morewry

Reputation: 4448

How to allow automated CI processes to push commits with Github branch protections?

Github added branch protections a while back and recently added another option for requiring reviews.

I tried out requiring reviews and status checks (except for administrators) and liked the workflow. But it has a negative impact on our CI/deployment tool.

For example, when we release a new version, there is an automated process in the CI environment that increments the version number in package.json, commits it, and pushes it to the repository. There are a few processes like this, such as clean up tasks.

[Image: Example branch protection for master]

These automated processes don't need reviews or passing status checks (the status checks have already been run at least twice as part of the deployment pipeline by that point). After enabling the branch protections, however, the CI "user" can't push.

remote: error: GH006: Protected branch update failed for refs/heads/master. 
remote: error: Required status check "default" is expected. At least one approved review is required

Previously our CI "user" had "write" permissions. I tried giving it "admin" permissions to the repo I was trying this out on, but that's clearly not sufficient; even as an admin, the CI "user" can't push.

In the picture above I tried removing "reviews", hoping the status checks would be fine without further work. Nope!

What I'd ideally like is for the CI "user" to be exempted from these requirements. It doesn't look like that is a feature. Which may mean my only other option is turning most of the protections off, including some of the ones I want.

But there may be some update or change I could make to the existing CI pipeline--or some configuration of protections I could create--that would have this end result:

Anyone done a similar setup or know how to get around the CI "user" being blocked? Since obviously the CI "user" can't physically navigate to a pull request on Github.com and check the box next to "Use your administrator privileges to merge this pull request." Is there a CLI flag for --usemyadminprivilegestopushthis?

Upvotes: 13

Views: 3929

Answers (1)

morewry

Reputation: 4448

I did not actually find out why I was getting the failures; I later couldn't reproduce the problem with the same configuration.

The next day, what worked is what I described.

  1. Protect the branch

  2. But do NOT include administrators for reviews/status checks

  3. Ensure your CI "user" is an administrator

The nice thing about this is the Github UI still encourages administrators to wait for status checks and reviews. This is useful in pull request workflows. CLI use, however, is unaffected for administrators aside from not being able to force push or delete--the desired outcome.

If anyone has tips for setups that only require write instead of admin access, or info on how status/review check success is tracked across multiple requests, please share them.

(I believe in my case the CI config was pointing to the wrong repo. It began working the next day, and someone mentioned resetting the config, though I unfortunately couldn't confirm that this applied to every single failure from the info in our logs.)

Upvotes: 5
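As an added illustration of the setup in the answer (not code from the question, the answer, or GitHub): a Python model of the branch-protection payload GitHub's REST API accepts for `PUT /repos/{owner}/{repo}/branches/{branch}/protection` (the field names `enforce_admins`, `required_status_checks`, `required_pull_request_reviews`, `allow_force_pushes` and `allow_deletions` are GitHub's), plus two hypothetical helpers: one that predicts whether a direct push from the CI account goes through under a given protection, and one that parses the GH006 rejection lines quoted in the question so a pipeline can report which requirement blocked it.

```python
def build_protection(required_checks, required_reviews=1, enforce_admins=False):
    """Protection payload matching the answer's three steps: branch protected,
    reviews and status checks required, administrators NOT included
    (enforce_admins=False), force push and delete still disabled."""
    return {
        "required_status_checks": {"strict": True, "contexts": list(required_checks)},
        "enforce_admins": enforce_admins,
        "required_pull_request_reviews": {
            "required_approving_review_count": required_reviews
        },
        "restrictions": None,          # no push-restriction allowlist
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def direct_push_allowed(protection, *, is_admin):
    """Hypothetical model of GitHub's decision for a plain `git push` (no PR).
    A push is gated when any check or review is required; only an admin
    escapes the gate, and only while enforce_admins is off."""
    needs_checks = bool(protection["required_status_checks"]["contexts"])
    needs_reviews = protection["required_pull_request_reviews"] is not None
    if not (needs_checks or needs_reviews):
        return True
    return is_admin and not protection["enforce_admins"]


def blocked_requirements(git_stderr):
    """Parse the 'remote: error: GH006' lines git prints when a protected
    branch rejects a push, returning the requirements that were unmet."""
    if "GH006" not in git_stderr:
        return []
    unmet = []
    if "Required status check" in git_stderr:
        unmet.append("status check")
    if "approved review is required" in git_stderr:
        unmet.append("review")
    return unmet


# Constructed sample: the rejection text from the question, as git shows it.
SAMPLE_STDERR = (
    "remote: error: GH006: Protected branch update failed for refs/heads/master.\n"
    "remote: error: Required status check \"default\" is expected. "
    "At least one approved review is required\n"
)

if __name__ == "__main__":
    prot = build_protection(["default"])
    print("CI admin push allowed:", direct_push_allowed(prot, is_admin=True))
    print("blocked by:", blocked_requirements(SAMPLE_STDERR))
```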
