From Fedora Project Wiki

HTTPS commits to src.fedoraproject.org

Background

In the past, pkgs.fedoraproject.org was the host that maintainers used to upload package sources via https and push commits via ssh. All such commits via ssh required the user to be in the 'packager' group, because the host created actual accounts for each packager, then restricted them to commits. A user who was not in that group was not known to the ACLs and was denied.

When we moved to src.fedoraproject.org with a pagure instance in front of it, this limitation was still in place. As a result, users who aren't in the packager group could fork packages but could not push to their forks.

This limitation is now removed by using https pushes, which are available for all users who have permissions to commit to packages/modules/containers/tests or forks thereof.

How it works

fedpkg (starting with version 1.34) can fetch an OIDC token from src.fedoraproject.org and then use that token to push commits over https. You also need to have python-openidc-client >= 0.6.0 installed.

You will need to do your git clone with -a (anonymous) for now, and will need to use a graphical session (so your browser can be used to get the token you need).

If "fedpkg push" shows "Could not execute pre_push_check: Request is unauthorized.", use "fedpkg push --no-verify" to push your commits. See https://pagure.io/fedpkg/issue/513 for reference.
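
A preflight check for the requirements above, as an added example that is not part of the wiki page or of fedpkg. The function names are hypothetical, the version strings and remote URLs are constructed sample values, and it assumes an anonymous (-a) clone has an https remote while a non-anonymous clone has an ssh remote.

```shell
#!/bin/sh
# Added example: checks the minimum versions stated on this page and the
# transport of the clone's remote. Function names are hypothetical.

MIN_FEDPKG="1.34"
MIN_OIDC="0.6.0"

# version_ge A B: succeed when version A >= version B.
# sort -V (GNU coreutils) compares numerically per component, so 1.4 < 1.34.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# remote_transport URL: print "https", "ssh" or "other" for a git remote URL.
remote_transport() {
    case "$1" in
        https://*)      echo https ;;
        ssh://*|*@*:*)  echo ssh ;;
        *)              echo other ;;
    esac
}

# check_setup FEDPKG_VER OIDC_VER REMOTE_URL
# Prints one finding per line; returns non-zero if anything needs fixing.
check_setup() {
    rc=0
    if ! version_ge "$1" "$MIN_FEDPKG"; then
        echo "fedpkg $1 is older than $MIN_FEDPKG: upgrade, then run 'fedpkg push' once"
        rc=1
    fi
    if ! version_ge "$2" "$MIN_OIDC"; then
        echo "python-openidc-client $2 is older than $MIN_OIDC"
        rc=1
    fi
    if [ "$(remote_transport "$3")" != https ]; then
        echo "remote '$3' is not https: clone again with -a (anonymous)"
        rc=1
    fi
    return $rc
}

# Constructed sample values. On a real system they could come from, e.g.,
#   rpm -q --qf '%{VERSION}' fedpkg    and    git remote get-url origin
check_setup "1.33" "0.6.0" "ssh://user@pkgs.fedoraproject.org/rpms/example" || true
```

A password prompt from git is never a finding to resolve by typing credentials; the checks only point back to upgrading and re-cloning as described on this page.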

Future plans

Slowly over time we plan to transition all users to https pushing for commits and retire the ssh service. There will be a lot of notice for this and it will only happen after https pushing is well established and working.

FAQ

Q: On push, git asks for a username and password, what do I enter there?

A: This means you cloned with an old version of fedpkg. Do a fedpkg push (instead of git push) once after upgrading to fedpkg 1.34 or higher. Under no circumstances should you enter your FAS password in the CLI.

Q: I want to use normal 'git push', can I?

A: Yes, if you cloned it with a recent enough fedpkg. If it asks for your password, rerun the fedpkg clone command, or run "fedpkg push" for now.

Q: Can I do a push on a headless machine?

A: Not yet. Currently you need a graphical session with a browser (Firefox, Chrome, etc.). This will get fixed down the road.

Q: Can I still push via ssh?

A: If you are in the packager group you can still push via ssh for now. In time, we are planning to deprecate this.

Q: I get the message "Token was renewed. Please rerun command" when trying to push.

A: This means the tool has realized your token has expired and renewed it. Just press arrow-up, then Enter, and it should work.