问题
When executing a build for git repository giantswarm/docs-content
in CircleCI, I'd like to push a commit to another repository giantswarm/docs
.
I have this in the deployment
section of circle.yml
:
git config credential.helper cache
git config user.email "<some verified email>"
git config user.name "Github Bot"
git clone --depth 1 https://${GITHUB_PERSONAL_TOKEN}:x-oauth-basic@github.com/giantswarm/docs.git
cd docs/
git commit --allow-empty -m "Trigger build and publishing via docs-content"
git push -u origin master
This fails in the very last command with this error message:
ERROR: The key you are authenticating with has been marked as read only.
fatal: Could not read from remote repository.
The GITHUB_PERSONAL_TOKEN
environment variable is set to a user's personal access token, which has been created with repo
scope to access the private repo giantswarm/docs
. In addition, I added the user to a team that has admin permissions for that repo.
That series of commands works just fine when I execute it in a fresh Ubuntu VM. Any idea why it doesn't on CircleCI?
回答1:
I've used
git push -q https://${GITHUB_PERSONAL_TOKEN}@github.com/<user>/<repo>.git master
and it worked. Update it to be:
# Push changes
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "<user-name>"
git add .
git commit -m "Update via CircleCI"
# Push quietly to prevent showing the token in log
git push -q https://${GITHUB_PERSONAL_TOKEN}@github.com/giantswarm/docs.git master
回答2:
Thanks to the hint by Ali Amin I now have this working solution:
version: 2
jobs:
build:
machine: true
steps:
- run:
name: Clone docs
working_directory: ~/workdir
command: |
git clone --depth 1 https://${DOCS_GITHUB_TOKEN}@github.com/giantswarm/docs.git
- deploy:
name: Trigger docs deployment
working_directory: ~/workdir/docs
command: |
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "Deployment Bot"
git commit --allow-empty -m "Trigger deployment"
# Push quietly to prevent showing the token in log
git push -q https://${DOCS_GITHUB_TOKEN}@github.com/giantswarm/docs.git master
Some notes:
- The
git clone
is first. - All subsequent
git
commands have to be executed in the clone directory.working_directory
simplifies this a great deal. - The token
DOCS_GITHUB_TOKEN
is a personal access token withrepo
scope for the target repository.
回答3:
Although embedding the token into the command works for this case it might not work for all cases and doesn't answer the question.
Other cases would include scripts that dont expose direct access to the
git
command. They rely on theGH_TOKEN
variable being set and you wouldn't be able to inject it as in the example.It doesn't answer the question:
Any idea why it doesn't on CircleCI?
On CircleCI support forum there is an answer about this:
https://support.circleci.com/hc/en-us/articles/360018860473-How-to-push-a-commit-back-to-the-same-repository-as-part-of-the-CircleCI-job
Running git push results in "ERROR: The key you are authenticating with has been marked as read only."
The deploy key that the project is configured with, by default when you add a project on CircleCI, only has read access, so a key with write permissions needs to be configured to be used, to avoid the above error message. Please ensure that a user key or a read-write deployment key has been configured for the project
https://circleci.com/docs/2.0/gh-bb-integration/#creating-a-github-deploy-key
After going through this process you should have a deploy key with write permissions that allows the push.
来源:https://stackoverflow.com/questions/44773415/how-to-push-a-commit-to-github-from-a-circleci-build-using-a-personal-access-tok