When executing a build for git repository giantswarm/docs-content in CircleCI, I'd like to push a commit to another repository giantswarm/docs.

I have this in the deployment section of circle.yml:

git config credential.helper cache
git config user.email "<some verified email>"
git config user.name "Github Bot"
git clone --depth 1 https://${GITHUB_PERSONAL_TOKEN}:x-oauth-basic@github.com/giantswarm/docs.git
cd docs/
git commit --allow-empty -m "Trigger build and publishing via docs-content"
git push -u origin master

This fails in the very last command with this error message:

ERROR: The key you are authenticating with has been marked as read only.
fatal: Could not read from remote repository.

The GITHUB_PERSONAL_TOKEN environment variable is set to a user's personal access token, which has been created with repo scope to access the private repo giantswarm/docs. In addition, I added the user to a team that has admin permissions for that repo.

That series of commands works just fine when I execute it in a fresh Ubuntu VM. Any idea why it doesn't on CircleCI?

I've used

git push -q https://${GITHUB_PERSONAL_TOKEN}@github.com/<user>/<repo>.git master

and it worked. Update it to be:

# Push changes
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "<user-name>"
git add .
git commit -m "Update via CircleCI"
# Push quietly to prevent showing the token in log
git push -q https://${GITHUB_PERSONAL_TOKEN}@github.com/giantswarm/docs.git master

Thanks to the hint by Ali Amin I now have this working solution:

version: 2
jobs:
  build:
    machine: true
    steps:
      - run:
          name: Clone docs
          working_directory: ~/workdir
          command: |
            git clone --depth 1 https://${DOCS_GITHUB_TOKEN}@github.com/giantswarm/docs.git
      - deploy:
          name: Trigger docs deployment
          working_directory: ~/workdir/docs
          command: |
            git config credential.helper 'cache --timeout=120'
            git config user.email "<email>"
            git config user.name "Deployment Bot"
            git commit --allow-empty -m "Trigger deployment"
            # Push quietly to prevent showing the token in log
            git push -q https://${DOCS_GITHUB_TOKEN}@github.com/giantswarm/docs.git master

Some notes:

• The git clone is first.
• All subsequent git commands have to be executed in the clone directory. working_directory simplifies this a great deal.
• The token DOCS_GITHUB_TOKEN is a personal access token with repo scope for the target repository.

Although embedding the token into the command works for this case it might not work for all cases and doesn't answer the question.

1. Other cases would include scripts that dont expose direct access to the git command. They rely on the GH_TOKEN variable being set and you wouldn't be able to inject it as in the example.

2. It doesn't answer the question:

Any idea why it doesn't on CircleCI?

On CircleCI support forum there is an answer about this:

https://support.circleci.com/hc/en-us/articles/360018860473-How-to-push-a-commit-back-to-the-same-repository-as-part-of-the-CircleCI-job

Running git push results in "ERROR: The key you are authenticating with has been marked as read only."

The deploy key that the project is configured with, by default when you add a project on CircleCI, only has read access, so a key with write permissions needs to be configured to be used, to avoid the above error message. Please ensure that a user key or a read-write deployment key has been configured for the project

https://circleci.com/docs/2.0/gh-bb-integration/#creating-a-github-deploy-key

After going through this process you should have a deploy key with write permissions that allows the push.