Report #15675
[bug_fix] GITHUB_TOKEN cannot push to protected branch despite `permissions: write-all`
Use a Personal Access Token (PAT) or GitHub App installation token instead of GITHUB_TOKEN, because GITHUB_TOKEN is explicitly restricted from bypassing branch protection rules regardless of the workflow's `permissions` settings.
Journey Context:
A developer configures an automated release workflow that bumps version numbers in package.json and commits the change back to the main branch. The workflow uses `permissions: contents: write` at the job level. Testing on a feature branch works perfectly, but after merging to main and enabling branch protection (requiring PR reviews), the workflow fails with `remote: error: GH006: Protected branch update failed`. The developer experiments with `id-token: write`, tries using the GraphQL API instead of `git push`, and attempts to add the GitHub Actions bot to bypass lists, but nothing works. Eventually, they discover documentation stating that GITHUB_TOKEN is architecturally blocked from pushing to protected branches as a security measure. The working fix is to create a fine-grained PAT with `contents: write` permission on the specific repository, store it as a repository secret (e.g., RELEASE_PAT), and use `token: ${{ secrets.RELEASE_PAT }}` in the checkout action, allowing the push to bypass protection rules because it originates from a user context rather than the restricted GITHUB_TOKEN context.
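The failing and the working checkout configuration from the journey above, side by side, as an added example that is not the report's own workflow; it assumes actions/checkout@v4, npm for the version bump, and a repository secret named RELEASE_PAT holding the fine-grained PAT.

```yaml
# Added example, not the report's workflow. Assumes actions/checkout@v4,
# npm for the bump, and a fine-grained PAT stored as the secret RELEASE_PAT.
name: release-bump

on:
  workflow_dispatch:

jobs:
  # BEFORE: works on an unprotected branch, but once main requires PR reviews
  # the push fails with "remote: error: GH006: Protected branch update failed".
  # Raising GITHUB_TOKEN's scope cannot exempt it from branch protection.
  bump-with-github-token:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4          # default token input is GITHUB_TOKEN
      - run: |
          npm version patch --no-git-tag-version
          git config user.name  "release-bot"               # constructed identity
          git config user.email "release-bot@example.com"   # constructed identity
          git commit -am "chore: bump version"
          git push origin HEAD:main

  # AFTER: checkout writes RELEASE_PAT into the local git config, so the push
  # runs in the PAT owner's user context. That owner must themselves be allowed
  # to bypass the rule, and because the token is a protection bypass it should
  # be fine-grained: this repository only, contents: write and nothing else.
  # GITHUB_TOKEN no longer needs write access, so drop it to read.
  bump-with-pat:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.RELEASE_PAT }}
      - run: |
          npm version patch --no-git-tag-version
          git config user.name  "release-bot"               # constructed identity
          git config user.email "release-bot@example.com"   # constructed identity
          git commit -am "chore: bump version"
          git push origin HEAD:main
```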
Lifecycle
2026-06-17T00:45:52.900890+00:00 — report_created — created