How to grant branch permissions to OAuth consumer?

I have a Bitbucket Pipelines script that wants to push some changes back to the master branch.

If branch permissions are enabled (which I have), OAuth seems to be the preferred way to do that (see docs on pushing back using alternative authentication methods). So I set up an OAuth consumer for my org workspace but unfortunately, my script fails with "Permission denied to update branch master".

The OAuth consumer has read/write permission to the repository but I cannot select it in the branch permission settings to allow write access. I have also tried to select Administrators without success.

If I set the write branch permission to Everyone it obviously works.

Does anyone know a way to make this work? Did I understand the docs on pushing back using alternative authentication methods wrongly?

Hey @tbinna

I have reached out to the product team. They should get back to you soon.

Thanks.

1 Like

Hey @tbinna,
unfortunately there is no really good answer to this problem yet.
There are some options, but they are not great:

  • create an app password and inject that into the build to push back to the repo. The risk here is that someone could extract it from your build and use the app password to access other repositories and data (since the app password can access the same data that your user can access - but respecting the configured scopes for the app password).
  • create a separate Bitbucket user that you treat as a bot user, that only has access to that repository. You can then use that bot user (e.g. through an app password) to push back to the repo.

We have a couple of feature requests open that would improve this:

1 Like
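The second workaround above (a dedicated bot user with an app password, granted write access to master through a group listed in the branch permissions) as an added example of a `bitbucket-pipelines.yml`; this is not code from the thread or from Atlassian. It assumes two secured repository variables, `BOT_USER` and `BOT_APP_PASSWORD`, and a hypothetical `./generate-files.sh` that produces the changes to push; `BITBUCKET_WORKSPACE` and `BITBUCKET_REPO_SLUG` are default Pipelines variables.

```yaml
# bitbucket-pipelines.yml (added example, not from the thread)
#
# Assumed secured repository variables (Repository settings > Repository variables):
#   BOT_USER          username of a separate bot account that only has access to
#                     this repository and belongs to a group allowed to write to
#                     master in Branch permissions
#   BOT_APP_PASSWORD  app password for that bot, scoped to repository:write only
# Secured variables are masked in the build log and are never committed to the repo.
pipelines:
  default:
    - step:
        name: Build and push generated files back to master
        script:
          - git config user.name "pipelines-bot"
          - git config user.email "pipelines-bot@example.invalid"
          - ./generate-files.sh          # hypothetical script that changes tracked files
          - git add -A
          # Nothing to commit is not a failure: exit the step successfully.
          - git commit -m "chore: regenerate files [skip ci]" || exit 0
          # Push over HTTPS as the bot user rather than the triggering user, so the
          # branch permission check sees an account you deliberately allowed.
          # "[skip ci]" keeps this push from re-triggering the same pipeline.
          - git push "https://${BOT_USER}:${BOT_APP_PASSWORD}@bitbucket.org/${BITBUCKET_WORKSPACE}/${BITBUCKET_REPO_SLUG}.git" HEAD:master
```

The exposure of the app password is then limited to that one repository, which is the point of the bot-user option over a personal app password.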

I don’t understand this answer at all; the docs that tbinna linked specifically say to use OAuth Consumers in this case:

If your repository has branch permissions enabled and you can’t commit back using the default configured HTTP origin, or you want to commit using a ‘Bot’ account or another authentication method, you have a few options. We recommend using OAuth above all other methods, for security and compatibility with the HTTP origin.

If branch permissions prevent this from working, what is the point of this documentation?

1 Like