Authentication to access other parts of Azure DevOps within a custom task

Question

I want to create a Azure DevOps custom task that accesses other parts of Azure DevOps. Specifically, I want to create a custom task that adds a comment to a PR.

Unfortunately, I can't figure out how to authenticate properly. I found this code and added it to my task:

let token: string = tl.getEndpointAuthorizationParameter("SYSTEMVSSCONNECTION", "AccessToken", false);
let collectionUrl: string = tl.getEndpointUrl("SYSTEMVSSCONNECTION", false).replace(".vsrm.visualstudio.com", ".visualstudio.com");
let authHandler = token.length === 52 ? vsts.getPersonalAccessTokenHandler(token) : vsts.getBearerHandler(token);
let connection = new vsts.WebApi(collectionUrl, authHandler);

but I get the error:

TF401027: You need the Git 'PullRequestContribute' permission to perform this action. Details: identity 'Build\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX', scope 'repository'.

I verified that the build service should have the correct permissions:

I've also tried checking the box "Allow scripts to access the OAuth token" in the Job settings, but that had no effect.

What am I missing?

Answer 1

I think you should use the "System.AccessToken" variable to get the token:

tl.getVariable('System.AccessToken'); 

Predefined build variables - System.AccessToken

I use that in my build task: https://github.com/ashamrai/AzureDevOpsExtensions/blob/master/CustomBuildTask/NewWICustomTask/index.ts

Answer 2

You need to give permissions to the build users:

In Microsoft hosted agent is "Build Service (user-name)" and "Project Collection Build Service (Project)" (Sometimes the last only show up if you type the UUID (8837...) on "Search for user or groups".)

Can be found in project settings > repositories > permissions