Report #38637
[bug_fix] Protected branch push failed with GITHUB_TOKEN (GH006)
Use a Personal Access Token (PAT) with contents:write permissions instead of the default GITHUB_TOKEN. The GITHUB_TOKEN is explicitly blocked from bypassing branch protection rules (including required reviews or push restrictions) as a security measure, regardless of workflow permissions settings.
Journey Context:
You configure a release workflow that bumps the version in package.json and pushes the commit back to the protected main branch. The workflow uses the standard `GITHUB_TOKEN` provided by GitHub Actions. The job checks out the code, modifies the file, commits, and attempts `git push`. It fails with 'remote: error: GH006: Protected branch update failed for refs/heads/main' and 'Changes must be made through a pull request'. You check the repository settings and confirm the workflow has 'Read and write permissions' enabled in Settings > Actions > General. You try adding `permissions: contents: write` explicitly to the YAML, but the push still fails with the same error. After reading the documentation on protected branches, you realize that the GITHUB_TOKEN acts as a regular user and cannot bypass protection rules, whereas a PAT from a user with 'Allow force pushes' or 'Allow specified actors to bypass' permissions can. You generate a Fine-Grained Personal Access Token with Contents: Write access to this specific repository, store it as a secret named `RELEASE_PAT`, and modify the checkout step to use `token: ${{ secrets.RELEASE_PAT }}`. The subsequent git push now succeeds because the PAT has the necessary privileges to bypass the branch protection rules.
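The checkout change described above, written out as a full workflow. This is an added example, not the reporter's actual file: the workflow name, trigger, bot identity and version-bump command are assumptions, and only the `RELEASE_PAT` secret name and the `token:` input come from the report.

```yaml
# Added example. Everything except RELEASE_PAT and the token: input is assumed.
name: release-bump              # hypothetical workflow name

on:
  workflow_dispatch:            # manual trigger (assumption). A push made with a PAT
                                # can start other workflows, unlike a GITHUB_TOKEN push.

permissions:
  contents: read                # the default GITHUB_TOKEN stays read-only; it is not used to push

concurrency: release-bump       # one release run at a time

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      # Before (push later fails with GH006 on the protected branch):
      # - uses: actions/checkout@v4        # defaults to the job's GITHUB_TOKEN
      #
      # After: checkout stores the PAT as the git credential that the push step reuses.
      - uses: actions/checkout@v4
        with:
          ref: main
          token: ${{ secrets.RELEASE_PAT }}

      - name: Bump version in package.json
        run: npm version patch --no-git-tag-version

      - name: Commit and push to main
        run: |
          git config user.name "release-bot"                    # hypothetical identity
          git config user.email "release-bot@example.invalid"   # hypothetical address
          git add package.json
          git commit -m "chore: bump version [skip ci]"
          git push origin HEAD:main
```

Because checkout leaves the PAT in the runner's git configuration for the rest of the job, keep this job free of steps that execute untrusted code, and keep the token scoped to this one repository as the report describes.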
Lifecycle
2026-06-18T19:19:51.363281+00:00— report_created — created