I am facing the below issue in the Git based Wiki Updater task - azure-devops

I created an authentication token, and all permissions are defined for the user that runs the pipeline.

If you checked Run with Build Agent Credentials as Authentication in the task, and the build account {ProjectName} build service ({OrganizationName}) was granted Read and Contribute permission in the Wiki Security page, but you still encounter the above error, it's probably because you have IIS Basic Authentication turned on on the Azure DevOps Server machine. When IIS Basic Authentication is enabled on your Windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism. See here.
We recommend you keep IIS Basic Authentication turned off at all times when using Azure DevOps Server. Only if necessary should you enable IIS Basic Authentication. When IIS Basic Authentication is enabled on your Windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism.
As a workaround for this, you can add an extra header which includes a base 64 encoding of "user:PAT" to the Git requests when IIS Basic Authentication is enabled:
So you can run pure git commands in a PowerShell task to update your wiki repo, instead of using the git based wiki updater task. See the example script below in the PowerShell task (YAML format):
steps:
- powershell: |
    git config --global user.email "your@email.com"
    git config --global user.name "name"
    # $(system.accesstoken) is replaced by the pipeline before the script runs
    $MyPat = "$(system.accesstoken)"
    # Basic credentials with an empty user name: base64(":<token>")
    $B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
    # clone the wiki repo
    git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://server/collection/_git/Document.wiki -q
    cd Document.wiki
    # add a new file
    echo "some-text" > addnew.md
    git add .
    git commit -m message
    # push to wiki repo
    git -c http.extraHeader="Authorization: Basic $B64Pat" push https://server/collection/_git/Document.wiki -q
  displayName: 'update wiki'
Check here for more information.
In order to use the Build Agent OAuth token $(system.accesstoken) in the above script, you need to click Agent job 1 and check the option Allow scripts to access the OAuth token.
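The header workaround above puts the encoded token on git's command line, where other processes on the agent can read it. As an added example (not from the original answer), this shell version builds the same header and hands it to git through the GIT_CONFIG_COUNT environment variables instead; it assumes Git 2.31 or later and a bash/sh step, and the function names, WIKI_PAT and the URL are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Function names are hypothetical.

# basic_header PAT -> prints the value for http.extraHeader:
# "Authorization: Basic base64(:PAT)" (empty user name, colon, token).
basic_header() {
  local pat="$1"
  [ -n "$pat" ] || { echo "empty token" >&2; return 1; }
  # tr removes the line wrapping that base64 adds for long tokens.
  printf 'Authorization: Basic %s' "$(printf ':%s' "$pat" | base64 | tr -d '\n')"
}

# git_with_token PAT git-args... -> runs git with the header set for this
# one invocation only. The header travels in the environment (Git 2.31+),
# so it does not appear in the process argument list and is not written
# to any git config file.
git_with_token() {
  local header
  header="$(basic_header "$1")" || return 1
  shift
  GIT_CONFIG_COUNT=1 \
  GIT_CONFIG_KEY_0=http.extraHeader \
  GIT_CONFIG_VALUE_0="$header" \
    git "$@"
}

# Usage (WIKI_PAT and the URL are placeholders):
#   git_with_token "$WIKI_PAT" clone -q https://server/collection/_git/Document.wiki
```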

Related

Git repository permissions issue in Azure DevOps Pipeline

In an Azure Pipelines Task, I am attempting to create and push a new branch. I am able to clone the repo using the $(System.AccessToken) variable, but when I try to push the new branch I get the following error:
remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\(GUID)', scope 'repository'.
If I check my repository security, I see that both the Build Service user and Project Collection Build Service Accounts group have the Contribute, Create Branch, Contribute to pull request, and Create Tag permissions set to "Allow", which from all the research I've done is all I should need to do.
How can I troubleshoot this issue? I assume that either I am missing something silly, or there's a permissions inheritance issue. However, if I'm setting security on the repository itself my assumption is that should override any inherited permissions.
Pipeline:
steps:
- powershell: |
    git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" clone "https://repoaddress/_git/common"
    cd common
    git checkout develop
    git checkout -b release/$(build.buildNumber) $(build.buildNumber)
    git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push -u origin HEAD
  displayName: 'Create Branch From Tag'
Permissions:
It should be caused by your build service account not having the contribute permission for this repository.
Go to Project settings --> Repositories --> click the repo you want to operate on --> set repository permissions accordingly.
Note: Service account is Project Collection Build Service (org name)
Update1
I found the issue: add this service account {project name} Build Service ({Org name}) and configure the account permission, and it will work.
From the error message, Details: identity 'Build\(GUID)', scope 'repository', we could get the service account GUID.
Check this REST API; it could list the service accounts, so we could search for the service account name via the GUID and then configure the permission.
Update2
Since you are using AccessToken, it updates the repo via the service account. As another workaround, we could use a personal access token to do the same thing, and it does not need the service account permission to be configured.
Update2
A sample PowerShell script to clone the repo via a PAT:
$MyPat = 'yourPAT'
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$MyPat"))
git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
And we will receive two notifications during the lifetime of a PAT - one upon creation and the other seven days before the expiration. You could refer to this doc for more details.
Seven days before your PAT expires, you receive a notification similar to the following example.
Then we could change the Expiration time.

Does deprecation of basic password authentication affect GitHub deploy keys?

I received an email from GitHub stating:
You recently used a password to access the repository at username/repo with git using git/2.24.3 (Apple Git-128).
Basic authentication using a password to Git is deprecated and will soon no longer work. Visit https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information around suggested workarounds and removal dates.
So I'll need to use another method for standard command line for git commits pushed to GitHub, which shouldn't be a problem.
But I wonder does this affect deploy keys? For example, in automated processes that have been running for some months or years - should we prepare for changes?
I have checked the blog post, and note that there's still plenty of time (deprecation happens 13 August 2021), but it will be important to understand any effect on deploy keys in order to prepare.
No, deploy keys are unaffected. The only thing that's affected is using a password to authenticate to Git or Git LFS over HTTPS. If you use a personal access token or OAuth token over HTTPS or you use SSH at all (whether with a personal or deploy key), those are unaffected.
The reason for this change is because knowing an account's password allows you to log into that account, change the password, and configure virtually every setting. On the other hand, a token does not allow you to log in via the web interface and is typically restricted to a limited set of scopes, and it is pseudorandomly generated. Similarly, SSH keys are also restricted in their access and are not easily guessable.
As a result, the consequences of accidentally exposing your authentication credentials are lower and the set of credentials you replace it with is unlikely to be guessable from the old exposure.
You can change from https:// remote URLs to git@ URLs (e.g. ssh)
git remote -v # check that your remote (e.g. origin) is using https://
git remote rm origin
git remote add origin git@github.com:ORGANIZATION_OR_USER/REPO_NAME.git
git fetch --all
git branch -u origin/master master
And then you can test it:
git pull
git commit --allow-empty -m "nothing"
git push

Travis Client - Login with BitBucket account

I'm trying to encrypt a service account file for Google Cloud and transfer over BitBucket to eventually deploy to GCP Kubernetes. I'm using the travis command line to do this, but whenever I try to log in via the command line it assumes I have a GitHub account associated with Travis CI not BitBucket.
travis encrypt-file service.json -r USERNAME/REPO
When I run this, Travis assumes I am trying to auth a GitHub account and asks me to log in. It tries to validate my username and password against GitHub, not BitBucket.
We need your GitHub login to identify you.
Is there an alternative command line command that lets me force a BitBucket login? Or a workaround for allowing me to encrypt the file and include in my .travis.yml build file?
You can use -t TRAVIS_TOKEN instead of authentication via login command (login command assumes that you want to login via GitHub)
Your encrypt command will look like this:
travis encrypt-file --pro --repo USER/REPO -t TRAVIS_TOKEN file --add
Steps to get user token:
Login into Travis (via BitBucket)
Click your user icon (top right corner) and select Settings
This will show you your Repositories with option to show Settings or Plan.
Select Settings
Click Copy token from API authentication
Or just click this link Travis CI preferences and Copy Token.

travis-ci setup releases with --github-token

I am having problems using setup releases with a github token. I like travis-ci but I am not willing to hand out my github password - I need to use the token and I read the documentation as this should be possible this way. Unfortunately it still asks for password:
$ travis login --github-token XXXXXXXXX
Successfully logged in as ligi!
$ travis whoami
You are ligi (ligi)
$ travis setup releases
Detected repository as ligi/gobandroid, is this correct? |yes|
Username:
Here's a route which doesn't involve typing your GitHub password into the terminal. I assume you have the travis CI installed. This assumes you're using travis-ci.org, but replacing --org with --com should work otherwise.
If github.com/your/repo was your repo:
Generate a Github personal access token with the following scope: read:org, public_repo, repo:status, repo_deployment, user:email, write:repo_hook
(Optional?) Login using travis login <github token> --org
Run echo <github token> | travis encrypt --org -r your/repo
Use that secret in your .travis.yml file as described in the documentation
You may need to provide full repo scope, but for the free tier of Travis, public_repo is enough. I'm also not sure which of the other scopes are mandatory.
echo is useful on Windows because Ctrl-D doesn't work properly in Powershell.
The Travis CI CLI will not send the GitHub password to Travis CI, instead it will send it to GitHub and use it to generate a GitHub token (the same is true for travis login).
However, if you still feel uncomfortable, you can configure the deployment manually.
Add the following to your .travis.yml:
deploy:
  provider: releases
  api_key: "GITHUB OAUTH TOKEN"
  file: "FILE TO UPLOAD"
  skip_cleanup: true
  on:
    tags: true
    all_branches: true
You can encrypt the GitHub OAuth token via travis encrypt .... It is not necessary to be logged in via the CLI for this, and the encryption happens locally.
See http://docs.travis-ci.com/user/deployment/releases/ for the full documentation
I think you can use -t/--token option, e.g.
travis login --org --github-token G1tHu8T0K3N
travis setup releases --org -t G1tHu8T0K3N

How to create a Gitlab webhook to update a mirror repo on Github?

I would like to create a webhook within Gitlab to automatically update a mirror repository on Github, whenever a push event happens. I've checked this page, but I didn't understand how it is done.
My Gitlab version is 6.5. Here is the configuration page:
What should I put in URL? Where do I need to place the script to update the repository?
You don't need a webhook for that. A regular post-receive hook will work very well.
To create and use such a hook you just have to login on the server where your gitlab is installed and create an ssh key for git user.
sudo -u git ssh-keygen -f /home/git/.ssh/reponame_key
(do not type any passphrase when prompted)
Go to your github account and add the public key (it's been created as /home/git/.ssh/reponame_key.pub) to your project as a deploy key.
Have a look at https://help.github.com/articles/managing-deploy-keys if you need help with that.
Once that is done, you just have to configure the connection between your git server and github's:
add an alias to git user's ssh configuration (add following lines to /home/git/.ssh/config - create it if it's not present)
Host reponame
    IdentityFile /home/git/.ssh/reponame_key
    HostName github.com
    User git
Now add the new remote (using the alias you just created) to your repository:
cd /home/git/repositories/namespace/reponame.git
git remote add --mirror github reponame:youruser/reponame.git
Now that everything is in place you'll have to create the actual hook:
cd /home/git/repositories/namespace/reponame.git/hooks
echo "exec git push --quiet github &" >> post-receive
chmod 755 post-receive
The last command is very important because git will check if a hook is executable before running it.
That's it!
(Replace reponame, namespace and youruser according to your real accounts and enjoy).
Last note: if you want your name and avatar near commits on github, make sure that the email address you are using on gitlab is one of the addresses linked to your github account as well. You'll see your gitlab username otherwise.
If you aren't hosting your own GitLab, GitLab.com has introduced this feature directly, without any workarounds.
From within a project use the gear icon to select Mirror Repository
Scroll down to Push to a remote repository
Checkmark Remote mirror repository: Automatically update the remote mirror's branches, tags, and commits from this repository every hour.
Enter the repository you want to update; for GitHub you can include your username and password in the URL, like so: https://yourgithubusername:yourgithubpassword@github.com/agaric/guts_discuss_resource.git —as noted in the comments, it is much better security-wise to use your GitHub access token here instead of login credentials; will update the answer when I've tested.
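A remote URL with a user name and password in it, like the one above, and a saved http.extraHeader both leave a secret in plain text in the repository's git config. The following added example (not part of the original answers; the sample config, its values and the function names are constructed) lists such entries and masks them, using POSIX shell with awk and sed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answers. All values are constructed.

# Constructed sample of a repository's .git/config.
sample_config() {
cat <<'EOF'
[remote "origin"]
    url = git@github.com:example-org/example-repo.git
[remote "mirror"]
    url = https://exampleuser:example-password@github.com/example-org/example-repo.git
[remote "token"]
    url = https://example-token@github.com/example-org/example-repo.git
[http]
    extraHeader = Authorization: Basic OmV4YW1wbGU=
EOF
}

# audit_git_config: reads git config text on stdin and prints one finding
# ("<line number>: <kind>") for each line that stores a secret in plain text.
audit_git_config() {
  awk '
    # userinfo (user:password or a bare token) in front of an http(s) host
    $0 ~ "https?://[^/@ \t]+@" { print NR ": credentials in URL" }
    # an Authorization header persisted as http.extraHeader
    tolower($0) ~ "extraheader[ \t]*=[ \t]*authorization:" {
      print NR ": stored Authorization header"
    }
  '
}

# redact_git_config: same input, secrets masked, so the text can be pasted
# into a ticket or a build log. SSH remotes (git@host:path) are left alone.
redact_git_config() {
  sed -E \
    -e 's#(https?://)[^/@[:space:]]+@#\1***@#g' \
    -e 's#([Ee]xtra[Hh]eader[[:space:]]*=[[:space:]]*[Aa]uthorization:).*#\1 ***#'
}
```

On a real checkout, run it as `audit_git_config < .git/config`.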
For WebHooks processing I'm using sinatra web server.
require 'sinatra'
require 'json'

post '/pew' do
  # print the parsed push-event payload sent by GitLab
  puts JSON.parse(request.body.read)
  # here can be placed signal code to run commit processing script
end
Register a webhook for push events (or other events) to http://localhost:4567/pew within GitLab,
and from this moment on, for each commit GitLab will send the commit info to that URL.