I want to add a manual jobs to my Pull Request to tag my source branch when i run the manual jobs. This tag will trigger a build on my bitrise configuration.
However, when i'm trying to push my tag, i am facing this issue. NB: The branch i'm trying to push my tag to is NOT protected.
$ git checkout $CI_COMMIT_REF_NAME
Switched to a new branch 'feature/gitlab-ci'
Branch feature/gitlab-ci set up to track remote branch feature/gitlab-ci from origin.
$ git tag build-bitrise
$ git push --tags
remote: You are not allowed to upload code.
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.com/my-app/my-app.git/': The requested URL returned error: 403
Cleaning up file based variables
00:01
ERROR: Job failed: exit code 1
My job is doing so :
- git remote show origin
- git fetch
- git checkout $CI_COMMIT_REF_NAME
- git tag build-bitrise
- git push --tags
In my "before_scripts" step, i do :
before_script:
# Install ssh-agent through openssh-client if not present
- 'which ssh-agent || ( apt-get update -qy && apt-get install openssh-client -qqy )'
# Add the private key to this user
- eval $(ssh-agent -s) && ssh-add <(echo "$SSH_PRIVATE_KEY") && mkdir -p ~/.ssh
# Config git to avoid first usage questions. Set the identity
- git config --global user.email "my-secret-email@gmail.com" && git config --global user.name "Louis Lecocq"
Where SSH_PRIVATE_KEY is a variable that is a copy/paste of my GITLAB profile in the ENV.
Thanks for reading and your time
I think your current method is not working because it is still using https
rather than ssh
for doing the git tag
as per the error message, so isn't using your SSH_PRIVATE_KEY
:
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.com/my-app/my-app.git/': The requested URL returned error: 403
You might be able to get this working (untested) by updating the git remote
manually before you do git push --tags
, ie with:
git remote set-url origin git@gitlab.com:my-group/my-app/my-app
An alternative to using an SSH_PRIVATE_KEY
is to use an API key. You can create an personal access token with API access from https://gitlab.com/-/profile/personal_access_tokens, and then add the key to the CI/CD Variables
as API_KEY
for example.
Then in your script section, you can have something similar to:
script:
- # something to do before pushing the tag
# sometimes the remote might already exist (if using the same runner), let's just remove it and don't fail
- git remote remove https-origin || true
# add new https-origin remote which uses the API_KEY
- git remote add https-origin https://gitlab-ci-token:${API_KEY}@gitlab.com/my-group/my-app.git
# tag your build
- git tag build-bitrise
# push only the build-bitrise tag using the https-origin ref, and skip CI build
- git push https-origin -o ci.skip refs/tags/build-bitrise
NB, would recommend using a bot account for the API_KEY, otherwise the API_KEY would have the same permissions as your user, and could be leaked by other Maintainers who would be able to see the key in CI/CD Variables, etc.