How do I set the build authorization scope for my project?

囚心锁ツ 2021-01-20 14:50

Right now my NuGet restore fails since the project build user doesn't have contributor access to the package feed.

/usr/share/dotnet/sdk/3.0.100/NuGe

4 Answers
  • 2021-01-20 15:16

    There was a workaround for this 403 error posted a few hours ago: https://developercommunity.visualstudio.com/content/problem/795493/403-error-during-nuget-restore.html

    In short, this seems to affect new projects connecting to a private feed. Here's the suggested workaround:

    1. Click "Artifacts" in the project with the failing build

    2. Select the feed you were trying to consume in your build and click the cog in the top right corner

    3. Click "Feed Settings"

    4. Go to the Permissions tab

    5. Click the 3 dots [...] that appeared to the right of the tab

    6. Click "Allow project-scoped builds"

    This adds the relevant user permissions that the error the OP posted was complaining about. Hopefully Microsoft will make a proper fix for this soon.

    Full credit to Tim Lynch from the developer community page.

  • 2021-01-20 15:25

    It appears under Organization and Project Settings. Find Pipelines/Settings and there is a toggle option named Limit job authorization scope to current project.

  • 2021-01-20 15:30

    All answers are valid but it depends.

    Take into account that only Contributor and Owner roles are allowed to push packages; read the docs here.

    Then also remember Scoped build identities.

    Azure DevOps uses two built-in identities to execute pipelines.

    • A collection-scoped identity, which has access to all projects in the collection (or organization for Azure DevOps Services)
    • A project-scoped identity, which has access to a single project

    ...

    By default, the collection-scoped identity is used, unless the Limit job authorization scope to current project is set in Project Settings > Settings.

    With this in mind follow the next steps:

    1. You need to check which identity is being used for your pipelines:

    For me it is the project-scoped identity

    2. Add/Check the Feed Permissions as it may apply (I'll leave a description below the image)

    • No. 1 If the identity is collection-scoped
    • No. 2 If the identity is project-scoped
    • No. 3 Give your contributors the least privilege principle if it applies. (For me it's OK to let them read the feed, and the pipeline or me are the only ones allowed to push packages)

    Remember again you need to use Owner or Contributor roles.

  • 2021-01-20 15:31

    Go to your feed settings:

    In the Permissions tab verify that at least reader permissions are assigned to "Project Collection Build Service (username)":

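The check described in the last two answers (work out which build identity the pipeline runs as, then confirm its role on the feed), as an added example that is not part of the original answers. The organization `contoso`, the project `Shop`, the sample permission entries and the `{project} Build Service ({org})` name format for the project-scoped identity are assumptions; the rule that a restore-only pipeline should not hold a push-capable role is this example's own policy choice.

```python
# Added example, not from the original answers. Role names follow the Azure
# Artifacts UI; the project-scoped identity name format is an assumption.
ROLE_RANK = {"Reader": 1, "Collaborator": 2, "Contributor": 3, "Owner": 4}

# Constructed sample of a feed's Permissions tab (hypothetical org "contoso").
SAMPLE_FEED = [
    {"identity": "Project Collection Build Service (contoso)", "role": "Contributor"},
    {"identity": "[Shop]\\Contributors", "role": "Reader"},
]


def build_identity(org, project, limit_scope_to_project):
    """Identity a pipeline job runs as: collection-scoped by default,
    project-scoped when "Limit job authorization scope to current project" is on."""
    if limit_scope_to_project:
        return f"{project} Build Service ({org})"
    return f"Project Collection Build Service ({org})"


def audit_feed(permissions, org, project, limit_scope_to_project, publishes):
    """Return findings for the build identity; an empty list means no issue."""
    identity = build_identity(org, project, limit_scope_to_project)
    needed = "Contributor" if publishes else "Reader"
    roles = {p["identity"]: p["role"] for p in permissions}
    have = roles.get(identity)
    if have is None:
        return [f"MISSING: '{identity}' has no role on the feed, needs {needed}"]
    if ROLE_RANK[have] < ROLE_RANK[needed]:
        return [f"TOO LOW: '{identity}' is {have}, needs {needed}"]
    # Policy choice of this example: a restore-only pipeline should not be able to push.
    if not publishes and ROLE_RANK[have] >= ROLE_RANK["Contributor"]:
        return [f"EXCESS: '{identity}' is {have} but the pipeline only restores"]
    return []


if __name__ == "__main__":
    for limit in (False, True):
        print(limit, audit_feed(SAMPLE_FEED, "contoso", "Shop", limit, publishes=False))
```

With the sample data, turning on "Limit job authorization scope to current project" switches the job to an identity that has no role on the feed, which is the situation the question describes.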