Why Jenkins ask for "write permission" of an organization private Github repos

Hi,

I have an private Github repos of my organization. I have created a Github personal token with permission to access the content of my repos. Then I created a Jenkins credential with username and password is my username and the created token. I can clone this repos with git bash, as well as access the repos from the web browser using: my token@github/my account/my repos .
After that, I created a Jenkins pipeline: "pipeline script on SCM" > “Git” > “Repositories”: github/my account/my repos, and "Credentials" is my above credential. An error message appears under the Git repos:
"Failed to connect to repository : Command “git.exe ls-remote -h – https:// my · GitHub account/my repos/ HEAD” returned status code 128:
stdout:

  • stderr: remote: Write access to repository not granted.*
    fatal: unable to access : The requested URL returned error: 403

However, if I replace in the “Repositories” in pipeline configuration by the link added my token: my token@github/my account/my repos, and the “Credentials” is none. It can connect and clone my repos.

Finally, I built the pipeline and got the log of error:
hudson.plugins.git.GitException: Command “git.exe fetch --tags --force --progress --prune – origin +refs/heads/controller:refs/remotes/origin/controller” returned status code 128:
*stdout: *
stderr: remote: Write access to repository not granted.
fatal: unable to access “my repos”: The requested URL returned error: 403

My question is:

  • In the setting that returns error, why does it ask for the write permission if with the command only asking for the list on the repos? Why does the link added token@github not require for that permission?

  • Looking into the log, the option --prune may be the cause of “writing permission” requirement. Why does --prune option added? How can I disable it?

Looking forward to someone helping me.

Jenkins: 2.426.3
OS: Windows 10 - 10.0
Java: 21.0.1 - Oracle Corporation (Java HotSpot™ 64-Bit Server VM)

ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
blueocean-commons:1.27.10
blueocean-core-js:1.27.10
blueocean-dashboard:1.27.10
blueocean-git-pipeline:1.27.10
blueocean-github-pipeline:1.27.10
blueocean-jwt:1.27.10
blueocean-pipeline-api-impl:1.27.10
blueocean-pipeline-editor:1.27.10
blueocean-pipeline-scm-api:1.27.10
blueocean-rest:1.27.10
blueocean-rest-impl:1.27.10
blueocean-web:1.27.10
bootstrap5-api:5.3.2-3
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1144.v1425d1c3d5a_7
build-pipeline-plugin:2.0.1
build-timeout:1.32
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.2
cloudbees-folder:6.858.v898218f3609d
command-launcher:107.v773860566e2e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-95.v22a_d30ee5d36
credentials:1311.vcf0a_900b_37c2
credentials-binding:657.v2b_19db_7d6e6d
display-url-api:2.200.vb_9327d658781
durable-task:543.v262f6a_803410
echarts-api:5.4.3-2
email-ext:2.104
favorite:2.208.v91d65b_7792a_c
font-awesome-api:6.5.1-2
git:5.2.1
git-client:4.6.0
github:1.37.3.1
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1772.va_69eda_d018d4
github-oauth:597.ve0c3480fcb_d0
gradle:2.9
gson-api:2.10.1-15.v0d99f670e0a_7
htmlpublisher:1.32
instance-identity:185.v303dc7c645f9
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.16.1-373.ve709c6871598
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
jenkins-design-language:1.27.10
jjwt-api:0.11.5-77.v646c772fddb_0
joda-time-api:2.12.6-21.vca_fd74418fb_7
jquery:1.12.4-1
jquery3-api:3.7.1-1
json-path-api:2.9.0-33.v2527142f2e1d
junit:1256.v002534a_5f33e
ldap:711.vb_d1a_491714dc
mailer:463.vedf8358e006b_
matrix-auth:3.2.1
matrix-project:822.824.v14451b_c0fd42
mina-sshd-api-common:2.12.0-90.v9f7fb_9fa_3d3b_
mina-sshd-api-core:2.12.0-90.v9f7fb_9fa_3d3b_
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pam-auth:1.10
parameterized-trigger:787.v665fcf2a_830b_
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github:2.8-159.09e4403bc62f
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:704.vc58b_8890a_384
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2175.v76a_fff0a_2618
pipeline-model-definition:2.2175.v76a_fff0a_2618
pipeline-model-extensions:2.2175.v76a_fff0a_2618
pipeline-rest-api:2.34
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2175.v76a_fff0a_2618
pipeline-stage-view:2.34
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.8.0
pubsub-light:1.18
resource-disposer:0.23
scm-api:683.vb_16722fb_b_80b_
script-security:1313.v7a_6067dc7087
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.948.vb_8050d697fec
sshd:3.322.v159e91f6a_550
structs:337.v1b_04ea_4df7c8
timestamper:1.26
token-macro:400.v35420b_922dcb_
trilead-api:2.133.vfb_8a_7b_9c5dd1
variant:60.v7290fc0eb_b_cd
workflow-aggregator:596.v8c21c963d92d
workflow-api:1289.va_cf779f32df0
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3853.vb_a_490d892963
workflow-durable-task-step:1317.v5337e0c1fe28
workflow-job:1385.vb_58b_86ea_fff1
workflow-multibranch:773.vc4fe1378f1d5
workflow-scm-step:415.v434365564324
workflow-step-api:657.v03b_e8115821b_
workflow-support:865.v43e78cc44e0d
ws-cleanup:0.45

I’m not entirely familiar with all the rules around GitHub and HTTPS clones. However, I can say that the git fetch command you noticed does not have any requirements at all on the GitHub side of the process. Specifically, --prune tells git to remove branches from your clone if they were removed from GitHub’s clone.

Usually 403 errors are the result of missing or failed credentials and GitHub provides an extensive checklist for troubleshooting this – Troubleshooting cloning errors - GitHub Docs

Note, that you want to run all troubleshooting steps on the Jenkins Agent that is giving you these errors.