Bitbucket Cloud Pipelines Error: "[remote rejected] HEAD -> master (pre-receive hook declined)"
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
When using Bitbucket Cloud Pipelines, a 'git push' to the cloned repo from a build step may fail with the following error message:
+ git push origin HEAD:master
remote: Permission denied to update branch master.
! [remote rejected] HEAD -> master (pre-receive hook declined)
error: failed to push some refs to
Environment
Bitbucket Cloud Pipelines
Cause
The branch permissions feature validates whether the user who is trying to push a commit has write permission on the targeted branch (for example, master). Only specific users may have been given write access under branch permissions.
In the following example, the user "John Smith" has been granted write permission on the master branch.
If the pipeline is started by the user 'John Smith' (through a commit push on the master branch, by opening a pull request from the master branch, or through a manual trigger of a pipeline build on the master branch), the script command 'git push origin HEAD:master' will write changes to the restricted branch without any errors. This is due to the branch permission settings, which grant user 'John Smith' write permission on the master branch.

However, if the pipeline is triggered by a different user who does not have write permission on the master branch, the pipeline will fail with the error "[remote rejected] HEAD -> master (pre-receive hook declined)". As shown in the below screenshot, the user "Maria Adams" does not have write access to the "master" branch, resulting in a push error.

Solution
Branch permissions are essential for enforcing workflows and preventing unwanted changes or deletions in the codebase. Bitbucket Cloud offers a simple method for controlling which users and groups can write to or merge a specific branch.
Granting write permissions to all pipeline users would violate this rule. "git push" attempts to restricted branches are always verified. However, users with write access to restricted branches can still generate an SSH key from Pipeline settings, copy the public key to their personal accounts, and thereby allow all Pipeline users to perform "git push" to restricted branches as part of pipeline build steps.

Adding the Pipelines-generated public key to user accounts may unnecessarily grant access to other repositories as well. Using the 'git remote set-url' command, a build step can change the remote URL and perform a --force push to other repositories. Hence, it's not recommended to share the public key from personal accounts in the pipelines. Also, it is recommended to enable branch permissions with history rewrite disabled where required.
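A build step can report this rejection clearly, so the failure points at branch permissions rather than prompting key sharing. The shell functions below are an added example, not Atlassian's code: `classify_push_output` and `guarded_push` are hypothetical names, the sample output is constructed from the error quoted in this article, and BITBUCKET_STEP_TRIGGERER_UUID is the Pipelines default variable for who started the build.

```shell
#!/bin/sh
# Added example, not Atlassian's code. Classifies `git push` output so a
# pipeline step can report a branch-permission rejection distinctly.

# Constructed sample: the rejection output quoted in this article.
SAMPLE_REJECTED='remote: Permission denied to update branch master.
! [remote rejected] HEAD -> master (pre-receive hook declined)
error: failed to push some refs to'

# Reads push output on stdin; prints one of:
#   branch-permission:<branch> | hook-declined | push-failed | ok
classify_push_output() {
  out=$(cat)
  denied='^remote: Permission denied to update branch \(.*\)\.$'
  if printf '%s\n' "$out" | grep -q 'pre-receive hook declined'; then
    # The "Permission denied" line names the restricted branch.
    branch=$(printf '%s\n' "$out" | sed -n "s/$denied/\1/p" | head -n 1)
    if [ -n "$branch" ]; then
      echo "branch-permission:$branch"
    else
      echo "hook-declined"   # rejected by the server for another reason
    fi
  elif printf '%s\n' "$out" | grep -q 'failed to push some refs'; then
    echo "push-failed"
  else
    echo "ok"
  fi
}

# Hypothetical wrapper for a step script: push, then explain the failure.
guarded_push() {
  target=$1
  # Capture the exit code without tripping `set -e` in the step script.
  if out=$(git push origin "HEAD:$target" 2>&1); then rc=0; else rc=$?; fi
  printf '%s\n' "$out"
  verdict=$(printf '%s\n' "$out" | classify_push_output)
  case $verdict in
    branch-permission:*)
      echo "Push blocked by branch permissions on '${verdict#*:}'." >&2
      echo "Triggered by: ${BITBUCKET_STEP_TRIGGERER_UUID:-unknown}." >&2
      echo "Re-run as a user with write access; do not share SSH keys." >&2
      return 3 ;;
  esac
  return "$rc"
}
```

In a step script, source these functions and call `guarded_push master` in place of the bare 'git push origin HEAD:master'.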
If you are still encountering issues with pushing to your repository in Bitbucket Cloud Pipelines after following the steps within this article, please feel free to raise a support ticket or raise a community support ticket for further assistance.