Azure Pipelines + Repos Rest API:使用 System.AccessToken 创建 Pull Request 的权限 via API

huangapple go评论78阅读模式
英文:

Azure Pipelines + Repos Rest API: Permissions for creating a Pull Request via API using System.AccessToken

问题

我正试图从Azure管道创建一个Pull Request,使用Repos REST API。

不是使用个人令牌,而是使用System.AccessToken预定义变量进行身份验证的管道。构建服务角色在存储库上具有所有权限。

然而,我一直收到403的返回。
对API抛出的其他请求有效 - 因此令牌编码似乎不是问题。(#PrintStatementsAreAValidDebugger! ;))

当我在项目中使用自己的PAT - 在那里我只是一个贡献者,我可以轻松创建PR。所以可能不是请求本身的问题。

与我的团队成员一起,我们尝试了各种方法。构建服务代理在存储库上具有完全权限。假设是,当使用预定义的管道变量System.AccessToken进行身份验证时,它会自动使用构建服务代理的身份。

当使用我的令牌时,可以轻松创建PR。

有任何想法我们可能漏掉了什么吗?

英文:

I am trying to create a Pull Request from an Azure Pipeline, using the Repos REST API.

Instead of using a personal token, the pipeline is supposed to authenticate using the System.AccessToken Pre-defined variable. The Build Service role has all permissions on the repository.

Yet, I keep getting 403 returned.
Other requests thrown at the API work - so the token encoding appears to not be the issue. (#PrintStatementsAreAValidDebugger! Azure Pipelines + Repos Rest API:使用 System.AccessToken 创建 Pull Request 的权限 via API )

Azure Pipelines + Repos Rest API:使用 System.AccessToken 创建 Pull Request 的权限 via API

When I use my own PAT for the project - where I'm merely a contributor, I can create the PR no problem. So it is probably not the request itself.

With my team members, we have tried various things. The Build Service Agent has full permissions on the repository. The assumption is that when using the predefined pipeline variable System.AccessToken to authenticate, it's automatically using the Build Service Agent's identity.

When using my own token, the PR is created no problem.

Azure Pipelines + Repos Rest API:使用 System.AccessToken 创建 Pull Request 的权限 via API

Any idea what we might be missing?

edit: added the code.

# calling pipeline task

  - task: PowerShell@2
    displayName: create_pull_request
    inputs:
      #targetType: 'inline'
      filePath: 99_cicd/scripts/create_pr/create_pull_request.ps1
      arguments: '
        -source_branch "[SOURCE]" 
        -target_branch "[TARGET]" 
        -pr_title "TEST Merge " 
        -pr_description "Platzhalter"
        '
      workingDirectory: '$(Agent.BuildDirectory)/s/'
    env:
      repository_name: $(Build.Repository.Name)
      org_url: $(System.CollectionUri)
      project_name: $(System.TeamProject)
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)

Called script

# called script
param(
    [string] $source_branch,
    [string] $target_branch,
    [string] $pr_title,
    [string] $pr_description
)

$org_url = $env:org_url
$project_name = $env:project_name
$repository_name = $env:repository_name

# encode Access Tokens for REST API Use
$bytes_PAT = [System.Text.Encoding]::ASCII.GetBytes(":$env:SYSTEM_ACCESSTOKEN")
$encoded_PAT = [System.Convert]::ToBase64String($bytes_PAT)

$encoded_source_branch = [System.Uri]::EscapeDataString($source_branch)
$encoded_target_branch = [System.Uri]::EscapeDataString($target_branch)

$base_url = "$org_url/$project_name/_apis/git/repositories/$repository_name"

# Create the JSON Body for the Pull Request
$jsonBody = @{
    "sourceRefName" = "refs/heads/$source_branch";
    "targetRefName" = "refs/heads/$target_branch";
    "title" = $pr_title;
    "description" = $pr_description;
    "isDraft" = $true
} | ConvertTo-Json

# Define the API URL to create the Pull Request
$api_url = "$base_url/pullrequests?api-version=7.0"

try{
    # Make the REST API call to create the Pull Request
    write-Host "Creating PR"
    $response = $response = Invoke-RestMethod -Uri $api_url -ErrorAction Stop -Body $jsonBody -Method Post -Headers @{
        "Authorization" = "Basic $encoded_PAT";
        "Content-Type" = "application/json"
    }
} catch {
    # Dig into the exception to get the Response details.
    # Note that value__ is not a typo.
    Write-Host "StatusCode:" $_.Exception.Response.StatusCode.value__ 
    Write-Host "StatusDescription:" $_.Exception.Response.StatusDescription
    Write-Host "There was an Error with the API Call..."

}

答案1

得分: 2

你需要授予以下权限:

  1. 项目集构建服务帐户
  2. 项目构建服务(用户名)
  3. 项目集构建服务(用户名)

此外,你可以使用创建拉取请求扩展来为你创建拉取请求。

英文:

You need to grant the Contribute and Contribute to Pull Requests permissions to:

  1. Project Collection Build Service Accounts
  2. Project Build Service (username)
  3. Project Collection Build Service (username)

Azure Pipelines + Repos Rest API:使用 System.AccessToken 创建 Pull Request 的权限 via API

In addition, you can use the Create Pull Request extension that create the PR for you.

huangapple
  • 本文由 发表于 2023年6月13日 16:01:50
  • 转载请务必保留本文链接:https://go.coder-hub.com/76462837.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定