Required permissions for integration between Azure Pipelines and GitHub

What privileges does the Azure Pipelines Bot require from a GitHub user asking for a pipeline re-run? Currently, it reacts to the user's /azp run comment with the following error message:
Commenter does not have sufficient privileges for PR 9999 in repo org/repo
The whole integration works flawlessly for other users of the same repository.

According to your description, this problem seems to be that the user does not have sufficient repository permissions.
Please refer to the following steps to check:
Responses to these commands will appear in the pull request discussion only if your pipeline uses the Azure Pipelines GitHub App. Make sure your pipeline uses the Azure Pipelines GitHub App.
Repository collaborators can comment on a pull request to manually run a pipeline. Please check whether the user is a collaborator. If not, please invite the user as a collaborator to the repository.
Make sure that your membership is public in the repository's organization, or directly add the user as a repository collaborator. Azure Pipelines cannot see private organization members unless they are direct collaborators or belong to a team that is a direct collaborator.
How to invite collaborators to a repository:
On GitHub, navigate to the main page of the repository.
Under your repository name, click Settings.
In the left sidebar, click Manage access, then click the Invite a collaborator button.
Under "Invite a collaborator to {your repository}", start typing the collaborator's username. Select the collaborator's username from the drop-down menu.
Click Add collaborator.
Note: Only one /azp command per comment.
Reference document:
https://learn.microsoft.com/en-us/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml#comment-triggers

Related

My azure pipeline is not triggering when my team members are pushing changes in GitHub repo

I created a classic CI Azure pipeline for a .NET application in a GitHub repo, enabled continuous integration in triggers, and added 2 branches in branch filters. But when my team members make changes and commit them, my pipeline is not triggered and no build is created. I can't understand what the problem might be, as I'm new to Azure Pipelines.
Here is some troubleshooting advice; you can refer to this document for more detailed information:
Are you using the GitHub app connection to connect the pipeline to GitHub? If you are using a GitHub app connection, follow these steps:
Is the mapping set up properly between GitHub and Azure DevOps? Open a
pull request in your GitHub repository, and make the comment /azp
where. This reports back the Azure DevOps organization that the
repository is mapped to.
If no organizations are set up to build this repository using the app,
go to
https://github.com/<org_name>/<repo_name>/settings/installations and
complete the configuration of the app.
If a different Azure DevOps organization is reported, then someone has
already established a pipeline for this repo in a different
organization. We currently have the limitation that we can only map a
GitHub repo to a single DevOps org. Only the pipelines in the first
Azure DevOps org can be automatically triggered. To change the
mapping, uninstall the app from the GitHub organization, and
re-install it. As you re-install it, make sure to select the correct
organization when you are redirected to Azure DevOps.
Are you using OAuth or PAT to connect the pipeline to GitHub? If you are using a GitHub connection, follow these steps:
OAuth and PAT connections rely on webhooks to communicate updates to
Azure Pipelines. In GitHub, navigate to the settings for your
repository, then to Webhooks. Verify that the webhooks exist. Usually
you should see three webhooks - push, pull_request, and issue_comment.
If you don't, then you must re-create the service connection and
update the pipeline to use the new service connection.
Select each of the webhooks in GitHub and verify that the payload that
corresponds to the user's commit exists and was sent successfully to
Azure DevOps. You may see an error here if the event could not be
communicated to Azure DevOps.
Is your pipeline paused or disabled? Open the editor for the pipeline, and then select Settings to check. If your pipeline is
paused or disabled, then triggers do not work.
Have you used variables in defining the trigger or the paths? That is not supported.
Have you excluded the branches or paths to which you pushed your changes? Test by pushing a change to an included path in an included
branch. Note that paths in triggers are case-sensitive. Make sure that
you use the same case as those of real folders when specifying the
paths in triggers.
Updates:
You don't need to change webhooks in GitHub; what you need to do is go to GitHub Settings -> Webhooks and check whether there are "Recent Deliveries". If there are errors in recent deliveries, the cause of the question is indicated.
If Azure DevOps and GitHub are properly connected, GitHub will automatically generate Webhooks. As shown below:
The content of "Payload URL" is:
https://dev.azure.com/{organization}/_apis/public/hooks/externalEvents?publisherId=github&channelId={channelId}&api-version=6.1-preview
Please note that a GitHub repository can only connect to one Azure DevOps organization. If you have connected to more than one organization, keep only the one you are currently using.
In DevOps click Pipelines on the left-hand side navigation
Select your pipeline.
Click Edit
Then in the new window pane (top left), you'll see a tab for triggers.
This is where you can configure the continuous integration settings to trigger builds on push / pull requests etc.
Here's an example
Continuous integration is enabled for the development branch, thus any push to that branch will trigger a build.
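The webhook checks from the troubleshooting answer above (three expected webhooks, deliveries that reach Azure DevOps, one mapped organization), as an added Python example that is not part of the original answers. It assumes the hook list was fetched from GitHub's "list repository webhooks" REST endpoint; the sample hooks, the organization name contoso and the function names are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Events the answer says an OAuth/PAT connection normally registers.
EXPECTED_EVENTS = {"push", "pull_request", "issue_comment"}
HOOK_PATH = "/_apis/public/hooks/externalEvents"

def payload_url(org, channel):  # constructed URL in the format quoted in the answer
    return (f"https://dev.azure.com/{org}{HOOK_PATH}"
            f"?publisherId=github&channelId={channel}&api-version=6.1-preview")

def azure_org(hook):
    """Return the Azure DevOps organization a hook posts to, or None."""
    url = urlparse(hook.get("config", {}).get("url", ""))
    ok = (url.scheme == "https" and url.hostname == "dev.azure.com"
          and url.path.endswith(HOOK_PATH)
          and parse_qs(url.query).get("publisherId") == ["github"])
    return (url.path[:-len(HOOK_PATH)].strip("/") or None) if ok else None

def audit_hooks(hooks):
    """Return (missing_events, organizations, problems) for a webhook list."""
    covered, orgs, problems = set(), set(), []
    for hook in hooks:
        org = azure_org(hook)
        if org is None:
            continue  # unrelated webhook, e.g. another CI system
        orgs.add(org)
        if not hook.get("active", False):
            problems.append(f"hook {hook['id']} is inactive")
            continue
        covered.update(hook.get("events", []))
        code = (hook.get("last_response") or {}).get("code")
        if code is not None and not 200 <= code < 300:
            problems.append(f"hook {hook['id']} last delivery returned HTTP {code}")
    if len(orgs) > 1:
        problems.append("hooks point at more than one Azure DevOps organization")
    return sorted(EXPECTED_EVENTS - covered), sorted(orgs), problems

# Constructed sample shaped like GitHub's webhook list (fields trimmed).
SAMPLE_HOOKS = [
    {"id": 1, "active": True, "events": ["push"],
     "config": {"url": payload_url("contoso", "c1")}, "last_response": {"code": 200}},
    {"id": 2, "active": True, "events": ["pull_request"],
     "config": {"url": payload_url("contoso", "c2")}, "last_response": {"code": 401}},
    {"id": 3, "active": True, "events": ["push"],
     "config": {"url": "https://ci.example.test/hook"}, "last_response": {"code": 200}},
]

if __name__ == "__main__":
    print(audit_hooks(SAMPLE_HOOKS))
```

A missing event or a non-2xx last delivery corresponds to the case where the answer says to re-create the service connection; this check does not apply to GitHub App connections, which the answer troubleshoots with /azp where instead.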

Github account change for AppVeyor's authorization to act

Recently I removed the write permission of a former collaborator who left our GitHub project.
Then I noticed that in the commits page there was no more report for the continuous integration tests with AppVeyor (by clicking on the red cross or the green check).
I gave the write permission to this former collaborator again and the report for AppVeyor became visible again.
So I looked more carefully at the features related to AppVeyor and this former collaborator. I saw that:
in https://ci.appveyor.com/team at Account > Team > GitHub teams, I have not yet granted access to any GitHub teams and by clicking on CONFIGURE TEAMS I see that AppVeyor is authorized to act on behalf of this_former_collaborator GitHub account with admin:repo_hook, read:org, repo:status scope.
in https://github.com, for our organization, by editing, in Settings > Third-party access, the AppVeyor CI application, I see "approval requested by this_former_collaborator".
What can I do to remove the write rights to our GitHub project from this former contributor while keeping the results of the ongoing AppVeyor CI tests on the project commits page (and not lose the history of the tests)?
Thanks to the fast and efficient help of AppVeyor's support team I was able to fix this problem by authorising AppVeyor as a GitHub App. Everything works fine now ...

Does a user need to be invited to AppVeyor when using GitHub integration?

I read the documentation about the GitHub integration in AppVeyor and one thing is still not clear to me:
When I want to use GitHub teams, do I still need to invite people to be collaborators in AppVeyor?
If so, how does it work with permissions? If both GitHub teams and users/collaborators are assigned to roles, what takes precedence? E.g. a user is directly assigned to an "Administrators" role and is also a member of a GitHub team with a lower set of permissions. Are the two sets of permissions combined somehow?
In other words, is it possible to manage access to AppVeyor only through GitHub teams? (Without having to invite users to AppVeyor.) If not, what's the point of GitHub teams integration...?
I configured several GitHub teams from our organization (Kentico) with certain roles in AppVeyor. However, the users belonging to the GitHub teams didn't see the Kentico account in AppVeyor when they signed in with their GitHub account.
You do not have to invite GitHub team members (though you can). They should see your account in the top-left drop-down when logged in with the GitHub button.
If you still invite them, the GitHub team role takes over the role you assigned in the invitation.
Yes, you should be able to just use GitHub teams. When a GitHub team member logs in to AppVeyor with the GitHub button, a hidden Collaborator is automatically created.
Let us troubleshoot your specific users over the support ticket you created on our forum.
I tried to:
Revoke access and authorize again at https://ci.appveyor.com/account/kentico/authorizations - DIDN'T WORK
Remove and recreate the GitHub team at https://ci.appveyor.com/account/kentico/github-teams - DIDN'T WORK
Verify that both AppVeyor and AppVeyor CI are authorized OAuth apps at https://github.com/settings/applications - DIDN'T WORK
Reinstalled AppVeyor from GitHub marketplace: https://github.com/marketplace/appveyor - WORKED

I want to deny Travis CI access to an organization

I want to use Travis CI for personal projects. I would like to know if it is possible to prevent Travis CI from having access to an organization as a member and not an administrator.
If you have a GitHub account for yourself, it is a personal account. That account can be a member or owner of any number of GitHub organizations.
If you are just trying to add Travis CI so that it has access to your personal repositories but not to the organizations you administer, you can do so easily.
When you sign in to the Travis CI website with your personal GitHub account for the first time, it asks you to "authorize Travis CI":
This page has an "organizations and teams" section that defaults to read-only (it can see what repositories etc. your orgs have but cannot take any actions on them).
This page also has an "Organization Access" section at the bottom with a list of each GitHub organization you are a member of. As long as you do not click "request" or "grant" on any of those, your orgs will not yield any control to Travis CI.

I cannot link toolchain to different github organization

I have a github account: https://github.com/remkohdev
and am a member of several github organizations
I have added all organizations to the Bluemix DevOps Third Party applications authorizations.
But I cannot change the default github organization to a different organization when I enable the Toolchain on Bluemix, so that I can create/edit the source code to the repo in a different than default Github organization?
Error:
The integration could not be set up. Check the settings and try again.
Reason: Unable to update the git integration. An error occurred while cloning the git repository. Error details: Unable to read the repository on: https://github.com/eventquarry/server.git. User is not authorized, or repository does not exist.
When you authorized with GitHub you probably did not explicitly grant access to the eventquarry organization.
To fix this, first you need to revoke your token by logging into Github.com, then click settings > Authorized applications > Revoke "IBM Bluemix Toolchains". Now go back to Bluemix, and when you click on the GitHub tool you will see an “Authorize” button. Upon clicking, you will be taken to GitHub, and here you need to click "Grant Access" next to eventquarry (and all orgs you would like to grant access to) before clicking "Authorize application".
Now you should be able to fork/clone/link with the private repositories in the eventquarry organization.
The devops git folks responded with this:
Right now, we don't support the ability to create new organization repositories through the toolchain UI. Any new repos are created under the personal account of the user. It is possible to link to existing organization repos by typing in the repo URL in the field. (Org repos won't show up in the dropdown, but the URL can be entered manually.) Note that the user needs admin privileges on the repo they're linking to in order to have a fully functioning integration though. It's possible to link to a repo without admin privileges, but we can't create a webhook on the repo, so there's no way for us to be notified of commit events. Pipelines will only run manually if the user doesn't have admin privileges on the repo.
Let me know if this is helpful...