How to Push to a Protected Branch With a GitHub App Token
Add the App to the branch protection bypass list, then push with its installation token so the rule stays enforced for humans.
Commits made with the default GITHUB_TOKEN are blocked by branch protection just like anyone else. Mint an App token and add the App as an allowed bypass actor so only that automation can push.
Steps
- Add the App to the branch protection rule's bypass / allowed-actors list.
- Mint an App token with
contents: write. - Configure git to use the token and push.
Workflow
.github/workflows/ci.yml
steps:
- uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@v4
with:
token: ${{ steps.app-token.outputs.token }}
- run: |
git config user.name "release-bot[bot]"
git config user.email "release-bot[bot]@users.noreply.github.com"
git commit -am "chore: bump version"
git push origin mainGotchas
- Without the App in the bypass list, the push is rejected even with a valid token.
- Keep bypass scoped to the App only; do not disable the protection rule.
Related guides
How to Let Automation Bypass Required Reviews With a GitHub AppAllow a workflow to merge past required pull request reviews by adding a GitHub App to the branch protection…
How to Comment on and Label Issues With a GitHub App TokenPost comments and apply labels from CI using a GitHub App installation token, so the automation shows up as t…