In an Azure Pipelines Task, I am attempting to create and push a new branch. I am able to clone the repo using the $(System.AccessToken) variable, bit when I try to push the new branch I get the following error:
remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\(GUID)', scope 'repository'.
If I check my repository security, I see that both the Build Service user and Project Collection Build Service Accounts group has Contribute, Create Branch, Contribute to pull request, and Create Tag permission set to "Allow", which from all the research I've done is all I should need to do.
How can I troubleshoot this issue? I assume that either I am missing something silly, or there's a permissions inheritance issue. However, if I'm setting security on the repository itself my assumption is that should override any inherited permissions.
Pipeline:
steps:
- powershell: |
git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" clone "https://repoaddress/_git/common"
cd common
git checkout develop
git checkout -b release/$(build.buildNumber) $(build.buildNumber)
git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push -u origin HEAD
displayName: 'Create Branch From Tag'
Permissions:
It should caused by your build service account do not have the contribute permission for this repository.
Go Project setting --> Repositories --> click Repos you want to operate -->set repository permissions accordingly.
Note: Service account is Project Collection Build Service (org name)
Update1
I got the issue, add this service account {project name} Build Service ({Org name}) and configure the account permission, it will work.
According to the error message: Details: identity 'Build\(GUID)', scope 'repository'., we could get the service account GUID
Check this REST API, it could list the service account, we could search the service account name via the GUID, then configure the permission.
Update2
Since you are using AccessToken, it update the repo via service account, as another workaround, we could use Personal access token do the same things, and it do not need to configure service account permission.
Update2
A sample power shell script to clone the repo via PAT token:
$MyPat = 'yourPAT'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
And we will receive two notifications during the lifetime of a PAT - one upon creation and the other seven days before the expiration. You could refer to this doc for more details.
Seven days before your PAT expires, you receive a notification similar to the following example.
Then we could change the Expiration time.
Related
I'm part of an organization, and through the UI I can create a private repository inside that organization.
Going on repository -> setting -> Collaboration and team, I can see
I'm the admin
I've created my PAT and in fact, I can commit and push other
public repositories.
But if I clone this new repository I get "fatal: unable to access"
Is there anything specific to do when creating repos inside an organization?
If I try to create a new PAT and try to create it for specific repos, I can't see this new repo in the list of my repos! So I have to create it for "All repositories".
Other trials:
git clone https://<username>:<token>#github.com/orgName/repoName failed
git clone https://<username>#github.com/orgName/repoName failed
git clone https://github.com/orgName/repoName of course failed as well
BUT, one strange thing:
git clone https://<token>#github.com/orgName/repoName asked me for a password
I didn't go on, maybe it's recognized just as a new username so it was asking for a password
Turns out for whatever reason you have to use ssh and cannot use PAT and https. After registering a key on GitHub everything worked as expected.
Here is the guide: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/checking-for-existing-ssh-keys
If it is a private repository that is accessed using the classic Personal Access Token(PAT) try resetting the fetch and push url for the remote repo by running:
git remote set-url origin https://<classic PAT >#github.com/organization_name/repo_name
In order to do the same while using the newer fine-grained token:
git remote set-url origin https://oauth2:<fine-grained PAT >#github.com/organization_name/repo_name
If indeed the Personal access token above is authorized to access that repo you should now be able to do all functions from before such as cloning, pushing and pulling.
I have my personal GitHub account which has been given access to Repos that exist as part of an organization. I'm trying to create a pull-request from within VSCode for these Repos, but I get the below error.
Is there a setting I'm just missing?
[Info] GitHubRepository> Creating pull requests failed: HttpError: Validation Failed: {"resource":"PullRequest","field":"head","code":"invalid"}
HttpError
Check first if you have a git config credential.helper set (to, for instance on windows, manager-core)
If you have, that means the wrong credentials (username/password) are cached in said credential helper. They are not the ones for your organization GitHub account.
See GitHub "Caching your GitHub credentials in Git" and update them.
I created Authentication token as well all permission for user which running pipeline is defined
If you checked Run with Build Agent Credentials as Authentication in the task. And the build account {ProjectName} build service ({OrganizationName}) was granted Read and Contribute permission in the Wiki Security page.
But you still encounter above error. It's probably because you have IIS Basic Authentication turned on in the Azure DevOps Server machine. When IIS Basic Authentication is enabled on your windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism. See here.
We recommend you keep IIS Basic Authentication turned off at all times when using Azure DevOps Server. Only if necessary should you enable IIS Basic Authentication. When IIS Basic Authentication is enabled on your windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism.
As workaround to this, you can add an extra header which includes a base 64 encoding of "user:PAT" to the Git requests when IIS Basic Authentication is enabled:
So you can run the pure git commands in a powershell task to update your wiki repo, instead of uisng the git based wiki updater task. See below example scripts in the powershell task (yaml format):
steps:
- powershell: |
git config --global user.email "your#eamil.com"
git config --global user.name "name"
$MyPat = "$(system.accesstoken)"
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
#clone the wiki repo
git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://server/collection/_git/Document.wiki -q
cd Document.wiki
#add a new file
echo echo "some-text" > addnew.md
git add .
git commit -m message
#push to wiki repo
git -c http.extraHeader="Authorization: Basic $B64Pat" push https://server/collection/_git/Document.wiki -q
displayName: 'update wiki'
Check here for more information.
In order to use the Build Agent OAuth token $(system.accesstoken) in above script. You need click the Agent job 1 and Check the option Allow scripts to access the OAuth token
Usually one must click link "Invite teams or people" after accessing "https://github.com///settings/access" in a web browser.
But, I wish to do this through a command line interface, because I must invite
many persons. Is it possible?
You could use the GitHub API in order to add a collaborator
PUT /repos/:owner/:repo/collaborators/:username
See for instance here:
curl -H "Authorization: token YOUR_TOKEN" "https://api.github.com/repos/YOUR_USER_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME" -X PUT -d '{"permission":"admin"}'
With permission level being one of:
pull - can pull, but not push to or administer this repository.
push - can pull and push, but not administer this repository.
admin - can pull, push and administer this repository.
maintain - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
triage - Recommended for contributors who need to proactively manage issues and pull requests without write access.
(default is "push")
Update Sept. 2020, considering GitHub CLI gh is now 1.0, it could be a good feature to add (a kind of gh repo invite)
In the meantime, you can use gh pi to make a similar API call, automatically authenticated, with -f to add POST fields.
gh api repos/YOUR_USER_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME" -f '{"permission":"admin"}'
An alternative using hub:
1- Check all users with permissions in your repo:
hub api --flat 'repos/YOUR_USER_OR_ORGANIZATION_NAME/YOUR_REPO/collaborators' | grep -E 'login|permissions'
2- Give permission to an user :
hub api 'repos/YOUR_USER_OR_ORGANIZATION_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME' -H X:PUT -H d:'{"permission":"admin"}'
You can use the github cli or call the github api directly through curl. In this example I add a member to a company repo using the github cli:
gh api "orgs/$target_repo/teams/$team/repos/$target_repo/$repo_new_name" -X PUT -f permission=admin
Also see the docs: https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions
For your situation you can use this endpoint:
https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator
I would like to create a webhook within Gitlab to automatically update a mirror repository on Github, whenever a push event happens. I've checked this page, but I didn't understand how it is done.
My Gitlab version is 6.5. Here is the configuration page:
What should I put in URL? Where do I need to place the script to update the repository?
You don't need a webhook for that. A regular post-receive hook will work very well.
To create and use such a hook you just have to login on the server where your gitlab is installed and create an ssh key for git user.
sudo -u git ssh-keygen -f /home/git/.ssh/reponame_key
(do not type any passphrase when prompted)
Go to your github account and add the public key (it's been created as /home/git/ssh/reponame_key.pub) to your project as a deploy key.
have a look at https://help.github.com/articles/managing-deploy-keys if you need help with that.
Once that is done, you just have to configure the connection between your git server and github's:
add an alias to git user's ssh configuration (add following lines to /home/git/.ssh/config - create it if it's not present)
Host reponame
IdentityFile /home/git/.ssh/reponame_key
HostName github.com
User git
Now add the new remote (using the alias you just created) to your repository:
cd /home/git/repositories/namespace/reponame.git
git remote add --mirror github reponame:youruser/reponame.git
Now that everything is in place you'll have to create the actual hook:
cd /home/git/repositories/namespace/reponame.git/hooks
echo "exec git push --quiet github &" >> post-receive
chmod 755 post-receive
The lastcommand is very important because git will check if a hook is executable before running it.
That's it!
(Replace reponame, namespace and youruser according to your real accounts and enjoy).
Last note: if you want your name andavatar near commits on github, make sure that the email address you are using on gitlab is one of the addresses inked to your github account as well. You'll see your gitlab username otherwise.
If you aren't hosting your own GitLab, GitLab.com has introduced this feature directly, without any workarounds.
From within a project use the gear icon to select Mirror Repository
Scroll down to Push to a remote repository
Checkmark Remote mirror repository: Automatically update the remote mirror's branches, tags, and commits from this repository every hour.
Enter the repository you want to update; for GitHub you can include your username and password in the URL, like so: https://yourgithubusername:yourgithubpassword#github.com/agaric/guts_discuss_resource.git —as noted in the comments, it is much better securitywise to use your GitHub access token here instead of login credentials; will update the answer when i've tested.
For WebHooks processing I'm using sinatra web server.
require 'sinatra'
post '/pew' do
puts JSON.parse request.body.read
# here can be placed signal code to run commit processing script
end
register webhook for push events(or other) to http://localhost:4567/pew within GitLab
and since this moment on each commit gitlab will be sending commit info to url.