After a quick internet search I couldn't seem to find an easy way for my Azure Pipeline to write a custom comment back to the PR that triggered it. Is this possible? Does it require a PAT? I can't use any solution that requires exposing a PAT to a external PR, as they could then easily exfiltrate it.
Sure, you can add comments to the PR on GitHub from Azure pipelines. You can use the GitHub Comment task in your pipeline to easily write comments to the GitHub PR.
With this task, you also need to create a GitHub service connection, or a GitHub Enterprise Server service connection if your repository is hosted on GitHub Enterprise Server, for use on the task.
When creating the GitHub (or GitHub Enterprise Server) service connection, you can choose an authorization method from the optional.
GitHub service connection -- Grant authorization or Personal Access Token
GitHub Enterprise Server service connection -- Personal Access Token, Username and Password or OAuth2
So, a GitHub PAT is not required if the authorization method you choose is not Personal Access Token.
[UPDATE]
If you are worrying about that the service connection would be abused by someone to attack your source code repository, you can do the following things:
On GitHub, you can create a PAT, and limit the permission scopes of this PAT. More details, see "Creating a personal access token".
On Azure DevOps, you can choose Personal Access Token as the authorization method on the service connection, and fill with the PAT that you created in above step. Then you can limit which users, teams and groups, even which pipelines, can use the service connection in the project. More details, you can see "Secure a service connection".
Related
Currently we have setup a pipeline, so when there is a PR then on Jenkins a build is started.
I used my personal account to connect Jenkins and GitHub (via personal access token), also using Smee for webhooks behind a secure firewall.
My problem I would like to disconnect from my personal account but the organization does not provide any dummy email account to be used such as services#xxx.com.
How could I manage to be able to use PullRequestBuilder without any personal/dummy account?
Thank you
I need to add Azure DevOps repos to azure databricks repo by using databricks API at this link. I am using a service principal credentials for this. The service principal is already added as admin user to databricks. With my service principal I can get the list of repos and even delete them. But when I want to add a repo to a folder, it raises the following error:
{
"error_code": "PERMISSION_DENIED",
"message": "Missing Git provider credentials. Go to User Settings > Git Integration to add your personal access token."
}
I am not using my own credentials to use a PAT token, instead I am getting a bearer token by sending request to https://login.microsoftonline.com/directory-id/oauth2/token and use it to authenticate. This works for get repos, delete repos and get repos/repo-id. Just for creating a repo (adding repo by using post method to /repos) it is failing.
If I still use a PAT instead of bearer token, I get the following error:
{
"error_code": "PERMISSION_DENIED",
"message": "Azure Active Directory credentials missing. Ensure you are either logged in with your Azure
Active Directory account or have setup an Azure DevOps personal access token (PAT) in User Settings > Git Integration.
If you are not using a PAT and are using Azure DevOps with the Repos API, you must use an AAD access token. See https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/app-aad-token for steps to acquire an AAD access token."
}
I am using postman to construct the requests. To generate the error I am getting I am using the following:
method: post
url-endpoint: https://adb-databricksid.azuredatabricks.net/api/2.0/repos
body:
url: azure-devops-repo
provider: azureDevOpsServices
path: /Repos/folder-name/testrepo
header:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbG... (Construct it by appending bearer token to key wor "Bearer")
X-Databricks-Azure-SP-Management-Token: management token (get it like bearer token by using resource https://management.core.windows.net/)
X-Databricks-Azure-Workspace-Resource-Id: /subscriptions/azure-subscription-id/resourceGroups/resourcegroup-name/providers/Microsoft.Databricks/workspaces/workspace-name
Here the screen shot of the postman:
Please note that I have used exactly same method of authentication for even creating clusters and jobs and deleting repos. Just for adding and updating repos it is failing. I'd like to know how I can resolve the error PERMISSION_DENIED mentioned above.
To make service principal working with Databricks Repos you need following:
Create an Azure DevOps personal access token (PAT) for it - Azure DevOps Git repositories don't support service principals authentication via AAD tokens (see documentation). (The service connection for SP that you configured is used for connection to other Azure services, not to the DevOps itself).
That PAT needs to be put into Databricks workspace using Git Credentials API - it should be done when configuring first time or when token is expired. When using this API you need to use AAD token of the service principal. (btw, it could be done via Terraform as well)
After it's done, you can use Databricks Repos APIs or databricks-cli to perform operations with Repos - create/update/delete them. (see previous answer on updating the repo)
Have you setup the git credentials using this endpoint before creating the repo through the API ?
https://docs.databricks.com/dev-tools/api/latest/gitcredentials.html#section/Authentication
If you do not setup this first, you can get the error when trying to create a repo.
Listing & deleting a repo only require a valid authentication to Databricks (Bearer token or PAT) and doesn't require valid git credentials.
When trying to create a repo, you need authorizations on the target repository that is on Azure Devops in your case.
So you need to call the git-credentials endpoint (it's the same syntax on AWS and Azure) to create it.
Once your git credentials up-to-date, the creation of the repo should work as intended.
"I want to create a service connection using AzureDevOps with which we get access to only one particular repository. But when I Create service connection it will give access to all repositories present in one account"
I already tried creating a personal access token using Github. But GitHub doesn't allow to create public access token with limited repository access.
How can I generate a personal access token with limited repository access ??
When you create a new GitHub service connection, you can choose Personal Access Token like below.
Then visit https://github.com/settings/tokens to create personal access tokens and you can choose your expected scope.
In this time, I choose the public_repo scope, create the token, copy the token to Azure DevOps and create the new GitHub connection.
As you can see, there are five repositories in my GitHub, one is private and four are public.
Then in the build pipeline source, I just get the four public repositories and don’t get the private repository.
When I try to authorize Azure Devops to get access to my GitHub repositories it wants full access to everything, including:
This application will be able to read and write all public and private repository data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites
But that is to broad access to my taste, how can I just give it access to specific repositories without giving it access to everything?
Create a specific user that has the exact permissions you would grant, create an Access Token for that user to strip some of the requested permissions, don't use the OAuth flow.
My Github account has two factor authorization (2fa) enabled. I want to integrate Jenkins with a few of my private repositories, but I cannot authorize them because I have 2fa enabled. Note this is a multibranch pipeline project.
Any ideas how to configure Jenkins to connect with private repos without creating a dummy account that does not have 2fa enabled?
Whoever would have thought to click the help button?
Credentials used to scan branches and pull requests, check out sources and mark commit statuses.
If none is given, only the public repositories will be scanned, and commit status will not be set on GitHub.
If your organization contains private repositories, then you need to specify a credential from an user who have access to those repositories.
This is done by creating a "username with password" credential where the password is GitHub personal access tokens. The necessary scope is "repo"
ie use a Github personal access token as your password when using username/password for your Jenkins credential.