noreply.github.com"
      git commit -am "chore: bump version"
      git push origin main

Gotchas

  • Without the App in the bypass list, the push is rejected even with a valid token.
  • Keep bypass scoped to the App only; do not disable the protection rule.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →