Why Can't I Push to Azure Git From DevOps Pipeline
The error message is (TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\8ec5f0f1-6bca-4182-bb3e-2d47a64262bf', scope 'repository'.)
I've taken that GUID and confirmed that the account it represents has all of the necessary permissions on the repo, plus more:
- Contribute
- Create branch
- Read
- Bypass policies when pushing
The target branch is not locked and there are no policies applied.
The relevant portion of the YAML for my pipeline looks like this:
steps:
- task: PowerShell@2
inputs:
targetType: 'inline'
script: |
git config --global user.email "[email protected]"
git config --global user.name "Build Agent1"
pwsh: true
- checkout: self
persistCredentials: true
- task: PowerShell@2
inputs:
targetType: 'inline'
pwsh: true
script: |
Write-Host "------------------------------------------------------------"
# Update the file src\version.ts here
git add src\version.ts
git commit -m "Version bump from build pipeline [skip ci]"
git push origin HEAD:Eval
Eval is the name of the branch I'm pushing to (the same branch the pipeline is running against). The version file gets updated but the last line fails. I've tried it without the HEAD:Eval but then I get an error that I'm in a disconnected Head state and need to add HEAD:branchName
Update:
Here's an image showing permissions for the account referenced by the GUID from the error message:
I was able to make this work by setting the security for the build account ({Project Name} Build Service ({organization}) ) on the specific branch instead of just on the repo itself. In the Branches page, click the ellipsis to the right of the target branch and select Branch Security and then make sure that the build account has permissions:
