11

I'm writing an Azure YAML pipeline which has to do a 'git push' to a repo, so I've written my git commands inside a CmdLine@2 task. Something like this:

```bash
# Identity has to be configured before 'git commit', otherwise git refuses to commit
git config user.email "$(GitUserName)@foo.com"
git config user.name "$(GitUserName)"

git checkout -b feature/foo-branch-$(Build.BuildId)

git add myGeneratedFile

git commit -m "My commit message"

# Push the same branch that was created above
git push --set-upstream origin feature/foo-branch-$(Build.BuildId)
```

Obviously this code doesn't work, as git credentials aren't set anywhere. How can I specify them for these commands?

My idea is reading them from a parameter just like $(GitUserName) or from a git secret.

Is there any parameter that I can hide to avoid showing the value in the log and when the user types it?

arturn
  • I think you could add your variables in `release` section of the `pipelines` in Azure devops. So you create your YAML file in `pipeline` section and use that in `release` to define steps – Amir Maleki Mar 04 '21 at 08:14
  • Hi @arturn. Is there any update about this ticket? Feel free to let me know if the answer could give you some help. Just a reminder of [this](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work). – Kevin Lu-MSFT Mar 08 '21 at 07:36
  • I'm still working on it :) – arturn Mar 08 '21 at 11:09
  • @arturn. Feel free to let me know the result. Thank you – Kevin Lu-MSFT Mar 09 '21 at 01:19
  • Hi @arturn. Is there any update about this issue? Feel free to let me know if the answer could solve this issue – Kevin Lu-MSFT Mar 12 '21 at 07:53
  • According to [this article](https://stackoverflow.com/questions/56541458/azure-pipeline-doest-allow-to-git-push-throwing-genericcontribute-permission), and the message I've got in the log, I have to set the "contributor" permission to Project Collection Build service. But I can't see that option, so I'm already investigating the issue... – arturn Mar 15 '21 at 14:24
  • Hi @arturn. Please refer to my update. In a YAML pipeline, you don't need to select the option. You could add `persistCredentials: true` when you check out the current repo. Then it will work. – Kevin Lu-MSFT Mar 16 '21 at 05:25
  • Hi @arturn Feel free to let me know if the update could solve this issue. Thank you. – Kevin Lu-MSFT Mar 18 '21 at 09:53

2 Answers

14

Based on your latest comment, the option **Allow scripts to access the OAuth token** only exists in the classic editor.

In a YAML pipeline, you could use the following:

```yaml
- checkout: self
  persistCredentials: true
```

`persistCredentials` will leave the OAuth token in the Git config after the initial fetch.

Here is the example:

```yaml
steps:
- checkout: self
  persistCredentials: true

- script: |
    git config --global user.email "email"
    git config --global user.name "Kevin Lu"

    git checkout -b master

    git add .

    git commit -m "My commit message"

    git push origin HEAD:master

  displayName: 'Command Line Script'
```

For more detailed info, you could refer to this doc.

Update2:

To solve this permission issue, you need to grant the Contributor permission to the service account: Projectname Build Service(OrganizationName) in Project Settings -> Repositories -> Target Repo -> Permission.

(screenshot)

Update3:

(screenshot)

Kevin Lu-MSFT
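As an added example (not code from the question or from either answer), here is the asker's scenario written as a complete pipeline on top of the `persistCredentials: true` approach from this answer. The file name `myGeneratedFile` and the `feature/foo-branch-$(Build.BuildId)` branch come from the question; the `build-bot` identity, the `main` trigger branch and the agent image are constructed placeholders. It assumes the repository is an Azure Repos Git repo and that `<Project> Build Service (<Org>)` has already been granted Contribute on it, as Update2 describes.

```yaml
# Added example: push a generated file from an Azure YAML pipeline.
# Assumes an Azure Repos Git repository whose build service identity
# has Contribute permission (Project Settings -> Repositories -> <repo> -> Security).
trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
  gitUserName: build-bot      # constructed placeholder committer identity

steps:
- checkout: self
  persistCredentials: true    # keep the job's OAuth token in .git/config for later git calls

- script: |
    # Stand-in for the real build step that produces the file (constructed)
    date -u > myGeneratedFile
  displayName: Generate file

- script: |
    set -euo pipefail
    # Identity must be configured before 'git commit'
    git config user.email "$(gitUserName)@foo.com"
    git config user.name "$(gitUserName)"

    branch="feature/foo-branch-$(Build.BuildId)"
    git checkout -b "$branch"
    git add myGeneratedFile

    # Only commit when something is staged; '[skip ci]' keeps the push from re-triggering this pipeline
    if git diff --cached --quiet; then
      echo "Nothing to commit"
      exit 0
    fi
    git commit -m "Add generated file from build $(Build.BuildId) [skip ci]"

    # No credential is written here: the token persisted by the checkout step is reused.
    git push --set-upstream origin "$branch"
  displayName: Push generated file
```

The token that `persistCredentials` leaves behind belongs to the build service identity, so the push fails with `TF401027 ... 'GenericContribute'` (the error quoted in the comments below) until that identity has Contribute on the target repository; no PAT or user secret is involved, which also answers the question about hiding a value from the log. If you would rather not leave the token in `.git/config` for the rest of the job, omit `persistCredentials` and pass the token per command instead, mapping `$(System.AccessToken)` into the step's `env:` and running `git -c http.extraheader="AUTHORIZATION: bearer $SYSTEM_ACCESSTOKEN" push ...`, which is the same token the second answer's `git clone` line uses; Azure Pipelines masks `System.AccessToken` in the log either way.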
  • Is it possible to do the same thing without having to modify the origin? As the pipeline can clone the repo, maybe I can set permissions to push, without needing a PAT... – arturn Mar 15 '21 at 14:31
  • @arturn Of course. Please refer to my update. – Kevin Lu-MSFT Mar 16 '21 at 05:26
  • My pipeline YAML already had the `persistCredentials` and the error was the same. I think the problem is related to the pipeline's permissions; I've checked the permissions dialog, but I can't find anywhere to set the 'Contributor' permission. – arturn Mar 18 '21 at 11:11
  • @arturn. Get it. Please refer to my update2. You need to grant the repo Contributor permission to Projectname Build Service(OrganizationName) instead of Project Collection Build Service. – Kevin Lu-MSFT Mar 19 '21 at 03:11
  • I can't see that option (see https://ibb.co/2F2v0V8) – arturn Mar 19 '21 at 07:21
  • This permission is not for Pipeline. The Contributor permission is for azure repo in **Project Settings -> Repositories -> Target Repo -> Permission**. – Kevin Lu-MSFT Mar 19 '21 at 07:27
  • @arturn Please refer to my update3. Since the git command is used to push changes to Azure Repos, you need to set the permission for the repo. And the service account name is **Projectname Build Service(OrganizationName)** – Kevin Lu-MSFT Mar 19 '21 at 07:39
  • Hi @arturn. Is there any update about this ticket? – Kevin Lu-MSFT Mar 22 '21 at 06:32
  • Thanks, setting the appropriate permissions as you told me in the last comment works. But now, I think the answer is a bit confusing... Only setting 'persistCredentials' and setting the right repo permissions is needed to get it working. – arturn Mar 23 '21 at 14:27
  • Hi @arturn. persistCredentials will leave the OAuth token in the Git config after the initial fetch, so it will inherit the token used by the initial checkout and it will work. If the service account has enough permission to operate the repo, the git command will run successfully in Azure Pipelines. – Kevin Lu-MSFT Mar 24 '21 at 03:19
  • Hi @arturn. If the answer could solve your issue, you may consider accepting it as answer. Thanks – Kevin Lu-MSFT Mar 30 '21 at 06:21
  • Sure, but as we said the answer is a bit confusing as it contains extra steps that aren't really necessary; please edit it, and I'll mark it as accepted. – arturn Mar 30 '21 at 10:56
  • Hi @arturn. I have removed the unnecessary steps. Please check the answer. Thank you – Kevin Lu-MSFT Mar 31 '21 at 01:06
  • Turns out the exact service account used by the pipeline differs from tenant to tenant. A reliable way of knowing which account to give permissions to would be to check the logs: `TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\my-service-account-guid', scope 'repository'` and then to search by that my-service-account-guid . – scale_tone Aug 08 '22 at 15:19
3

Just as an update, in case anyone is encountering the problem I was having. I followed the steps in Kevin Lu's answer, for a release pipeline, but just checking "Allow scripts to access OAuth token" (which is supposedly the UI equivalent of `persistCredentials: true`) was not enough.

After checking the box, and setting the right permissions for Project Collection Build Service, I modified my script in the pipeline step to clone the repo using the token specifically:

```bash
git clone https://$(System.AccessToken)<rest of url to github repo>
```