Currently we have setup a pipeline, so when there is a PR then on Jenkins a build is started.
I used my personal account to connect Jenkins and GitHub (via personal access token), also using Smee for webhooks behind a secure firewall.
My problem I would like to disconnect from my personal account but the organization does not provide any dummy email account to be used such as services#xxx.com.
How could I manage to be able to use PullRequestBuilder without any personal/dummy account?
Thank you
Related
After a quick internet search I couldn't seem to find an easy way for my Azure Pipeline to write a custom comment back to the PR that triggered it. Is this possible? Does it require a PAT? I can't use any solution that requires exposing a PAT to a external PR, as they could then easily exfiltrate it.
Sure, you can add comments to the PR on GitHub from Azure pipelines. You can use the GitHub Comment task in your pipeline to easily write comments to the GitHub PR.
With this task, you also need to create a GitHub service connection, or a GitHub Enterprise Server service connection if your repository is hosted on GitHub Enterprise Server, for use on the task.
When creating the GitHub (or GitHub Enterprise Server) service connection, you can choose an authorization method from the optional.
GitHub service connection -- Grant authorization or Personal Access Token
GitHub Enterprise Server service connection -- Personal Access Token, Username and Password or OAuth2
So, a GitHub PAT is not required if the authorization method you choose is not Personal Access Token.
[UPDATE]
If you are worrying about that the service connection would be abused by someone to attack your source code repository, you can do the following things:
On GitHub, you can create a PAT, and limit the permission scopes of this PAT. More details, see "Creating a personal access token".
On Azure DevOps, you can choose Personal Access Token as the authorization method on the service connection, and fill with the PAT that you created in above step. Then you can limit which users, teams and groups, even which pipelines, can use the service connection in the project. More details, you can see "Secure a service connection".
I am using deployment group to deploy a .NET Core Console app to an on prem VM. In order to register the target I run the PAT on the VM. Is there a way I can use a Service Account to generate the PAT and use that to register the VM instead of my personal account?
I have used this article as a guide.
https://medium.com/#samjwright/automating-deployments-to-on-premis-servers-with-azure-devops-bb0e6cac4656
Is there a way I can use a Service Account to generate the PAT and use
that to register the VM instead of my personal account?
If you can use the service account to log in, then you can also create PAT with proper scopes in the user settings of the service account. You can refer to this ticket.
In addition, PAT is only used during registration of agent. The identity of agent pool administrator is needed ONLY at the time of registration and is not persisted on the agent, nor is used in any further communication between the agent and Azure Pipelines or TFS. Once the registration is complete, the agent downloads a listener OAuth token and uses it to listen to the job queue.
I added a user to my Azure Devops project but when they click on the link in the invitation email they get the "401 - Uh-oh, you do not have access." error. What am I doing wrong?
What I did that seems to have worked, was I made the project public, and the other user was able to access it. After they had accessed one time successfully I made it private again. They are still able to get to it.
First, check if your Azure DevOps organization is AAD based or not. Then that invited user should use corresponding account, work/school account for AAD based, personal account for the other. For example:
A highly specific 401 error case. In this case, both a personal Microsoft account and a work or school account (Azure AD) that have the same sign-in address exist. You've signed in with your work or school account, but your personal account is the identity with access to the organization.
More detail explanation you could take a look at our official documentation here:
Why can't I sign in after I select "personal Microsoft account" or
"work or school account"?
Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions. Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out
completely. Sign in again and select your other identity:
Close all browsers, including browsers that aren't running Azure DevOps.
Open a private or incognito browsing session.
Go to this URL: https://aka.ms/vssignout.
You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps #dev.azure.microsoft.com webpage.
If the sign-out page takes more than a minute to sign you out, close the browser and continue.
Sign in to Azure DevOps again. Select your other identity.
Suggest you to use a InPrivate mode browser to login, then use your Microsoft Account to authenticate, also select personal account if you need to choose between a "work or school account" and my "personal account".
When I try to authorize Azure Devops to get access to my GitHub repositories it wants full access to everything, including:
This application will be able to read and write all public and private repository data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites
But that is to broad access to my taste, how can I just give it access to specific repositories without giving it access to everything?
Create a specific user that has the exact permissions you would grant, create an Access Token for that user to strip some of the requested permissions, don't use the OAuth flow.
My Github account has two factor authorization (2fa) enabled. I want to integrate Jenkins with a few of my private repositories, but I cannot authorize them because I have 2fa enabled. Note this is a multibranch pipeline project.
Any ideas how to configure Jenkins to connect with private repos without creating a dummy account that does not have 2fa enabled?
Whoever would have thought to click the help button?
Credentials used to scan branches and pull requests, check out sources and mark commit statuses.
If none is given, only the public repositories will be scanned, and commit status will not be set on GitHub.
If your organization contains private repositories, then you need to specify a credential from an user who have access to those repositories.
This is done by creating a "username with password" credential where the password is GitHub personal access tokens. The necessary scope is "repo"
ie use a Github personal access token as your password when using username/password for your Jenkins credential.