Unable to push to a different repository from within gitlab pipeline/runner

Problem to solve

We have multiple repositories for one microservice, because it is easier for us to do service-to-service integrations when you have a smaller, separate “client”-facing-only repository for the microservice.

How we have it set up is we have our main repository, and whenever we make changes to main code that would impact the client we also update the client-facing things in the same repository (but in a different directory).

After tagging the changes, a separate pipeline is triggered that “splits” the directory and pushes it to the separate client-facing repository to reflect the new changes.

We had it set up and working for a long time, but now we need to sign the split commits as well because of some corporate requirements.

I’ve tried creating a service account with its own GPG signing key, access key and what not, but once I’m doing the actual git push, it still pushes as me (or whoever initiated the pipeline), even though I’m checking git config -l and git config --global -l and the user is the service account. I cannot understand why.

Steps to reproduce

I’ve tried playing around with setting global and local git config, global only, local only.
I’ve tried setting the access token, removing changes and pulling into the pipeline to push fresh changes; nothing seems to work for me.

Configuration

Please excuse the formatting and any errors; I’ve tried redacting what was sensitive and modified it a bit to simplify.

image:
  name: internal.redacted.com:1000/main/images/php8
  pull_policy: if-not-present

before_script:
  ## Display current PHP version
  - php -v

  ## Run ssh-agent (inside the build environment)
  - eval $(ssh-agent -s)

  ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
  ## We're using tr to fix line endings which makes ed25519 keys work
  ## without extra base64 encoding.
  ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null

  ## Create the SSH directory and give it the right permissions
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh

  - ssh-keyscan internal.redacted.com >> ~/.ssh/known_hosts
  - chmod 644 ~/.ssh/known_hosts

  # Add GitLab deploy access token to composer config
  - test -f ./composer.json && composer config gitlab-token.internal.redacted.com $GITLAB_DEPLOY_TOKEN

  - if [ -z ${SERVICE_NAME+x} ]; then SERVICE_NAME=$(php -r "echo substr('$CI_PROJECT_NAME', 0, strpos('$CI_PROJECT_NAME', '-service'));"); fi
  - if [ -z ${BUCKET_PATH+x} ]; then BUCKET_PATH="/var/www/redacted.com/something-main-$SERVICE_NAME"; fi

.config_commit_signing: &config_commit_signing |
  function log_info() {
      echo -e "[\033[1;92mINFO\033[0m] $*"
  }

  function log_warn() {
      echo -e "[\033[1;93mWARN\033[0m] $*"
  }

  function log_error() {
      echo -e "[\033[1;91mERROR\033[0m] $*"
  }

  function fail() {
    log_error "$*"
    exit 1
  }

  function install_gpg() {
    log_info "Setting GPG."

    GPG_PACKAGE='gnupg'

    if [ -x "$(command -v apk)" ]; then
      log_info "installing gpg through apk"
      apk add --no-cache $GPG_PACKAGE
      log_info "installed gpg through apk"
    elif [ -x "$(command -v apt-get)" ]; then
      log_info "installing gpg through apt-get"
      # refresh package lists first; a fresh image usually has none
      apt-get update -qq && apt-get install --no-install-recommends -y $GPG_PACKAGE
      log_info "installed gpg through apt-get"
    elif [ -x "$(command -v dnf)" ]; then
      dnf install -y $GPG_PACKAGE
    else
      fail "Package manager not found. You must manually install: $GPG_PACKAGE"
    fi

    gpg --update-trustdb

    log_info "GPG setup complete."
  }

  function configure_commit_signing() {
    if [[ -z "${GPG_PRIVATE_KEY}" ]]; then
      log_info "No GPG key provided."
      return
    fi

    log_info "Setting commit signing up."

    if [[ ! -f "${GPG_PRIVATE_KEY}" ]]; then
      fail "GPG_PRIVATE_KEY is not a file."
    fi

    log_info "doing a dry run.."

    if ! gpg --batch --dry-run --yes --import "${GPG_PRIVATE_KEY}"; then
      fail "Could not import GPG key."
    fi

    log_info "importing key id.."

    # import the key and extract its ID from the command output
    _GPG_KEY_ID=$(gpg --batch --yes --import "${GPG_PRIVATE_KEY}" 2>&1 | head -n 1 | sed -e 's/^.*key \([A-F0-9]*\): .*$/\1/g')

    if [[ -z "${_GPG_KEY_ID}" ]]; then
        fail "Could not extract key ID from gpg --import command."
    fi

    log_info "doing git config :))"

    git config --global commit.gpgsign true
    git config --global user.signingkey "${_GPG_KEY_ID}"
    git config --global user.name "cicd-service"
    git config --global user.email "cicd-service@redacted.com"
    git config user.name "cicd-service"
    git config user.email "cicd-service@redacted.com"

    log_info "Commit signing setup complete."
  }

stages:
  - setup

setup_signing_and_push:
  stage: setup
  script:
    - *config_commit_signing
    - if [ -z ${BUCKET_PATH+x} ]; then BUCKET_PATH="/var/www/redacted.redacted.net/something-main-$SERVICE_NAME"; fi
    - if [ -z ${BUNDLE+x} ]; then BUNDLE="${SERVICE_NAME}-bundle"; fi
    - if [ -z ${BUNDLE_NAME+x} ]; then BUNDLE_NAME=$(php -r "echo preg_replace_callback('/(^|-)(.?)/', function(\$m) { return ucfirst(\$m[2]); }, '$BUNDLE');"); fi
    - log_info "starting to set up gpg keys"
    - install_gpg
    - configure_commit_signing
    - SHA1=$(splitsh-lite "--prefix=bundles/${BUNDLE_NAME}/")
    - echo ${BUNDLE}
    - READ_ONLY_REPO_GIT_URL="https://oauth2:${CICD_ACCESS_TOKEN}@redacted.redacted.net/main/something-bundle.git"
    - git commit --amend --author="cicd-service <cicd-service@redacted.com>" --no-edit
    - git config --global -l #outputs as user.email "cicd-service@redacted.com", user.name "cicd-service"
    - git config -l #outputs as user.email "cicd-service@redacted.com", user.name "cicd-service"
    - git remote update origin --prune
    - git push "$READ_ONLY_REPO_GIT_URL" $SHA1:master -f # fails as it tries pushing as me (or whoever triggered the pipeline)

This is the error:

remote: GitLab: You cannot push commits for 'me.as.user@redacted.com'. You can only push commits if the committer email is one of your own verified emails.

Versions

I do not have permission/access to check the runner version, but from my knowledge we’re using self-managed runners and a GitLab Premium account.
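The following is an added example and is not part of the original post or the poster's pipeline. It isolates the two git facts the error message turns on: a SHA captured before `git commit --amend` still points at the old commit object (the amend rewrites HEAD only), and `--author=` changes the author but never the committer, which is the email the quoted push rule checks. It assumes a git binary is available, reuses the `cicd-service` identity from the post, and builds a throwaway repository with a constructed developer identity; `verify_commit_identity` and `recommit_as` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post: check the identity on the commit
# you are about to push, and re-create it under the service account when it
# does not match. Identities are the ones named in the post; the repository
# built in demo_fix_identity is constructed for this example.

EXPECTED_NAME="cicd-service"
EXPECTED_EMAIL="cicd-service@redacted.com"

# Print "<author-email> <committer-email>" for one commit object.
commit_identities() {
  git log -1 --format='%ae %ce' "$1"
}

# Succeed only if both author and committer email equal the expected one.
# The push rule quoted in the post names the committer email, and
# `git commit --amend --author=...` changes only the author.
verify_commit_identity() {
  _sha="$1"; _want="$2"
  set -- $(commit_identities "$_sha")
  [ "$1" = "$_want" ] && [ "$2" = "$_want" ]
}

# Build a new commit object with the same tree, parents and message as $1,
# but with author and committer set to the given identity. Prints the new SHA.
# Add -S to the commit-tree call to sign it once user.signingkey is configured.
recommit_as() {
  _sha="$1"; _name="$2"; _email="$3"
  _parents=""
  for _p in $(git rev-list --parents -n 1 "$_sha" | cut -s -d' ' -f2-); do
    _parents="$_parents -p $_p"
  done
  git log -1 --format=%B "$_sha" |
    GIT_AUTHOR_NAME="$_name" GIT_AUTHOR_EMAIL="$_email" \
    GIT_COMMITTER_NAME="$_name" GIT_COMMITTER_EMAIL="$_email" \
    git commit-tree "$_sha^{tree}" $_parents
}

# Constructed demo: one commit made under a developer identity (standing in
# for what the split pipeline carries over from history). Prints
# "old=<ae> <ce>|head=<ae> <ce>|new=<ae> <ce>" and fails if the re-created
# commit does not carry the service identity.
demo_fix_identity() {
  _tmp=$(mktemp -d)
  (
    cd "$_tmp" || exit 1
    HOME="${HOME:-$_tmp}"; export HOME
    git init -q .
    git config user.name "original-dev"
    git config user.email "me.as.user@redacted.com"
    echo "client code" > client.php
    git add client.php
    git commit -q -m "split: client change"
    _split_sha=$(git rev-parse HEAD)          # what the post stores in SHA1
    _old=$(commit_identities "$_split_sha")
    # The amend from the post rewrites HEAD only; the captured SHA is untouched,
    # and --author leaves the committer as whatever user.email was at the time.
    git commit -q --amend --no-edit --author="$EXPECTED_NAME <$EXPECTED_EMAIL>"
    _head=$(commit_identities HEAD)
    _new_sha=$(recommit_as "$_split_sha" "$EXPECTED_NAME" "$EXPECTED_EMAIL")
    _new=$(commit_identities "$_new_sha")
    verify_commit_identity "$_new_sha" "$EXPECTED_EMAIL" || exit 1
    printf '%s\n' "old=$_old|head=$_head|new=$_new"
  )
  _rc=$?
  rm -rf "$_tmp"
  return $_rc
}

# Run the demo when the file is executed directly.
demo_fix_identity
```

In a pipeline the useful order is: compute the SHA, pass it through `recommit_as` (with `-S` once the GPG key is imported), run `verify_commit_identity` on the result, and push only that SHA. The same pre-push check can confirm the signature with `git log -1 --format=%G? <sha>`, which prints `G` for a good signature, so a commit the remote would reject is caught on the runner rather than in the push error.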