Environment secrets readable in a schedule event workflow?

[moritzschmitz-oviva]

I have a protected branch with required status checks and one required approver. The branch is also part of an environment which adds the secret REPO_SSH_WRITE.

My understanding is that the ssh deploy key 'user' however is treated like a repository admin when having write access.

Pushing to the branch however fails.

From https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys:

Deploy keys with write access can perform the same actions as an organization member with admin access, or a collaborator on a personal repository.

Run log:

remote: error: GH006: Protected branch update failed for refs/heads/main-nightly.        
remote: error: Required status check "version-validator" is expected. At least 1 approving review is required by reviewers with write access. You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information.        
To https://github.com/xxx/database-changes
 ! [remote rejected]   main-nightly -> main-nightly (protected branch hook declined)
error: failed to push some refs to 'https://github.com/xxx/database-changes'

workflow.yml:

name: Open nightly pull request

on:
  workflow_dispatch:
  schedule:
    - cron: '0 23 * * *'

jobs:
  update-branch:
    name: Update branch
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ssh-key: ${{ secrets.REPO_SSH_WRITE }}
          fetch-depth: 0
          ref: main-nightly

      - name: Update branch
        run: |
          git config user.email "github-actions@oviva.internal"
          git config user.name "Github Actions"
          git merge origin/main -m "Automatic nightly merge"
          git push

EDIT: Add info about the environment.

[airtower-luna]

Does your branch protection rule allow admin overrides? That's optional, and if disabled even admins can't force-push a protected branch.

[moritzschmitz-oviva]

I cannot find that option. Only the other way around I can limit even admins from bypassing required checks.

[moritzschmitz-oviva]

Screenshot of the bottom section: https://imgur.com/a/ionjWXb

[airtower-luna]

I just checked, there are two settings that should be relevant:

The first one would have to be disabled to allow admins to skip protections, and the second one would have to be enabled – otherwise force-push is completely prohibited.

[moritzschmitz-oviva]

To be honest this doesn't make a lot of sense to me. Almost everywhere it says that an admin can do everything.

Admin can push to protected branches: https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization

[moritzschmitz-oviva]

Maybe I should add that the secret for the REPO_SSH_WRITE is only available in an environment. Perhaps that environment is not used when the job is run via the schedule event?

[moritzschmitz-oviva]

Aaaaand, I found the problem...

environment: main-branch was missing.