ahmetcetin

Reputation: 2970

How to give write permission only to bitbucket-pipelines user in bitbucket

Before adding branch protection to the develop branch, the bitbucket-pipelines user was automatically committing the version change into the develop branch at the end of release.

After adding the branch protection, release fails since bitbucket-pipelines doesn't have the permission to write to the branch. Here is the error:

+ git push && git push --tags
remote: Permission denied to update branch develop.
To http://bitbucket.org/team_name/repo_name
 ! [remote rejected] develop -> develop (pre-receive hook declined)
error: failed to push some refs to 'http://bitbucket.org/team_name/repo_name'

Here is the bitbucket-pipelines.yml file:

pipelines:
  branches:
    develop:
      - step:
          name: test
          script:
            - npm install
            - npm run tsc
            - npm test
      - step:
          name: release
          trigger: manual
          caches:
            - node
          script:
            - npm install
            - npm run tsc
            - npm publish
            - npm version minor -m "Upgrade to %s [skip ci]"
            - git push && git push --tags

I tried to give the bitbucket-pipelines user permission to write; however, I am not able to do that, as the user name doesn't appear:

Can't find user.

Is there a way to allow this user to commit even though there is a branch protection, or is it possible to give this user permission to write?

Thanks in advance.

Upvotes: 4

Views: 5298

Answers (2)

HannTheSolo

Reputation: 1

Here are the steps:

In Bitbucket, go to Settings > Workspace Settings > OAuth consumers and create a temporary consumer with Admin permission to the repositories (this is only used in the following steps, just to make the push-back hack work for restricted branches).

  1. Retrieve Access Token

export access_token=$(curl -s -X POST -u "<client_id>:<client_secret>" \
  https://bitbucket.org/site/oauth2/access_token \
  -d grant_type=client_credentials -d scopes="repository" | jq --raw-output '.access_token')

Replace <client_id> and <client_secret> with your OAuth consumer credentials.

  2. Get Branch Restrictions

curl --request GET \
  --url 'https://api.bitbucket.org/2.0/repositories/<workspace>/<repo>/branch-restrictions' \
  --header "Authorization: Bearer ${access_token}" \
  --header 'Accept: application/json'

Replace <workspace> and <repo> accordingly. It will print out a JSON response of all available branch restrictions for the repository. Find the branch and restriction_id for which to make the next changes.

  3. Update Branch Restriction

curl --request PUT \
  --url 'https://api.bitbucket.org/2.0/repositories/<workspace>/<repo>/branch-restrictions/<restriction_id>' \
  --header "Authorization: Bearer ${access_token}" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{
    "type": "branchrestriction",
    "users": [ { "type": "user", "username": "<username>" } ],
    "groups": []
  }'

Replace <workspace>, <repo>, <restriction_id>, and <username> as needed.

Funny thing here is that, in username, you can actually specify the workspace name, which will add your workspace "user" to the restrictions and pushback will work as intended.

Upvotes: 0
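
An added example, not part of the answer above: the PUT body there lists a single user and an empty group list, so this sketch selects the push restriction for one branch from the step 2 output and builds a body that keeps the existing exemptions and adds only the pipeline account. The response field names (`values`, `id`, `kind`, `pattern`, `users`, `groups`), the assumption that the PUT sets the exemption lists to exactly what is sent, and the user name `pipelines-bot` are assumptions; the sample response is constructed.

```python
import json

# Constructed sample of a GET .../branch-restrictions response (not real data).
# Field names (values, id, kind, pattern, users, groups) are assumptions about
# the Bitbucket Cloud 2.0 API; check them against your own step 2 output.
SAMPLE_RESPONSE = json.loads("""
{"values": [
  {"id": 101, "type": "branchrestriction", "kind": "force", "pattern": "develop",
   "users": [], "groups": []},
  {"id": 102, "type": "branchrestriction", "kind": "push", "pattern": "develop",
   "users": [{"type": "user", "username": "release-manager"}], "groups": []},
  {"id": 103, "type": "branchrestriction", "kind": "push", "pattern": "master",
   "users": [], "groups": []}
]}
""")


def find_push_restriction(response, branch):
    """Return the single 'push' restriction whose pattern is exactly `branch`."""
    matches = [r for r in response.get("values", [])
               if r.get("kind") == "push" and r.get("pattern") == branch]
    if len(matches) != 1:
        raise LookupError(f"expected 1 push restriction on {branch!r}, found {len(matches)}")
    return matches[0]


def build_update(restriction, username):
    """Build the PUT body: keep current exemptions, add `username` once."""
    users = [dict(u) for u in restriction.get("users", [])]
    if username not in {u.get("username") for u in users}:
        users.append({"type": "user", "username": username})
    return {"type": "branchrestriction", "users": users,
            "groups": list(restriction.get("groups", []))}


def plan(response, branch, username):
    """Return (restriction_id, JSON body) for the update step."""
    r = find_push_restriction(response, branch)
    return r["id"], json.dumps(build_update(r, username), sort_keys=True)


if __name__ == "__main__":
    rid, body = plan(SAMPLE_RESPONSE, "develop", "pipelines-bot")  # hypothetical user
    print(f"PUT .../branch-restrictions/{rid}")
    print(body)
```

Reviewing the printed body before sending it shows exactly which accounts will be exempt from the push restriction after the update.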

ThiagoAlves

Reputation: 898

You need to create a "bot" user, then click on its avatar, choose a workspace, click Settings > OAuth consumers > Add consumer, then use the client ID and secret in your pipeline config:

# Get an oauth access token using the client credentials, parsing out the token with jq.
- apt-get update && apt-get install -y curl jq
- >
  export access_token=$(curl -s -X POST -u "${CLIENT_ID}:${CLIENT_SECRET}" \
    https://bitbucket.org/site/oauth2/access_token \
    -d grant_type=client_credentials -d scopes="repository"| jq --raw-output '.access_token')

# Configure git to use the oauth token.
- git remote set-url origin "https://x-token-auth:${access_token}@bitbucket.org/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}"

# Make changes and commit back.
- echo "Made a change in build ${BITBUCKET_BUILD_NUMBER}" >> changes.txt
- git add changes.txt
- git commit -m "[skip ci] Updating changes.txt with latest build number."
- git push

More info: https://support.atlassian.com/bitbucket-cloud/docs/push-back-to-your-repository/

Upvotes: 3
