[BUG] file: Not Found. Make sure the branch where signatures are stored is NOT protected.

[couto]

Describe the bug
We're trying to store signatures in a different repository.

To Reproduce

1. Create a private repository inside an organization (<cla-repo-name>) (Default settings)
2. In the repository that you want the contributor-assistant/github-action to run (<repo-name>), add the following file to .github/workflows/on-pull-request-cla.yml

name: "CLA Assistant"
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
permissions:
  actions: write
  contents: write # this can be 'read' if the signatures are in remote repository
  pull-requests: write
  statuses: write

jobs:
  CLAAssistant:
    runs-on: ubuntu-latest
    steps:
      - name: "CLA Assistant"
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
        uses: contributor-assistant/github-action@v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # the below token should have repo scope and must be manually added by you in the repository's secret
          # This token is required only if you have configured to store the signatures in a remote repository/organization
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: "<repo-name>/signatures/version1/cla.json"
          path-to-document: "https://github.com/<org-name>/<repo-name>/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md" # e.g. a CLA or a DCO document
          # branch should not be protected
          branch: "main"
          allowlist: bot*

          # the followings are the optional inputs - If the optional inputs are not given, then default values will be taken
          remote-organization-name: <org-name>
          remote-repository-name: <cla-repo-name>
          suggest-recheck: false
          #create-file-commit-message: 'For example: Creating file for storing CLA Signatures'
          #signed-commit-message: 'For example: $contributorName has signed the CLA in $owner/$repo#$pullRequestNo'
          #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign'
          #custom-pr-sign-comment: 'The signature to be committed in order to sign the CLA'
          #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.'
          #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true)
          #use-dco-flag: true - If you are using DCO instead of CLA

3. Open a Pull Request from a fork (or a normal Pull Request for that matter)
4. Sign the CLA by adding the required comment
   
5. Github Action fails with the following error:

Run contributor-assistant/github-action@v2.6.1
  with:
    path-to-signatures: <repo-name>/signatures/version1/cla.json
    path-to-document: https://github.com/<org-name>/<repo-name>/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md
    branch: main
    allowlist: bot*
    remote-organization-name: <org-name>
    remote-repository-name: <cla-repo-name>
    suggest-recheck: false
    use-dco-flag: false
    lock-pullrequest-aftermerge: true
  env:
    GITHUB_TOKEN: ***
    PERSONAL_ACCESS_TOKEN: ***
CLA Assistant GitHub Action bot has started the process
Error: Error occurred when creating the signed contributors file: Not Found. Make sure the branch where signatures are stored is NOT protected.
Error: Committers of pull request [2](https://github.com/<org-name>/<repo-name>/actions/runs/12393606425/job/34598991416?pr=28#step:2:2)8 have to sign the CLA

Expected behavior
I was expecting the action to create the following folder structure in <cla-repo-name>: <repo-name>/signatures/version1/ with the cla.json file inside.

Screenshots
If applicable, add screenshots to help explain your problem.

Questions

Github has a new Personal Token System (Fine-grained tokens), could anyone clearly state which permissions are required to assign to that token?

Also, since now, developers can create tokens owned by an organization (Resource owner), are those compatible? And if so, which permissions do they require?

Thank you

[couto]

Ok, for future reference.

The problem was a spelling mistake in the name of the remote repository.

Nevertheless it would be really useful to know the answers to the questions at the bottom for better documentation of the process. Thank you <3

[filmaj]

+1, very confusing debugging issues with this action when it comes to GitHub API errors. Do we need a classic token or a fine-grained one? What Resource Owner should be set on the token if a fine-grained token needs to be used? What permissions should be assigned to such a token?

[filmaj]

For the record: in our situation, if we used a fine-grained token with a Resource Owner that is an org, we would get a variety of problems such as an HTTP 500 response from the repos.getContents GitHub API.

We had to swap to a classic personal access token to get this to work in the enhance-dev org.