Push tag to Stash for successfull build in Jenkins fails with code 128 and error “Insufficient permissions”

Question

I want to push tag for code revision for every successful build from Jenkins CI.

How my job looks

1. I have "Source Code Management" setup to use git in form

   1.1 Repository URL : ssh://git@:7999//.git

   1.2 Credentials : my ssh name / my ssh key

   1.2.1 I use Credentials plugin to store name and key

   1.3 Name : repoName

   1.4 Repository viewer : stash

   1.4.1 URL : http://:7990/projects//repos/

   1.5 As additional bahavior I have "Clean before checkout" option

2. I have post build step "Git publisher"

   2.1 "Push Only If Build Succeeds" checked

   2.2 "Tag to push" $BUILD_NUMBER

   2.3 "Target remote name" repoName (as in 1.3 step as I read in instruction to setup successfull build code tagging)

My code is successfully checked out (via repo clone), built but job fails on tag pusshing into repo with error

 > /usr/bin/git tag -l 176 # timeout=10
 > /usr/bin/git tag -a -f -m Jenkins Git plugin tagging with 176 176 # timeout=10
Pushing tag 176 to repo repoName
using GIT_SSH to set credentials 
 > /usr/bin/git --version # timeout=10
 > /usr/bin/git -c core.askpass=true push ssh://git@<repo url>:7999/<project>/<repo>.git 176
ERROR: Failed to push tag 176 to repoName
hudson.plugins.git.GitException: Command "/usr/bin/git -c core.askpass=true push ssh://git@<repo url>:7999/<project>/<repo>.git 176" returned status code 128:
stdout: 
stderr: fatal: remote error: Insufficient permissions
You do not have permission to push to the repository <repo> in project <project>
fatal: Could not read from remote repository.

But same using GIT_SSH to set credentials call setup rights successfull to repo clone at job beginning.

I found some posts in web and questions here describing the same issues but it is not clear for me why I should manually setup ssh keys for git in job which starts from successfull repo cloning with using my key.

Does anyone help me point out how to tell git to use for tag push same key as it does for repo clone?

Update 1: I login into build (slave) machine, checked tags and found all of them

user@machine:~/workspace/Build$ git tag
1.0
1.0.1
1.1
1.2
1.2.1
1.3
1.3.1
1.3.2
1.3.3
164
165
166
167
168
169
170
171
172
173
174
175
176
177
180
181
182
183
184
2.0.0
2.1.0
2.2.0
2.2.1
2.3.0
2.3.1
jenkins-Build-166
jenkins-Build-169
jenkins-Build-170
user@machine:~/workspace/Build$

and I tried to push it

sk@mgc-cranberry:~/workspace/CranberryPackageBuild$ git push origin 184
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
sk@mgc-cranberry:~/workspace/CranberryPackageBuild$

And also I tried command /usr/bin/git -c core.askpass=true push ssh://git@<repo url>:7999/<project>/<repo>.git 176 and got same result.

Update 2: I also found issue Git Publisher does not use Credentials describing same behavior but my versions are newer that ones where the issue has been fixed. I think the issue is in my config but at the moment I'm not able to identify root cause of it. So, ideas are welcome!

So, I still do not understand why Git Publisher plugin do not pick up authorization from clonning at job start.

Answer 1

It looks like whatever account (SSH key) the git push command is using is not one that can write to the repo. You'll need to check that and change accordingly (either by giving that key access in Stash, or using one that has access already).

I'd start by verifying that the key you provided is the one being used by the git command. I suspect this isn't picked up automatically if you're writing your own custom git commands outside of the git repo plugin's remit.