I have a protected master branch on my GitLab project.
I'm using this Docker image:
```dockerfile
FROM node:21-alpine
RUN apk --update --no-cache add git
ENV JAVA_HOME /usr/lib/jvm/java-17-openjdk
ENV PATH $PATH:$JAVA_HOME/bin
ENV MAVEN_HOME /usr/share/maven
ENV MAVEN_VERSION 3.9.6
RUN apk --no-cache add openjdk17-jdk --repository=https://adoptopenjdk.jfrog.io/adoptopenjdk/alpine/
RUN wget -q "https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" -O /tmp/apache-maven.tar.gz && \
    tar xzf /tmp/apache-maven.tar.gz -C /usr/share/ && \
    ln -s /usr/share/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/bin/mvn && \
    rm -f /tmp/apache-maven.tar.gz
RUN npm install -g semantic-release conventional-changelog-conventionalcommits @semantic-release/git @semantic-release/gitlab @semantic-release/exec
CMD ["mvn"]
```
And I'm using this config:
```
{
  "branches": ["master"],
  "plugins": [
    [ "@semantic-release/commit-analyzer", {
      "preset": "conventionalcommits",
    }],
    "@semantic-release/release-notes-generator",
    [ "@semantic-release/exec", {
      "verifyReleaseCmd": 'mvn versions:set -DnewVersion="${nextRelease.version}" && echo "NEXT_VERSION=${nextRelease.version}" >> build.env',
    }],
    ["@semantic-release/git", {
      "assets": ["pom.xml"],
      "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
    }],
    "@semantic-release/gitlab"
  ]
}
```
Without the @semantic-release/git module it is working fine. The tag is created and pushed to the master branch.
But it seems the module cannot push the assets to the master branch.
```
[1:04:43 PM] [semantic-release] [@semantic-release/git] › ℹ Found 1 file(s) to commit
[1:04:44 PM] [semantic-release] › ✘ Failed step "prepare" of plugin "@semantic-release/git"
[1:04:44 PM] [semantic-release] › ✘ An error occurred while running semantic-release: Error: Command failed with exit code 1: git push --tags https://gitlab-ci-token:[secure]@mygitlab.com/myproject.git HEAD:master
remote: GitLab: You are not allowed to push code to protected branches on this project.
```
Adding a printenv in the script, I can see my GITLAB_TOKEN variable with my token.
But I don't understand if it's really possible to push to master with a personal access token?
I also tried removing the GITLAB_TOKEN from the project variables and adding:
```yaml
before_script:
  - export GITLAB_TOKEN="$CI_JOB_TOKEN"
  - export GITLAB_URL="$CI_SERVER_URL"
```
Now the printenv still shows me the variable:
```
GITLAB_TOKEN=[MASKED]
```
But it is still not working (for another reason).
The GitLab token (https://github.com/semantic-release/gitlab/blob/master/README.md#gitlab-authentication) configured in the GL_TOKEN or GITLAB_TOKEN environment variable must be a valid personal access token
I don't want to unprotect my master branch. So what's the solution?
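
As an added example (not part of the original issue or of the semantic-release project): a preflight check that explains the "not allowed to push code to protected branches" rejection by comparing the branch's allowed-to-push rules with the role of the identity behind the token, so the branch can stay protected while only the release identity is granted push. It assumes input shaped like GitLab's protected-branches and project-members API responses; all sample data is constructed, and group and deploy-key rules are not evaluated.

```python
# Added example. Sample data below is constructed, shaped like GitLab's
# protected-branches and project-members API responses (an assumption).

def can_push(protected_branch, member):
    """Return (allowed, reason) for a push to a protected branch.

    protected_branch: like GET /projects/:id/protected_branches/:name
    member: like GET /projects/:id/members/all/:user_id (the token's identity)
    """
    for rule in protected_branch.get("push_access_levels", []):
        desc = rule.get("access_level_description", "unnamed rule")
        if rule.get("user_id") is not None:
            # Per-user rule: applies to exactly one account.
            if rule["user_id"] == member["id"]:
                return True, f"user rule: {desc}"
            continue
        level = rule.get("access_level")
        if level is None or level == 0:
            # None: group or deploy-key rule (not evaluated here); 0: "No one".
            continue
        if member["access_level"] >= level:
            return True, f"role rule: {desc}"
    return False, "no allowed-to-push rule matches this identity"


# Constructed sample: master lets only Maintainers (40) push.
MASTER = {"name": "master", "push_access_levels": [
    {"access_level": 40, "access_level_description": "Maintainers"}]}
# Constructed sample: pushes blocked by role, one release account allowed.
MASTER_LOCKED = {"name": "master", "push_access_levels": [
    {"access_level": 0, "access_level_description": "No one"},
    {"access_level": None, "user_id": 101,
     "access_level_description": "release-bot"}]}

DEVELOPER = {"id": 7, "username": "ci-user", "access_level": 30}
MAINTAINER = {"id": 8, "username": "lead", "access_level": 40}
RELEASE_BOT = {"id": 101, "username": "release-bot", "access_level": 30}

if __name__ == "__main__":
    for branch, who in [(MASTER, DEVELOPER), (MASTER, MAINTAINER),
                        (MASTER_LOCKED, MAINTAINER), (MASTER_LOCKED, RELEASE_BOT)]:
        print(who["username"], "->", can_push(branch, who))
```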