This error occurs when you try to push directly to a protected branch on GitHub. Branch protection rules require changes to go through pull requests with reviews and passing status checks.
When you push to a GitHub repository and receive the GH006 error, it means the target branch has protection rules enabled that prevent direct pushes. GitHub's branch protection is a feature designed to enforce code quality and team collaboration by requiring: - Pull requests instead of direct commits - Passing CI/CD status checks - Required code reviews from designated reviewers - Signed commits or linear history This error is GitHub doing its job—protecting your codebase from accidental or unauthorized changes. The `refs/heads/main` in the error message indicates which branch triggered the protection (commonly main, master, or release branches). This error commonly appears when: - Developers forget they're working on a protected branch - CI/CD pipelines try to push commits directly (like version bumps or changelog updates) - Git hooks or automation attempt to push without proper authentication - New team members aren't familiar with the repository's workflow
The standard solution is to use a pull request workflow:
# Create a feature branch
git checkout -b feature/your-changes
# Make your changes and commit
git add .
git commit -m "Your changes"
# Push the feature branch
git push -u origin feature/your-changesThen create a pull request on GitHub to merge your changes into the protected branch. This allows code review and CI checks to run.
If you have admin access, review the protection rules:
1. Go to your repository on GitHub
2. Navigate to Settings > Branches
3. Under "Branch protection rules", find your branch (e.g., main)
4. Click Edit to review current protections
Common protections that block direct pushes:
- "Require a pull request before merging"
- "Require status checks to pass before merging"
- "Require approvals"
- "Do not allow bypassing the above settings"
If certain users need direct push access (use sparingly):
1. Go to Settings > Branches > Edit your branch rule
2. Find "Allow specified actors to bypass required pull requests"
3. Add the user or team that needs bypass access
4. Click Save changes
Warning: This reduces protection. Only grant bypass access when absolutely necessary, and prefer the pull request workflow.
For GitHub Actions that need to push (like version bumps):
Option 1: Use a Personal Access Token (PAT)
1. Create a PAT with repo scope at GitHub Settings > Developer settings > Personal access tokens
2. Add it as a repository secret (e.g., BUILD_PAT)
3. Update your workflow:
- uses: actions/checkout@v4
with:
token: ${{ secrets.BUILD_PAT }}Option 2: Add a deploy key with write access
1. Generate an SSH key: ssh-keygen -t ed25519 -C "deploy-key"
2. Add the public key as a deploy key in repo Settings > Deploy keys (check "Allow write access")
3. Add the private key as a secret and configure checkout to use it
For robust CI/CD setups, create a dedicated GitHub user:
1. Create a new GitHub account for your build system
2. Generate a PAT for this account with repo permissions
3. Add this user to "Allow specified actors to bypass" in branch protection
4. Add the PAT as a secret in your repository
5. Update workflows to use this token:
- uses: actions/checkout@v4
with:
token: ${{ secrets.MACHINE_USER_PAT }}
- name: Push changes
run: |
git config user.name "build-bot"
git config user.email "[email protected]"
git push origin mainGitHub Rulesets offer more flexible bypass options:
1. Go to Settings > Rules > Rulesets
2. Create a new ruleset or edit existing one
3. Under "Bypass list", add actors who can bypass:
- Select "Repository admin" or specific teams
- Add GitHub Apps or deploy keys
Rulesets allow you to:
- Set different rules for different branch patterns
- Grant bypass to GitHub Apps (not possible with classic protection)
- Apply rules across multiple repositories in an organization
### Why Not Just Disable Protection?
While temporarily disabling branch protection will let you push, this defeats the purpose of having protection in the first place. It opens a window where anyone can push directly, including malicious actors if your repo is compromised.
### Default GITHUB_TOKEN Limitations
The GITHUB_TOKEN provided by GitHub Actions has intentional limitations—it cannot bypass branch protection rules even with contents: write permission. This is a security feature. If Actions could bypass protection, a compromised workflow could push malicious code directly.
### Force Push Considerations
Protected branches typically have force push disabled. If you need to rewrite history (e.g., after a rebase):
1. This generally should go through a PR
2. Or, temporarily enable force push in Settings (not recommended)
3. Or, grant specific users force push bypass (Settings > Branches > "Allow force pushes")
### GitLab vs GitHub
This error is specific to GitHub. GitLab has similar protection but different error messages ("You are not allowed to push code to protected branches").
### Semantic-Release and Similar Tools
Tools like semantic-release need to push version commits and tags. Use one of these approaches:
1. Use a PAT with bypass permissions
2. Configure the tool to create a PR instead of pushing directly
3. Use a GitHub App with bypass permissions
kex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git