Bitbucket Pipelines cannot push to protected master branch using repository access token

Hi everyone,

I’m configuring Bitbucket Pipelines to perform automated semantic versioning and releases.

Context

  • Repository hosted on Bitbucket Cloud

  • master branch is protected:

    • Direct pushes are disabled

    • Changes must come through Pull Requests

  • This protection is intentional and should remain in place

What the pipeline does

After a PR is merged into master, the pipeline:

  1. Computes the next semantic version

  2. Updates a version file (e.g. __version__)

  3. Creates a new commit with the version bump

  4. Attempts to push that commit back to master

  5. Creates and pushes a Git tag

Authentication setup

  • Git operations use SSH (git@bitbucket.org:workspace/repo.git)

  • I’ve created a repository-level access token and exposed it to the pipeline

  • Token scopes include:

    • repository:write

    • pullrequest:write

    • pipeline:write

    • runner:write

Problem

The pipeline can:

  • Clone and fetch the repository successfully

But when it tries to push the version bump commit to master, it fails with:

remote: Permission denied to update branch master.
! [remote rejected] master -> master (pre-receive hook declined)

Questions

  1. Is it actually possible for Bitbucket Pipelines to push commits directly to a protected branch like master, even with a repository access token that has repository:write?

  2. Do repository access tokens bypass branch restrictions, or are branch restrictions always enforced regardless of token scopes?

  3. Is the intended solution to:

    • Explicitly allow the pipeline identity to bypass branch restrictions, or

    • Avoid direct pushes entirely and instead have the pipeline create and merge a release PR?

  4. Is there a recommended or cleaner approach for implementing automated version bumps on protected branches in Bitbucket Cloud?

I want to keep master protected, but still allow fully automated releases without manual intervention.

Thanks in advance for any guidance.

Best regards,
Pau

EDIT: Currently I’ve solved it by toggling branch restrictions via API in the release script, but I don’t think this is a valid permanent solution (nor an elegant one).
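Steps 1 and 2 of the pipeline above (compute the next version, rewrite the version file) as an added example in Python, chosen because the post's `__version__` file is a Python convention. This is editorial example code, not the poster's release script. It assumes, because the post does not say, that commit subjects follow Conventional Commits (`feat:`, `fix:`, a trailing `!` or a `BREAKING CHANGE` note decide the bump) and that the version file contains exactly one line of the form `__version__ = "x.y.z"`; the sample commit subjects in `__main__` are constructed.

```python
"""Next-version computation and version-file bump for the release step
described in the post.  Added example, not the poster's script.
Assumed (not stated in the post): commit subjects follow Conventional
Commits (feat:, fix:, a trailing '!' or a BREAKING CHANGE note), and the
version file holds a single line of the form __version__ = "x.y.z"."""
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
_SUBJECT_RE = re.compile(r"^(?P<type>[a-z]+)(\([^)]*\))?(?P<bang>!)?:")
_RANK = {None: 0, "patch": 1, "minor": 2, "major": 3}


def parse_version(tag: str) -> Version:
    """'v1.4.2' or '1.4.2' -> (1, 4, 2); anything else is rejected."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a semver tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def bump_kind(subjects: Iterable[str]) -> Optional[str]:
    """Highest bump implied by the commit subjects, or None when no
    release-worthy commit (docs:, chore:, ...) is present."""
    kind: Optional[str] = None
    for subject in subjects:
        m = _SUBJECT_RE.match(subject)
        if "BREAKING CHANGE" in subject or (m and m.group("bang")):
            this: Optional[str] = "major"
        elif m and m.group("type") == "feat":
            this = "minor"
        elif m and m.group("type") in ("fix", "perf"):
            this = "patch"
        else:
            this = None
        if _RANK[this] > _RANK[kind]:
            kind = this
    return kind


def next_version(current: Version, kind: Optional[str]) -> Version:
    major, minor, patch = current
    if kind == "major":
        return (major + 1, 0, 0)
    if kind == "minor":
        return (major, minor + 1, 0)
    if kind == "patch":
        return (major, minor, patch + 1)
    return current  # nothing to release: the caller should skip commit and tag


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def bump_version_file(text: str, new: Version) -> str:
    """Rewrite the __version__ line; fail loudly if it is missing or
    duplicated so the pipeline never commits a half-done bump."""
    pattern = re.compile(r'^(__version__\s*=\s*["\'])(\d+\.\d+\.\d+)(["\'])', re.M)
    new_text, count = pattern.subn(
        lambda m: f"{m.group(1)}{format_version(new)}{m.group(3)}", text)
    if count != 1:
        raise ValueError(f"expected exactly one __version__ line, found {count}")
    return new_text


def subjects_since(tag: str) -> List[str]:
    """Commit subjects between the last release tag and HEAD.  Needs the tag
    in the clone: Pipelines' default shallow clone may not have it, so set
    `clone: depth: full` in bitbucket-pipelines.yml."""
    out = subprocess.check_output(
        ["git", "log", "--format=%s", f"{tag}..HEAD"], text=True)
    return [line for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    # Constructed sample of what `git log --format=%s v1.4.2..HEAD` might return.
    sample = ["fix(parser): handle empty input", "feat(api): add /health", "docs: typo"]
    current = parse_version("v1.4.2")
    new = next_version(current, bump_kind(sample))
    print(format_version(current), "->", format_version(new))  # 1.4.2 -> 1.5.0
    print(bump_version_file('__version__ = "1.4.2"\n', new), end="")
```

In the pipeline the last tag comes from `git describe --tags --abbrev=0` and the subjects from `subjects_since(tag)`; when `bump_kind` returns `None` the script should exit without committing or tagging rather than producing an empty release.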
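The second option from question 3 (have the pipeline open and merge a release PR instead of pushing to master) as an added example against the Bitbucket Cloud 2.0 REST API; this is editorial code, not the poster's script. It assumes the bump commit has already been pushed to a branch named `release/<version>`, that the repository access token (which the post says has `pullrequest:write`) is sent as a Bearer token, and that the token is exposed to the pipeline under a variable named `RELEASE_TOKEN` (a placeholder); `BITBUCKET_WORKSPACE` and `BITBUCKET_REPO_SLUG` are set by Pipelines itself. The merge still has to pass whatever merge checks the `master` restrictions impose (required approvals, builds, unresolved tasks); the API answers those with a 4xx, which the code surfaces rather than hides. Unlike the workaround in the EDIT, this needs no `repository:admin` scope in the pipeline and never leaves `master` unprotected, even for a moment.

```python
"""Release through a pull request instead of a direct push to master, using
the Bitbucket Cloud 2.0 REST API.  Added example, not the poster's script.
Assumed: the bump commit is already on a branch named release/<version>;
the token is a repository access token with pullrequest:write, sent as a
Bearer token; RELEASE_TOKEN is a placeholder variable name.
BITBUCKET_WORKSPACE and BITBUCKET_REPO_SLUG are provided by Pipelines."""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Tuple

API = "https://api.bitbucket.org/2.0"
Request = Tuple[str, str, Dict[str, Any]]  # (method, url, json body)


def pullrequests_url(workspace: str, repo: str) -> str:
    return f"{API}/repositories/{workspace}/{repo}/pullrequests"


def create_pr_request(workspace: str, repo: str, version: str,
                      source: str, destination: str = "master") -> Request:
    body = {
        "title": f"chore(release): {version}",
        "source": {"branch": {"name": source}},
        "destination": {"branch": {"name": destination}},
        "close_source_branch": True,
    }
    return ("POST", pullrequests_url(workspace, repo), body)


def merge_pr_request(workspace: str, repo: str, pr_id: int, version: str,
                     strategy: str = "merge_commit") -> Request:
    body = {
        "type": "pullrequest",
        "message": f"Release {version}",
        "close_source_branch": True,
        "merge_strategy": strategy,  # merge_commit | squash | fast_forward
    }
    return ("POST", f"{pullrequests_url(workspace, repo)}/{pr_id}/merge", body)


def send(req: Request, token: str, timeout: int = 30) -> Dict[str, Any]:
    """Perform one JSON request with Bearer auth; 4xx/5xx become RuntimeError
    carrying the response body, which is where Bitbucket explains a refused
    merge (unmet merge checks on the destination branch)."""
    method, url, body = req
    http_req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        detail = e.read().decode(errors="replace")
        raise RuntimeError(f"{method} {url} -> {e.code}: {detail}") from e


def release(workspace: str, repo: str, version: str, token: str,
            transport: Callable[[Request, str], Dict[str, Any]] = send) -> Dict[str, Any]:
    """Open the release PR and merge it; returns the merged PR object."""
    branch = f"release/{version}"
    pr = transport(create_pr_request(workspace, repo, version, branch), token)
    merged = transport(merge_pr_request(workspace, repo, pr["id"], version), token)
    if merged.get("state") != "MERGED":
        raise RuntimeError(f"PR #{pr['id']} ended in state {merged.get('state')!r}")
    return merged


if __name__ == "__main__":
    version = sys.argv[1]
    result = release(os.environ["BITBUCKET_WORKSPACE"], os.environ["BITBUCKET_REPO_SLUG"],
                     version, os.environ["RELEASE_TOKEN"])
    print(f"merged PR #{result['id']} for {version}")
```

In the pipeline step this sits between the git work: `git checkout -b release/$VERSION`, commit the bump, `git push origin release/$VERSION` (over the SSH remote the post already uses), then `python release.py $VERSION`, and only after the merge `git fetch origin master && git tag v$VERSION origin/master && git push origin v$VERSION` so the tag lands on the commit that is actually on `master`. The `transport` parameter exists so the flow can be exercised without network access.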
