Cascading Merge Fails with v2.0.0+ Due to “Bad Credentials” Error

[snps-annaku]

Hello team,

I encountered an issue when attempting to upgrade from ActionsDesk/cascading-downstream-merge@v1.2.0 to v2.0.0 (and higher). While v1.2.0 works perfectly in my current setup, using v2.0.0 consistently fails with a 401 Bad Credentials error.

Run ActionsDesk/cascading-downstream-merge@v2.0.0 GET /repos/[org]/[repo]/branches - 401 file:///home/runner/_work/_actions/ActionsDesk/cascading-downstream-merge/v2.0.0/dist/index.js:31973 throw new RequestError(toErrorMessage(octokitResponse.data), status, { ^ RequestError [HttpError]: Bad credentials - https://docs.github.com/rest at fetchWrapper (index.js:31973:11) at async cascadingBranchMerge (index.js:34707:22) status: 401, authorization: 'token [REDACTED]'

What I’ve tried:
• Removed all branch protection rules to ensure they’re not interfering.
• Re-tested the workflow with the exact same configuration and token used in v1.2.0 (which works without issues).
• Still receiving the same error in v2.0.0.

Questions:
• Is there a change in how token permissions are handled in v2.0.0?
• Are there any additional scopes or configuration changes required starting from this version?

Any insights would be greatly appreciated!

Thanks,
Anna

[ncalteen]

Can you tell me what the permissions are of the token you are using? Is this the default token provided by the GitHub Actions workflow, or a separate PAT?

[ncalteen]

I ran through a few different tests to try to isolate this issue. Notes below! Do you by chance have a public repo where you were able to reproduce this behavior?

1. No branch protection, using default GITHUB_TOKEN: Success (Workflow Run)
2. No branch protection, using merge_token input (PAT with repo scope only): Success (Workflow Run)
3. No branch protection, using merge_token input (GitHub App with repository contents permissions only): Failure (Workflow Run)

The only one I was able to reproduce the error on was when using a GitHub App that only has read/write permissions to repository contents. However, the error I received is a bit different from yours:

PUT /repos/ncalteen-avocado/cascade-test/pulls/11/merge - 401 with id 40A9:D46AA:5CA185:B73FBD:68011232 in 55ms
Error: HttpError: Bad credentials - https://docs.github.com/rest

I updated the GitHub App permissions to include read/write access to pull requests, which seemed to do the trick (Workflow Run).

Are you able to reproduce this error in a sample repo I can review? Additionally, can you provide information about the permissions of the workflow token you are using?

[snps-annaku]

Hi @ncalteen,

Thank you for the follow-up.

Unfortunately, we are using GitHub Enterprise Server (3.12.13) within a private environment, so I can't reproduce this issue in a public repository.

I have tested all three options you listed (default GITHUB_TOKEN, PAT with repo scope, and GitHub App with repository contents permissions), but none of them made a difference. I still encountered the same "Bad credentials" error in all cases.

Additionally, I can confirm that our GitHub App permissions include read/write access to pull requests.

We also use the create-github-app-token action to generate credentials. Here is the relevant part of our workflow:

- name: Generate Dynamic Credentials
  id: app-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ vars.CUSTOM_GITHUB_MERGE_APP_ID }}
    private-key: ${{ secrets.CUSTOM_GITHUB_MERGE_KEY }}

- name: Execute Automatic Merge
  uses: ActionsDesk/cascading-downstream-merge@v3
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    merge_token: ${{ steps.app-token.outputs.token }}
    prefixes: release/
    ref_branch: master

Thanks, Anna

[ncalteen]

Can you try using the latest version of the actions/create-github-app-token action?

- name: Get GitHub App Token
  id: app-token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ var.CUSTOM_GITHUB_MERGE_APP_ID }}
    private-key: ${{ secrets.CUSTOM_GITHUB_MERGE_KEY }}
    owner: ${{ github.repository_owner }}

[ncalteen]

Also, if possible, would you be able to provide redacted run logs from the latest attempt?

[snps-annaku]

Hi @ncalteen,

Thank you for your suggestion. I have tried using the latest version of the actions/create-github-app-token.

Unfortunately, I am still encountering the same issue. For reference, the latest version of actions/create-github-app-token works correctly with ActionsDesk/cascading-downstream-merge@v1.2.0.

The logs from the latest attempt are the same as those provided in the ticket description. If you need any additional information, please let me know.

Thanks,
Anna