
@MadhavJivrajani
Created June 28, 2023 09:20
Jotting down notes on pushing to a protected branch in the Kubernetes org

TL;DR

The short-term mitigation would be to get an exception from CNCF, as suggested by Nikhita and Bob. For a long-term, more sustainable solution, the suggestion from Bob and Ben seems prudent, i.e. converting the GitHub Action into a Prow job.

Context

This seems to be an extremely common problem, with extensive discussion happening in the GitHub community [1][2]. Unfortunately, there doesn't seem to be a viable workaround for it. In the Kubernetes community, folks have gotten around it by disabling branch protection for the branches that need to be pushed to from actions [3].

There are workarounds such as https://github.com/CasperWA/push-protected, but these require a Personal Access Token (i.e. the credential of a human account with enough rights on the repository to get past the protection, stored as a repository secret), and they still don't handle the fact that the CLA needs to be signed by the committer, which the actions runner cannot do.

Prow

There is a Prow command called generic-autobumper which creates a PR authored by k8s-ci-robot and automerges it. This is, however, largely meant for config bumps and tag updates, and we can't really run custom commands from it. It would be simpler to have a presubmit for this. One caveat to keep in mind: a presubmit runs against the PR's head commit, so any secret mounted into the job is reachable by whatever the PR author can get executed; if the job ends up holding a token that can push releases, triggering it after merge (as a postsubmit) rather than on arbitrary PRs is the safer shape.

We can have a presubmit for the repo which looks like:

name: pull-aws-file-cache-csi-driver-helm-chart-release
cluster: eks-prow-build-cluster
decorate: true
run_if_changed: '^charts\/aws-file-cache-csi-driver\/'
path_alias: sigs.k8s.io/aws-file-cache-csi-driver
always_run: false
optional: true
extra_refs:
  - org: kubernetes-sigs
    repo: aws-file-cache-csi-driver
spec:
  containers:
  - image: quay.io/helmpack/chart-releaser
    command:
    - /bin/bash
    args:
    - -c
    - |
      git config user.name "Kubernetes Prow Robot"
      git config user.email "k8s.ci.robot@gmail.com"
      # Do things similar to: https://github.com/helm/chart-releaser-action/blob/main/cr.sh
      # cr config can be found in .github/cr.yaml
    env:
    - name: CR_TOKEN
      valueFrom:
        secretKeyRef:
          name: # need to think a little here based on what we are using CR_TOKEN for.
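
The YAML above leaves the body of the `args: -c` script as a comment. The following is an added example of what that body could look like, not code from the gist or from the Kubernetes project: it mirrors the package, upload and index steps of the referenced cr.sh using the `cr` CLI, which reads its GitHub token from the `CR_TOKEN` environment variable, so the token never appears on a command line. It assumes (not stated in the gist) the standard Prow job environment variables `REPO_OWNER`, `REPO_NAME`, `PULL_BASE_SHA` and `PULL_PULL_SHA`, that charts live under `charts/`, that the chart-releaser config is `.github/cr.yaml` as noted above, and that the Helm repository index is published on a `gh-pages` branch.

```shell
#!/bin/sh
# Added example: a candidate body for the Prow job's bash script.
# Mirrors package -> upload -> index from helm/chart-releaser-action's cr.sh.
# Assumptions (not from the gist): REPO_OWNER, REPO_NAME, PULL_BASE_SHA and
# PULL_PULL_SHA are the Prow-provided job env vars, charts live under charts/,
# cr config is .github/cr.yaml, and the index lives on the gh-pages branch.
set -eu

# Refuse to run without the robot token, and never print it.
require_token() {
  if [ -z "${CR_TOKEN:-}" ]; then
    echo "CR_TOKEN is not set; refusing to release" >&2
    return 1
  fi
}

# Read changed file paths on stdin; print the unique chart directories they
# belong to. Only paths under charts/<name>/ count; README, CI config and
# anything else outside charts/ is ignored.
changed_charts() {
  sed -n 's#^\(charts/[^/][^/]*\)/.*#\1#p' | sort -u
}

# Package, upload and index every chart touched between base and head.
release_changed_charts() {
  base="$1"
  head="$2"
  charts=$(git diff --name-only "$base" "$head" | changed_charts)
  if [ -z "$charts" ]; then
    echo "no chart changes between $base and $head; nothing to release"
    return 0
  fi

  # Commits to the pages branch are attributed to the Prow robot.
  git config user.name "Kubernetes Prow Robot"
  git config user.email "k8s.ci.robot@gmail.com"

  for chart in $charts; do
    cr package "$chart" --config .github/cr.yaml
  done

  # cr picks the token up from CR_TOKEN; passing it as --token would expose it
  # in `ps` output and in the job log if xtrace is ever enabled.
  cr upload --owner "$REPO_OWNER" --git-repo "$REPO_NAME" \
    --commit "$head" --skip-existing --config .github/cr.yaml
  cr index --owner "$REPO_OWNER" --git-repo "$REPO_NAME" \
    --charts-repo "https://$REPO_OWNER.github.io/$REPO_NAME" \
    --pages-branch gh-pages --push --config .github/cr.yaml
}

# Run only when executed as release-charts.sh, so the functions above can also
# be sourced and exercised on their own.
if [ "${0##*/}" = "release-charts.sh" ]; then
  require_token
  release_changed_charts "${PULL_BASE_SHA:?}" "${PULL_PULL_SHA:?}"
fi
```

Saved as `release-charts.sh` in the repository, the job's `args` can simply invoke it instead of carrying the script inline, which keeps the release logic reviewable in the same PRs that change the charts. The `secretKeyRef` in the YAML should then point at a secret holding only a token scoped to pushing releases and the pages branch of this one repository, since whatever that token can do, the job can do.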

[1] https://github.com/orgs/community/discussions/13836
[2] https://github.com/orgs/community/discussions/25305
[3] kubernetes/test-infra#20291
