I have added a pipeline source using my repository as per the steps mentioned in the developer doc.
But, the sync is stuck in processing since an hour, it only shows Sync in Progress.. in the logs.
Few things you can check here:
The token you have created has enough permissions on the repository which you are trying to add as a source. Make sure the token you have created has following permissions:
SCM
Permissions
Github
repo (all); admin:repo_hook (read, write); admin:public_key (read, write)
Bitbucket
Account: Read; Pull requests: Read; Workspace membership: Read; Projects: Read; Repositories: Admin; Webhooks: Read and Write
BitbucketServer
Admin permission for repositories
Gitlab
token needs to granted these scopes at minimum: api, write_repository
Even after ensuring the above it doesn't work, then do validate the yml using yml validator in UI and check if its a valid yml. Please refer Pipelines Validating Yml
Related
we use yaml pipelines in azure devops and use the 'limit job authorization scope' and 'Protect access to repositories in YAML pipelines' on organization level. but now we need some cross-project azure pipelines and as expected we get an authorization error when using the checkout task:
remote: TF401019: The Git repository with name or identifier SecondRepo does not exist or you do not have permissions for the operation you are attempting.
fatal: repository 'https://dev.azure.com/myorg/SecondProject/_git/SecondRepo/' not found
##[warning]Git fetch failed with exit code 128, back off 1.451 seconds before retry
We thought we were smart and gave the 'FirstProject Build Service (myorg)' (which runs the pipeline) access to the SecondRepo repository. However, we still get the authorization error described above.
i would have expected that the limit job authorization settings would not automatically give the user more rights. but as it looks to us, manually set rights are probably also deliberately removed.
is this intended?
Please make sure to disable the Limit job authorization scope to current project for non-release pipelines setting at project level and organization level for the project where you are running the pipeline. For more details, please refer to here.
I have my personal GitHub account which has been given access to Repos that exist as part of an organization. I'm trying to create a pull-request from within VSCode for these Repos, but I get the below error.
Is there a setting I'm just missing?
[Info] GitHubRepository> Creating pull requests failed: HttpError: Validation Failed: {"resource":"PullRequest","field":"head","code":"invalid"}
HttpError
Check first if you have a git config credential.helper set (to, for instance on windows, manager-core)
If you have, that means the wrong credentials (username/password) are cached in said credential helper. They are not the ones for your organization GitHub account.
See GitHub "Caching your GitHub credentials in Git" and update them.
I have a pipeline with the following:
resources:
repositories:
- repository: repo
type: git
name: TEST-staging
steps:
- checkout: repo
When the pipeline runs I get this warning:
This pipeline needs permission to access a resource before this run can continue
Which prompts me to grant access:
Granting permission here will permit the use of Repository 'TEST-staging' for all waiting and future runs of this pipeline.
I would like to be able to audit and modify which pipelines have access to which repos. Where are those permissions listed?
EDIT: User is prompted to permit access when the pipeline names the repo e.g. - checkout: repo however, user is NOT prompted to permit access when using -checkout: self even though it's the same repo.
EDIT: The organization settings for Limit job authorization scope to current project for non-release pipelines and Limit job authorization scope to referenced Azure DevOps repositories are currently and have always been disabled.
EDIT: This FAQ question is similar to my question: Why am I am prompted to authorize resources the first time I try to check out a different repository?. That FAQ leads to this documentation: Troubleshooting authorization for a YAML pipeline. That documentation contains:
When you create a pipeline for the first time, all the resources that
are referenced in the YAML file are automatically authorized for use
by the pipeline, provided that you are a member of the User role
for that resource. So, resources that are referenced in the YAML file
at pipeline creation time are automatically authorized. When you
make changes to the YAML file and add additional resources ... then
the build fails with a resource authorization error ... In this case,
you will see an option to authorize the resources on the failed build.
If you are a member of the User role for the resource, you can select
this option. Once the resources are authorized, you can start a new
build.
EDIT: This seems to be the work item for the change that is causing us to be prompted to permit access.
So, I am being lead to these conclusions:
#Leo had the correct answer to the question "Where are those permissions listed?" except when a YAML resource is added to an existing pipeline
When YAML resources are modified or edited, the user is prompted to authorize that access even when that access is already authorized via the user's role
I have re-titled this post in the hopes that it more clearly asks the question, because as of now there does not seem to be any place in which ad-hoc authorizations are listed
I would like to be able to audit and modify which pipelines have access to which repos. Where are those permissions listed?
According to the document Pipeline permissions and security roles, we could to know:
For permissions, you grant or restrict permissions by setting the
permission state to Allow or Deny, either for a security group or an
individual user. For a role, you add a user or group to the role.
Therefore, the permission of the pipeline is associated with the user executing the pipeline.
To be able to audit and modify which pipelines have access to which repos, we could use a higher authority account to give the current user permission to access the TEST-staging repo:
Organization Settings->Users->select the current user->Three dots->Manager User:
If the current user has permission to directly access the repo, then when this user executes the pipeline, the pipeline will have the permission to access the resource repo.
I have a public GitHub repo with some Azure Pipelines yml template files. I want to create a pipeline that uses these templates. I don't want to use an OAuth based service connection, because the whole concept of an OAuth Service Connection is simply ridiculous for a CI/CD environment since the tokens expire and need to be tied to a specific user. I also don't want to use a GitHub PAT because it seems ridiculous to have a PAT (again tied to a specific user) to access a public GitHub repo.
How can I create my pipeline so it is not tied to a specific user?
I would like to have something like this
resources:
repositories:
- repository: templates
type: github
name: APublicGitHubOrg/APublicGitHubRepo
ref: ref/heads/master
extends:
template: TheTemplate.yml
but that doesn't work because endpoint is a required property.
Ok...so how can I create an endpoint for GitHub without tying it to a user or having an expiration?
Unfortunately, Repository templates requires an endpoint, and GitHub repos require a GitHub service connection for authorization, which requires either Grant authorization or Personal access token.
If you really want to this feature, please submit a suggestion at website below, product team will evaluate it carefully:
https://developercommunity.visualstudio.com/content/idea/post.html?space=21
Can Azure Artifacts packages be made available publicly? If so, I'd like publish NuGet packages from a PR to my GitHub project. I currently get the following permissions error from PR builds:
[warning]Warning_SessionCreationFailed {"statusCode":500,"result":{"$id":"1","innerException":null,"message":"User
'89e4e6df-0ac0-471f-ba63-0270050c3b79' lacks permission to complete
this action. You need to have
'ReadPackages'.","typeName":"Microsoft.VisualStudio.Services.Feed.WebApi.FeedNeedsPermissionsException,
Microsoft.VisualStudio.Services.Feed.WebApi","typeKey":"FeedNeedsPermissionsException","errorCode":0,"eventId":3000}}
[error]Error: The process '/usr/bin/dotnet' failed with exit code 1
[error]Packages failed to publish
I'm using an azure-pipelines.yml file. Here is a link to my Azure Pipelines build.
Update 1
These are the users/groups I have already added to my feed:
These are the users/groups I can add to my feed, that I haven't already done:
Update 2
This is the yaml for the Azure Pipelines task I am using to publish the NuGet package:
- task: DotNetCoreCLI#2
displayName: 'Dotnet NuGet Push'
inputs:
command: push
nuGetFeedType: internal
packagesToPush: '/home/vsts/work/1/Windows/*.nupkg'
publishVstsFeed: schema-net
According to the error message, your account does not have permissions on that feed which you want to operate.
You need verify whether your account has Contributor or higher permissions on the feed which you are trying push to.
In another, the group Project Collection Build Service is a default Contributor. But also, as default setting, it does not include the account Project Collection Build Service(xxxx) as a member. So, if you are the owner, you may need to add the Project Collection Build Service(xxxx) account into Project Collection Build Service group.
Edit:
As I check your org info from our back end, I found the user(89e4e6df-0ac0-xxxxxx-0270050c3b79), which displayed in your error message, is a Service identity account. And it's domain is build. It's a special account, not the normal user who may create or trigger the pr. So, if you do not grant permission to this service identity account, it will not have permission to access the feed you want to push to.
And also, the direct parents groups of this security account in your Org is [org name]\Security Service Group. You can check it under your org setting. You can also check its permission under your feed.
So, for solved, you need to add this service identity account in to your feed setting, and grant it contributor or higher role.
2nd Update:
For clearly understand, let me clear up some details.
At first,according to the error message which displayed in log said lack ReadPackage permission, I considered this firstly with the permission of the feed which you wanted push to in task.
In addition, the user number which also displayed in the log, 89e4e6df-0ac0-xxxxxx-0270050c3b79. As I checked from backend, it is a VSID that represent a build service account: Schema.NET Build Service (schema-net). So, firstly, it’s easy to think that this account does not has relevant permission so that it could not push package.
But, after you update the feed setting, I check user VSID from backend again and review the error log. I figure it out. According to the logs of #20190625.1, you can see that the error begin occurred on getting source package:
##[warning]Can\'t find loc string for key:
Warning_SessionCreationFailed
Because of this error, it’s failed to create the correct package source package path so that the service account does not have permission to access it because it’s a wrong path:
In fact, the correct source package url should look like this( you can refer this from #2029062502)
https://pkgs.dev.azure.com/schema-net/_packaging/f43386ca-{package id}-d2f8da200fb3/nuget/v3/index.json
Now, I think this is a issue which about the configuration of your nuget.config file.