Bitbucket Pipelines cannot push to protected master branch using repository access token

Hi everyone,

I’m configuring Bitbucket Pipelines to perform automated semantic versioning and releases.

Context

  • Repository hosted on Bitbucket Cloud

  • master branch is protected:

    • Direct pushes are disabled

    • Changes must come through Pull Requests

  • This protection is intentional and should remain in place

What the pipeline does

After a PR is merged into master, the pipeline:

  1. Computes the next semantic version

  2. Updates a version file (e.g. __version__)

  3. Creates a new commit with the version bump

  4. Attempts to push that commit back to master

  5. Creates and pushes a Git tag

Authentication setup

  • Git operations use SSH (git@bitbucket.org:workspace/repo.git)

  • I’ve created a repository-level access token and exposed it to the pipeline

  • Token scopes include:

    • repository:write

    • pullrequest:write

    • pipeline:write

    • runner:write

Problem

The pipeline can:

  • Clone and fetch the repository successfully

But when it tries to push the version bump commit to master, it fails with:

remote: Permission denied to update branch master.
! [remote rejected] master -> master (pre-receive hook declined)

Questions

  1. Is it actually possible for Bitbucket Pipelines to push commits directly to a protected branch like master, even with a repository access token that has repository:write?

  2. Do repository access tokens bypass branch restrictions, or are branch restrictions always enforced regardless of token scopes?

  3. Is the intended solution to:

    • Explicitly allow the pipeline identity to bypass branch restrictions, or

    • Avoid direct pushes entirely and instead have the pipeline create and merge a release PR?

  4. Is there a recommended or cleaner approach for implementing automated version bumps on protected branches in Bitbucket Cloud?

I want to keep master protected, but still allow fully automated releases without manual intervention.

Thanks in advance for any guidance.

Best regards,
Pau

EDIT: Currently I’ve solved it by toggling branch restrictions via API in the release script, but I don’t think this is a valid permanent solution (nor an elegant one).

@PauCastellanoRioja did you end up figuring this out? I have the same issue (thank you for spelling it out so clearly)

Hi @ChaimPaperman,

There is an open issue about branch restrictions and access tokens: BCLOUD-22400.

You can try using user API tokens, as they work with branch permissions; probably the main downside is that they are tied to a user account.

Currently I’ve solved it by toggling branch restrictions via API in the release script, but I don’t think this is a valid permanent solution (nor an elegant one).

Thank you - we thought about doing that but as you mentioned it’s not a valid permanent solution.