5

The error message is (TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\8ec5f0f1-6bca-4182-bb3e-2d47a64262bf', scope 'repository'.)

I've taken that GUID and confirmed that the account it represents has all of the necessary permissions on the repo, plus more:

  • Contribute
  • Create branch
  • Read
  • Bypass policies when pushing

The target branch is not locked and there are no policies applied.

The relevant portion of the YAML for my pipeline looks like this:

```yaml
steps:
- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      git config --global user.email "me@example.com"
      git config --global user.name "Build Agent1"
    pwsh: true

- checkout: self
  persistCredentials: true

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    pwsh: true
    script: |
      Write-Host "------------------------------------------------------------"
      # Update the file src\version.ts here
      git add src\version.ts
      git commit -m "Version bump from build pipeline [skip ci]"
      git push origin HEAD:Eval
```

Eval is the name of the branch I'm pushing to (the same branch the pipeline is running against). The version file gets updated but the last line fails. I've tried it without the HEAD:Eval, but then I get an error that I'm in a disconnected Head state and need to add HEAD:branchName.

Update: Here's an image showing permissions for the account referenced by the GUID from the error message: Permissions for Build Account

TimTheEnchanter

2 Answers

3

I was able to make this work by setting the security for the build account ({Project Name} Build Service ({organization})) on the specific branch instead of just on the repo itself. In the Branches page, click the ellipsis to the right of the target branch and select Branch Security and then make sure that the build account has permissions:


TimTheEnchanter
1

Make sure that the build service is the one you expect. I tried to reproduce this and was able to at first. I was following these instructions on granting version control permissions to the build service.

Got the same error as you:

Azure DevOps Pipeline failure showing same error as OP

TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\2e5d905b-bbb1-49b6-bffe-540999a98f35', scope 'repository'

What I did next was confirm that the GUID I got here was the same as the Project Collection Build Service ({organization}) as mentioned in the instructions above. You can do this by grabbing all the users via the Graph API: https://vssps.dev.azure.com/{organization}/_apis/graph/users?api-version=7.1-preview.1

However, I found that the GUID instead belonged to the {Project Name} Build Service ({organization}).

GUID of user indicates it is part of project service

When I changed the permissions to that service, then it succeeded.


Hank
  • 1
    Thanks, but that isn't my situation. The GUID in the error message is for `{Project Name} Build Service ({organization})`. I confirmed that with the REST endpoint you have above. I also just took the GUID and pasted it into the search box for checking permissions on the repo. They both take me to the same account, which has the proper permissions. I added a screenshot to my original question showing the permissions and the GUID in the user search – TimTheEnchanter Mar 20 '23 at 17:49
  • Also, just for fun, I added the `Project Collection Build Service ({organization})` account and gave it the permissions to the repo, but I still get the error with the GUID referencing `{Project Name} Build Service ({organization})`. I *think* that means that I probably have the account correct, but it isn't seeing the permissions – TimTheEnchanter Mar 20 '23 at 18:04
  • I was about to suggest that but you are on top of it! I will try to recreate it further. – Hank Mar 20 '23 at 18:07
  • This wasn't quite what I needed, but it helped, and I can't award the bounty to myself, so @Hank - here you go... thanks for the effort. – TimTheEnchanter Mar 29 '23 at 23:07
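
The identity check discussed in this thread (matching the GUID in the TF401027 message against the Graph users list), as an added example that is not part of the question or either answer. It assumes each Graph user record carries `domain`, `principalName` and `displayName`, and that `domain\principalName` reproduces the identity string in the error; the `exampleorg` and `ExampleProject` names and the sample records are constructed.

```python
import re

# Pulls permission, identity and scope out of a TF401027 message as quoted above.
TF401027 = re.compile(
    r"TF401027:.*?'(?P<permission>\w+)' permission.*?"
    r"identity '(?P<domain>[^\\']+)\\(?P<guid>[0-9a-fA-F-]{36})', scope '(?P<scope>\w+)'"
)

# Error text as quoted in the second answer.
SAMPLE_ERROR = (r"TF401027: You need the Git 'GenericContribute' permission to perform "
                r"this action. Details: identity 'Build\2e5d905b-bbb1-49b6-bffe-540999a98f35', "
                r"scope 'repository'")

# Constructed stand-in for the JSON returned by the Graph users endpoint.
SAMPLE_USERS = {"value": [
    {"displayName": "Project Collection Build Service (exampleorg)", "domain": "Build",
     "principalName": "00000000-0000-0000-0000-000000000001", "descriptor": "svc.constructed-1"},
    {"displayName": "ExampleProject Build Service (exampleorg)", "domain": "Build",
     "principalName": "2E5D905B-BBB1-49B6-BFFE-540999A98F35", "descriptor": "svc.constructed-2"},
]}

def parse_tf401027(message):
    """Return permission, domain, guid and scope from the error, or None."""
    m = TF401027.search(message)
    return m.groupdict() if m else None

def resolve_build_identity(message, graph_users):
    """Find which build service account the error names and classify its scope."""
    err = parse_tf401027(message)
    if err is None:
        return None
    for user in graph_users.get("value", []):
        # Assumption: domain + principalName correspond to 'Build\<guid>'.
        # GUID casing differs between sources, so compare case-insensitively.
        if (user.get("domain", "").lower() == err["domain"].lower()
                and user.get("principalName", "").lower() == err["guid"].lower()):
            name = user.get("displayName", "")
            kind = ("collection" if name.startswith("Project Collection Build Service")
                    else "project")
            return {**err, "displayName": name, "kind": kind,
                    "descriptor": user.get("descriptor")}
    # No match: the permission may have been granted to a different account.
    return {**err, "displayName": None, "kind": "unknown", "descriptor": None}

if __name__ == "__main__":
    hit = resolve_build_identity(SAMPLE_ERROR, SAMPLE_USERS)
    print(f"Grant {hit['permission']} ({hit['scope']}) to: {hit['displayName']} [{hit['kind']}]")
```

The account it prints is the one to check on both the repository's security page and the target branch's Branch Security page.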