Reference package via git in pubspec.yaml does not work in Azure build pipeline

Question

I have two flutter projects. A package and an executable. Each of them is in a different git repository on different projects (within the same organization) on Azure DevOps.

I reference the package from the executable in the pubspec.yaml file like this:

  my_package:
    git:
      url: https://my_organization@dev.azure.com/my_organization/MyProject/_git/MyRepo
      path: path_to_my_package
      ref: v0.0.1

That works fine on my local machine. When I run flutter pub get it fetches my package and I can work with it.

When I push this now to git, my Azure pipeline stops with the following error:

Resolving dependencies...
Git error. Command: `git clone --mirror https://my_organization@dev.azure.com/my_organization/MyProject/_git/MyRepo C:\Users\VssAdministrator\AppData\Local\Pub\Cache\git\cache\my_package`
stdout: 
stderr: Cloning into bare repository 'C:\Users\VssAdministrator\AppData\Local\Pub\Cache\git\cache\my_package'...
fatal: Cannot prompt because user interactivity has been disabled.
fatal: Cannot prompt because user interactivity has been disabled.
fatal: could not read Password for 'https://my_organization@dev.azure.com/my_organization/MyProject/_git/MyRepo': terminal prompts disabled
exit code: 128

I don't want to provide the credentials or PAT directly in the pubspec.yaml file.

I granted read access to the Build Service user of the executable project to the project of the package but that didn't help.

I also switched off the "Limit job authorization scope to current project for non-release pipelines" setting.

Still fails. Any ideas?

Answer 1

I was able to solve it.

1. Create a personal access token (PAT) in Azure DevOps.
2. Add that PAT as a secret variable to your build pipeline (I named it PAT)
3. Add a powershell build step into your pipeline just before the compile step
4. Inject the PAT into the git url in your pubspec.yaml by script:

    - task: PowerShell@2
      displayName: "Modify pubspec.yaml"
      inputs:
        targetType: 'inline'
        script: |
          $file = '$(Build.SourcesDirectory)/my_app/pubspec.yaml'
          (Get-Content $file -Encoding UTF8) -replace 'https://my_organization@dev.azure.com/my_organization', 'https://$(PAT)@dev.azure.com/my_organization' | Set-Content $file 

Now the private access token will be injected into the url of the referenced git repositories in the pubspec.yaml. The output log only shows *** instead of the real PAT, since it is a private variable. So it remains secret.