semantic-release: "Cannot push the version tag to the branch
Current behavior
Semantic-release had been working for a while, but suddenly started failing for me. The error message I get is:
SemanticReleaseError: Cannot push to the Git repository.
at module.exports (/home/runner/work/Oranges/Oranges/node_modules/semantic-release/lib/get-error.js:6:10)
at run (/home/runner/work/Oranges/Oranges/node_modules/semantic-release/index.js:98:11)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async module.exports (/home/runner/work/Oranges/Oranges/node_modules/semantic-release/index.js:269:22)
at async module.exports (/home/runner/work/Oranges/Oranges/node_modules/semantic-release/cli.js:55:5) {
code: 'EGITNOPERMISSION',
details: '**semantic-release** cannot push the version tag to the branch `main` on the remote Git repository with URL `http://x-access-token:[secure]@github.com/benthevining/Oranges.git`.\n' +
'\n' +
'This can be caused by:\n' +
' - a misconfiguration of the [repositoryUrl](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/configuration.md#repositoryurl) option\n' +
' - the repository being unavailable\n' +
' - or missing push permission for the user configured via the [Git credentials on your CI environment](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/ci-configuration.md#authentication)',
semanticRelease: true
}
The GitHub access token being used for this workflow has every single permission enabled, so I’m not sure what the problem is.
Expected behavior
Semantic-release should be able to push to my repository.
semantic-release
version
19.0.3
CI environment
GitHub actions
Plugins used
No response
semantic-release
configuration
CI logs
https://github.com/benthevining/Oranges/runs/6989956263?check_suite_focus=true
About this issue
- Original URL
- State: open
- Created 2 years ago
- Reactions: 11
- Comments: 16
Commits related to this issue
- feat(release.yml): fixed ci/cd error The action was failing on the release step for this job, searched on internet and found that it's a known problem in the semantic-release proyect as per this issu... — committed to F2BEAR/jwtier by F2BEAR a year ago
- chore: fixing the actions permissions More info here: https://github.com/semantic-release/semantic-release/issues/2481#issuecomment-1409780688 Also using the locally installed version of semantic-r... — committed to smoak/teamcowboy.js by smoak 9 months ago
I was encountering this as well on semantic-release v20.1.0, using default configuration, and a custom token.
I was also able to fix this by adding the following to my workflow job:
This seemed strange because I use a custom token with all repository permissions enabled. I manually verified the token is valid, and to make matters even more strange, semantic-release worked expectedly in my other projects.
I found the failing command in the semantic-release codebase and noticed it doesn’t actually use the provided token, but just the default Git permissions on the CI: https://github.com/semantic-release/semantic-release/blob/d170f73e0b2a8a853a7bc58977a6b4b0887d8f17/lib/git.js#L209
Since semantic-release hasn’t had any changes in that code in years, I imagine this is caused by an unannounced security improvement in GitHub Actions being rolled out. Since it worked without permissions on my other repositories, perhaps this is only happening in newer repositories.
In any case, I think the best action here is for semantic-release to pass in the provided token to all git commands (e.g. via
https://[TOKEN]@github.com/....git
). That way, all interactions could behave much more predictably.Related issue: https://github.com/semantic-release/semantic-release/issues/2464
I ran into this issue using semantic-release v20.1.0 as well.
I did not explicitly generate a GITHUB_TOKEN for my repository, but rather, depend on Automatic token authentication:
The default permissions for an auto generated token are read only.
Therefore, what worked to resolve this in my case was to grant the token Read and write permissions in my repository settings as described here: Configuring the default GITHUB_TOKEN permissions.
With this, I did not need to add …
… to my workflow.
Perhaps either approach results in the same internal process.
I see. Thanks for your help so far, I’ll try some things out!
I think it needs at least
write
permission oncontents
, but haven’t tried thatFinally found it! My workflow had a
permissions
block at the root of the.yml
file like this:Apparently this did an override on the
GH_TOKEN
I provided to semantic-release. I moved this permissions block to the specific job that needed it and now it works 😄