semantic-release / git

:twisted_rightwards_arrows: semantic-release plugin to commit release assets to the project's git repository
MIT License

Unable to push assets to a gitlab protected branch #504

Open bolrock opened 6 months ago

bolrock commented 6 months ago

I have a protected master branch on my GitLab project.

[screenshot: 2024-02-14 07_31_03-Window]

I'm using this Docker image:

```dockerfile
FROM node:21-alpine
RUN apk --update --no-cache add git
ENV JAVA_HOME /usr/lib/jvm/java-17-openjdk
ENV PATH $PATH:$JAVA_HOME/bin
ENV MAVEN_HOME /usr/share/maven
ENV MAVEN_VERSION 3.9.6
RUN apk --no-cache add openjdk17-jdk --repository=https://adoptopenjdk.jfrog.io/adoptopenjdk/alpine/
RUN wget -q "https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" -O /tmp/apache-maven.tar.gz && \
  tar xzf /tmp/apache-maven.tar.gz -C /usr/share/ && \
  ln -s /usr/share/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/bin/mvn && \
  rm -f /tmp/apache-maven.tar.gz
RUN npm install -g semantic-release conventional-changelog-conventionalcommits @semantic-release/git @semantic-release/gitlab @semantic-release/exec
CMD ["mvn"]
```

and this config:

```json
{
  "branches": ["master"],
  "plugins": [
    ["@semantic-release/commit-analyzer", {
      "preset": "conventionalcommits"
    }],
    "@semantic-release/release-notes-generator",
    ["@semantic-release/exec", {
      "verifyReleaseCmd": "mvn versions:set -DnewVersion=\"${nextRelease.version}\" && echo \"NEXT_VERSION=${nextRelease.version}\" >> build.env"
    }],
    ["@semantic-release/git", {
      "assets": ["pom.xml"],
      "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
    }],
    "@semantic-release/gitlab"
  ]
}
```

Without the @semantic-release/git module it is working fine. The tag is created and pushed to the master branch. But it seems the module cannot push the assets to the master branch.

```text
[1:04:43 PM] [semantic-release] [@semantic-release/git] › ℹ  Found 1 file(s) to commit
[1:04:44 PM] [semantic-release] › ✘  Failed step "prepare" of plugin "@semantic-release/git"
[1:04:44 PM] [semantic-release] › ✘  An error occurred while running semantic-release: Error: Command failed with exit code 1: git push --tags https://gitlab-ci-token:[secure]@mygitlab.com/myproject.git HEAD:master
remote: GitLab: You are not allowed to push code to protected branches on this project.
```

Adding a `printenv` to the script, I can see my GITLAB_TOKEN variable with my token.

But I don't understand if it's really possible to push to master with a personal access token? I also tried removing the GITLAB_TOKEN from the project variables and adding

```yaml
before_script:
  - export GITLAB_TOKEN="$CI_JOB_TOKEN"
  - export GITLAB_URL="$CI_SERVER_URL"
```

Now `printenv` still shows me the variable

```text
GITLAB_TOKEN=[MASKED]
```

But it is still not working (for another reason):

```text
The GitLab token (https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) configured in the GL_TOKEN or GITLAB_TOKEN environment variable must be a valid personal access token
```

I don't want to unprotect my master branch. So what's the solution?

travi commented 6 months ago

> I also tried removing the GITLAB_TOKEN from the project variable and adding
>
> ```yaml
> before_script:
>   - export GITLAB_TOKEN="$CI_JOB_TOKEN"
>   - export GITLAB_URL="$CI_SERVER_URL"
> ```

Unfortunately, the CI_JOB_TOKEN does not provide the ability to push code. See https://github.com/semantic-release/semantic-release/issues/1729 for more discussion about that situation.

> Without the @semantic-release/git module it is working fine. The tag is created and pushed to the master branch. But it seems the module cannot push the assets to the master branch.

You need to verify the permissions you've granted to your token. You need to use a token that provides the appropriate level of access. It appears that the one you are using does not provide the ability to push code to a protected branch.