Protected branch update failed for refs/heads/main. How to handle it?

[shaobeichen]

Current behavior

One of my organizational repositories is using semantic-release, this is the first use, my main branch has protection rules turned on, and then this happens, how do I deal with it? Can you pull request instead of push?

The Github token has all the permissions except the deletion permission.

Expected behavior

I hope I can pass ci normally

semantic-release version

19.0.5

CI environment

github actions

Plugins used

No response

semantic-release configuration

{
    "branches": [
        {
            "name": "main"
        }
    ],
    "plugins": [
        "@semantic-release/commit-analyzer",
        "@semantic-release/release-notes-generator",
        "@semantic-release/changelog",
        "@semantic-release/npm",
        [
            "@semantic-release/git",
            {
                "assets": [
                    "package.json",
                    "CHANGELOG.md"
                ],
                "message": "release: v${nextRelease.version} [skip ci] \n\n${nextRelease.notes}"
            }
        ],
        "@semantic-release/github"
    ]
}

CI logs

[3:30:55 PM] [semantic-release] [@semantic-release/git] › ℹ  Found 2 file(s) to commit
[3:30:56 PM] [semantic-release] › ✖  Failed step "prepare" of plugin "@semantic-release/git"
[3:30:56 PM] [semantic-release] › ✖  An error occurred while running semantic-release: Error: Command failed with exit code 1: git push --tags https://github.com/make3waves/makaka HEAD:main
remote: error: GH006: Protected branch update failed for refs/heads/main.        
remote: error: Changes must be made through a pull request.        
To https://github.com/make3waves/makaka
 ! [remote rejected] HEAD -> main (protected branch hook declined)
error: failed to push some refs to 'https://github.com/make3waves/makaka'
    at makeError (/home/runner/work/makaka/makaka/node_modules/execa/lib/error.js:60:11)
    at handlePromise (/home/runner/work/makaka/makaka/node_modules/execa/index.js:[118](https://github.com/make3waves/makaka/actions/runs/3426537159/jobs/5715209876#step:6:119):26)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async push (/home/runner/work/makaka/makaka/node_modules/@semantic-release/git/lib/git.js:51:3)
    at async module.exports (/home/runner/work/makaka/makaka/node_modules/@semantic-release/git/lib/prepare.js:69:5)
    at async prepare (/home/runner/work/makaka/makaka/node_modules/@semantic-release/git/index.js:28:3)
    at async validator (/home/runner/work/makaka/makaka/node_modules/semantic-release/lib/plugins/normalize.js:34:24)
    at async /home/runner/work/makaka/makaka/node_modules/semantic-release/lib/plugins/pipeline.js:37:34
    at async /home/runner/work/makaka/makaka/node_modules/semantic-release/lib/plugins/pipeline.js:31:3
    at async pluginsConf.<computed> [as prepare] (/home/runner/work/makaka/makaka/node_modules/semantic-release/lib/plugins/index.js:80:11) {
  shortMessage: 'Command failed with exit code 1: git push --tags https://github.com/make3waves/makaka HEAD:main',
  command: 'git push --tags https://github.com/make3waves/makaka HEAD:main',
  escapedCommand: 'git push --tags "https://github.com/make3waves/makaka" "HEAD:main"',
  exitCode: 1,
  signal: undefined,
  signalDescription: undefined,
  stdout: '',
  stderr: 'remote: error: GH006: Protected branch update failed for refs/heads/main.        \n' +
    'remote: error: Changes must be made through a pull request.        \n' +
    'To https://github.com/make3waves/makaka\n' +
    ' ! [remote rejected] HEAD -> main (protected branch hook declined)\n' +
    "error: failed to push some refs to 'https://github.com/make3waves/makaka'",
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false,
  pluginName: '@semantic-release/git'
}
Error: Command failed with exit code 1: git push --tags https://github.com/make3waves/makaka HEAD:main
remote: error: GH006: Protected branch update failed for refs/heads/main.        
remote: error: Changes must be made through a pull request.        
To https://github.com/make3waves/makaka
 ! [remote rejected] HEAD -> main (protected branch hook declined)
error: failed to push some refs to 'https://github.com/make3waves/makaka'
    at makeError (/home/runner/work/makaka/makaka/node_modules/execa/lib/error.js:60:11)
    at handlePromise (/home/runner/work/makaka/makaka/node_modules/execa/index.js:118:26)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async push (/home/runner/work/makaka/makaka/node_modules/@semantic-release/git/lib/git.js:51:3)
    at async module.exports (/home/runner/work/makaka/makaka/node_modules/@semantic-release/git/lib/prepare.js:69:5)
    at async prepare (/home/runner/work/makaka/makaka/node_modules/@semantic-release/git/index.js:28:3)
    at async validator (/home/runner/work/makaka/makaka/node_modules/semantic-release/lib/plugins/normalize.js:34:24)
    at async /home/runner/work/makaka/makaka/node_modules/semantic-release/lib/plugins/pipeline.js:37:34
    at async /home/runner/work/makaka/makaka/node_modules/semantic-release/lib/plugins/pipeline.js:31:3
    at async pluginsConf.<computed> [as prepare] (/home/runner/work/makaka/makaka/node_modules/semantic-release/lib/plugins/index.js:80:11) {
  shortMessage: 'Command failed with exit code 1: git push --tags https://github.com/make3waves/makaka HEAD:main',
  command: 'git push --tags https://github.com/make3waves/makaka HEAD:main',
  escapedCommand: 'git push --tags "https://github.com/make3waves/makaka" "HEAD:main"',
  exitCode: 1,
  signal: undefined,
  signalDescription: undefined,
  stdout: '',
  stderr: 'remote: error: GH006: Protected branch update failed for refs/heads/main.        \n' +
    'remote: error: Changes must be made through a pull request.        \n' +
    'To [https://github.com/make3waves/makaka\n](https://github.com/make3waves/makaka/n)' +
    ' ! [remote rejected] HEAD -> main (protected branch hook declined)\n' +
    "error: failed to push some refs to 'https://github.com/make3waves/makaka'",
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false,
  pluginName: '@semantic-release/git'
}

[KaiSchwarz-cnic]

+1

[travi]

first, consider whether you really need to make commits during your release workflow. semantic-release works well without doing so, which is a big reason we do not include the git plugin in our default configuration.

if you decide that you still want to make commits as part of your release workflow, you need to use a token from a user that has permissions to bypass your branch protection rules. your options for doing so depend on how youve configured your branch protection

[KaiSchwarz-cnic]

We noticed that using a fine grained PAT isn't possible even with

permissions:
    contents: write,
    issues: write,
    deployments: write

activated (we tried also with all permissions activated), still the tag push isn't working. On our end we need the git plugin as we push assets.

A classic token made this again possible. Not sure about the exact difference between classic and [beta] fine grained tokens, but that's what we noticed ...

[seebeen]

If you have protected branches, you need to use a PAT. (Classic or fine grained).

PAT user needs to be exempt from branch protection rules. You also need to define ENV Vars in the release step so everything matches up.

For an example workflow see this repo.