Protected branch with PR requirement prevents release

For anybody using GitHub Actions, you need to set the token option of the actions/checkout action so that GitHub would authorize local Git with the necessary push permissions.

- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0
    token: ${{ secrets.CI_GITHUB_TOKEN }}

Your CI_GITHUB_TOKEN secret should equal your GitHub Personal Access Token with the repo permissions scope. That scope would authorize pushes to protected branches, given you don’t have “Include administrators” set in the protected branch’s settings.

• Creating encrypted secrets on GitHub

@Ninerian, the situation we have which I think it’s similar to yours is this one:

• We have protected branch rules enabled (like having 2 reviewers per each commit and do not commit directly to master if it’s not via a PR). The protected branch is, at the same time, the release branch for semantic-release. (i.e: master)

• We want semantic-release to update files when the new version is calculated. (In our case we do update package.json and CHANGELOG.md file). In order to do this you need to provide a GITHUB_TOKEN with write permissions.

You will still get the issue you described before.

[9:32:50 AM] [semantic-release] › ✖  An error occurred while running semantic-release: { Error: Command failed: git push --tags https://[secure]@github.com/**/service.git HEAD:master
remote: error: GH006: Protected branch update failed for refs/heads/master.        
remote: error: At least 1 approving review is required by reviewers with write access.        
To https://github.com/**/service.git
 ! [remote rejected] HEAD -> master (protected branch hook declined)
error: failed to push some refs to 'https://[secure]@github.com/**/service.git'

In the perfect world, we would be able to tell Github, please bypass this type of checking for specific non-admin users (like a bot) but that’s something Github doesn’t support so far. I have confirmed it with support:

The way we workaround this was by assigning the bot as Owner. By doing this it do has the power to bypass the protected branch rules (because it’s considered an admin).

The good thing is that the GITHUB_TOKEN we generated for doing this kind of commit doesn’t have any crazy permission like deleting repo or such so we should be OK.

Hope this is useful to you too and helps u with semantic-release integration on your protected branch.