semantic-release: "Cannot push the version tag to the branch

Current behavior

Semantic-release had been working for a while, but suddenly started failing for me. The error message I get is:

SemanticReleaseError: Cannot push to the Git repository.
    at module.exports (/home/runner/work/Oranges/Oranges/node_modules/semantic-release/lib/get-error.js:6:10)
    at run (/home/runner/work/Oranges/Oranges/node_modules/semantic-release/index.js:98:11)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async module.exports (/home/runner/work/Oranges/Oranges/node_modules/semantic-release/index.js:269:22)
    at async module.exports (/home/runner/work/Oranges/Oranges/node_modules/semantic-release/cli.js:55:5) {
  code: 'EGITNOPERMISSION',
  details: '**semantic-release** cannot push the version tag to the branch `main` on the remote Git repository with URL `http://x-access-token:[secure]@github.com/benthevining/Oranges.git`.\n' +
'\n' +
'This can be caused by:\n' +
' - a misconfiguration of the [repositoryUrl](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/configuration.md#repositoryurl) option\n' +
' - the repository being unavailable\n' +
' - or missing push permission for the user configured via the [Git credentials on your CI environment](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/ci-configuration.md#authentication)',
  semanticRelease: true
}

The GitHub access token being used for this workflow has every single permission enabled, so I’m not sure what the problem is.

Expected behavior

Semantic-release should be able to push to my repository.

`semantic-release` version

19.0.3

CI environment

GitHub actions

Plugins used

No response

`semantic-release` configuration

https://github.com/benthevining/Oranges/blob/411228effca09cd1cc826ed6f2fd5098375150a9/package.json#L22

CI logs

https://github.com/benthevining/Oranges/runs/6989956263?check_suite_focus=true

About this issue

Original URL
State: open
Created 2 years ago
Reactions: 11
Comments: 16

Commits related to this issue

feat(release.yml): fixed ci/cd error The action was failing on the release step for this job, searched on internet and found that it's a known problem in the semantic-release proyect as per this issu... — committed to F2BEAR/jwtier by F2BEAR a year ago
chore: fixing the actions permissions More info here: https://github.com/semantic-release/semantic-release/issues/2481#issuecomment-1409780688 Also using the locally installed version of semantic-r... — committed to smoak/teamcowboy.js by smoak 9 months ago

Most upvoted comments

I was encountering this as well on semantic-release v20.1.0, using default configuration, and a custom token.

I was also able to fix this by adding the following to my workflow job:

    permissions:
      contents: write

This seemed strange because I use a custom token with all repository permissions enabled. I manually verified the token is valid, and to make matters even more strange, semantic-release worked expectedly in my other projects.

I found the failing command in the semantic-release codebase and noticed it doesn’t actually use the provided token, but just the default Git permissions on the CI: https://github.com/semantic-release/semantic-release/blob/d170f73e0b2a8a853a7bc58977a6b4b0887d8f17/lib/git.js#L209

Since semantic-release hasn’t had any changes in that code in years, I imagine this is caused by an unannounced security improvement in GitHub Actions being rolled out. Since it worked without permissions on my other repositories, perhaps this is only happening in newer repositories.

In any case, I think the best action here is for semantic-release to pass in the provided token to all git commands (e.g. via https://[TOKEN]@github.com/....git). That way, all interactions could behave much more predictably.

+21

privatenumber on Jan 31, 2023

I ran into this issue using semantic-release v20.1.0 as well.

I did not explicitly generate a GITHUB_TOKEN for my repository, but rather, depend on Automatic token authentication:

At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in a workflow run.

The default permissions for an auto generated token are read only.

Therefore, what worked to resolve this in my case was to grant the token Read and write permissions in my repository settings as described here: Configuring the default GITHUB_TOKEN permissions.

With this, I did not need to add …

  permissions:
    contents: write

… to my workflow.

Perhaps either approach results in the same internal process.

+14

theurgi on Feb 7, 2023

I see. Thanks for your help so far, I’ll try some things out!

benthevining on Jan 27, 2023

I think it needs at least write permission on contents, but haven’t tried that

rienheuver on Jan 27, 2023

Finally found it! My workflow had a permissions block at the root of the .yml file like this:

permissions:
      contents: read
      pages: write
      id-token: write

Apparently this did an override on the GH_TOKEN I provided to semantic-release. I moved this permissions block to the specific job that needed it and now it works 😄