git-push | Use git-push to deploy your website to Azure Heroku | Continuous Deployment library

Another option would be for the git-user to create an archive that contains all the relevant files to be deployed (think of it as an artefact). This can be done in the post-receive hook before touching the trigger file. To create the ZIP/TAR, you can use the git archive command which facilitates this step.

As soon as the cron-job runs and a deploy is triggered, the site-user extracts the contents of the archive into /var/www/site and removes the archive.

This way, the git-user has no access to the webroot. At the same time, the site-user does not even need read-access to the repository.

It is also possible to specify an alternative index-file with the environment variable GIT_INDEX_FILE to circumvent the default location ($GIT_DIR/index). But I don't know if Git needs write access to other files/folders as well.

If you don't have any specific rule on which branches/commits to tag, you can set the pipeline to add Tag automatically upon completing the build

The --force-if-includes option is, as you've noted, new. If you've never needed it before, you don't need it now. So the shortest answer to "when should I use this" would be "never". 🙃 The recommended answer is (or will be once it's proven?) always. (I'm not yet convinced one way or the other, myself.)

A blanket "always" or "never" is not very useful though. Let's look at where you might want to use it. It is, strictly speaking, never necessary because all it does is modify --force-with-lease slightly. So we already have --force-with-lease in effect, if --force-if-includes is going to be used.¹ Before we look at --force-with-includes we should cover how --force-with-lease actually works. What problem are we trying to solve? What are our "use cases" or "user stories" or whatever the latest buzzwords might be when someone is reading this later?

(Note: if you're already familiar with all of this, you can search for the next force-if-includes string to skip the next few sections, or just jump to the bottom and then scroll up to the section header.)

The fundamental problem we have here is one of atomicity. Git is, in the end, mostly—or at least significantly—a database, and any good database has four properties for which we have the mnemonic ACID: Atomicity, Consistency, Isolation, and Durability. Git doesn't exactly achieve any or all of these on its own: for instance, for the Durability property, it relies (at least partly) on the OS to provide it. But three of these—the C, I, and D ones—are local within a Git repository in the first place: if your computer crashes, your copy of the database may or may not be intact, recoverable, or whatever, depending on the state of your own hardware and OS.

Git is not, however, just a local database. It's a distributed one, distributed via replication, and its unit of atomicity—the commit—is spread out across multiple replications of the database. When we make a new commit locally, we can send it to some other copy or copies of the database, using git push. Those copies will try to provide their own ACID behavior, locally on those computers. But we'd like to preserve atomicity during the push itself.

We can get this in several ways. One way is to start with the idea that every commit has a globally (or universally) unique identifier: a GUID or UUID.² (I'll use the UUID form here.) I can safely give you a new commit I've made as long as we both agree that it gets the UUID I gave it, that you didn't have.

But, while Git does use these UUIDs to find the commits, Git also needs to have a name for the commit—well, for the last commit in some chain. This guarantees that whoever is using the repository has a way to find the commit: the name finds the last one in some chain, from which we find all the earlier ones in the same chain.

If we both use the same name, we have a problem. Let's say we're using the name main to find commit b789abc, and they're using it to find the commit a123456.

The solution we use with git fetch here is simple: we assign a name to their Git repository, e.g., origin. Then, when we get some new commit(s) from them, we take their name—the one that finds the last of these commits in some chain, that is—and rename it. If they used the name main to find that tip commit, we rename that to origin/main. We create or update our own origin/main to remember their commits, and it does not mess with our own main.

But, when we're going the other way—pushing our commits to them—Git doesn't apply this idea. Instead, we ask them to update their main directly. We hand over commit b789abc for instance, and then ask them to set their main to b789abc. What they do, to make sure that they don't lose their a123456 commit, is make sure that a123456 is part of the history of our commit b789abc:

As long as you see nbauma109@github.com, you can be sure an SSH push will fail (from command-line or maven)

A GitHub SSH URL would always use the remote user 'git': git@github.com:..., never the actual GitHub user account name: your public key registered to said GitHub account is suppose to authenticate you.

So start testing with:

From your reflog, it looks like you just want to do:

but I can still clone and push to repositories using the https link (e.g. https://github.com/username/repository.git).

When using HTTPS, you would not use any SSH key, only cached credentials (GitHub account username/password), that would be provided by the git credential helper (git config credential.helper)

The issue seemed to be caused by slow internet speeds. Perhaps what I reported was a timeout error.

It wasn't clear to me what specifically fixed it, but moving to another location with faster internet resolved this issue.

I still welcome any other suggestions!

No. This is ... unfortunate, because manually obtaining the first one is easy:

You could simply invoke the push-to-delete and continue anyway if it fails. This is crude—it would be better to continue if and only if it fails due to the branch not existing—but serviceable. To continue even if the command fails, use git push origin :gh-pages; git subtree push --prefix build origin gh-pages.

I would not recommend this method though (with or without something more clever to detect a "desirable failure"). There's another solution in that same comment thread you linked in your own comment that mentions this method: