error: failed to push some refs

Git push rejection in CI pipelines often stems from branch protection rules not configured to allow automated pushes. GitHub branch protection, GitLab protected branches, and Bitbucket branch permissions block force pushes and direct pushes from non-approved actors — including CI service accounts that have write access but are not in the "allowed to push" list. GitHub Actions' default GITHUB_TOKEN has read/write repository access but cannot bypass required status checks or required reviewer approvals. If your branch requires pull request reviews before merging, the GITHUB_TOKEN cannot push directly to main even with write permission. A common pattern: a CI job that runs automated dependency updates or version bumps and tries to commit and push them back to main fails with push rejected. The standard solution is to create a personal access token (PAT) or deploy key with specific bypass permissions, stored as a CI secret. For GitHub Actions, a bot account with "Bypass branch protections" permission can commit and push successfully, while still being audited in the commit log. A different cause: your local branch is behind the remote (git pull reveals diverged commits). This is particularly common when multiple developers push to the same feature branch, or when a CI job generates code (documentation, test snapshots, lockfile updates) and pushes a commit that your local branch has not yet fetched. git pull --rebase before pushing integrates remote changes without a merge commit and keeps the branch history linear.