Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Define PAT permission scope requirements for DevOps #1547

Closed
nwcm opened this issue Aug 18, 2023 · 2 comments
Closed

Define PAT permission scope requirements for DevOps #1547

nwcm opened this issue Aug 18, 2023 · 2 comments
Labels
bug GenerateReleaseNotes (XPlat version) Stale

Comments

@nwcm
Copy link

nwcm commented Aug 18, 2023

Azure DevOps Extensions

Generate Release Notes (Node Cross Platform)

Platform

Azure DevOps Services

Azure DevOps Server (TFS) Version

No response

Extension Version

No response

Describe the bug

Using a fully scoped PAT in local development may be disallowed in some DevOps organisations. It is unclear with scopes are required. And a failure in one will result in no output.

For example the Testing callouts fail and return 401 there will be no commit or work items outputted for use.

Repo Steps

  1. create PAT with limited scopes for READ work items, builds, releases
  2. Run node .\GenerateReleaseNotesConsoleTester.js
  3. See error and o outputs

Expected Behavior

I would expect if some endpoints were to fail we could have some output. However, it looks like all the API callouts are pretty much wrapped in one big try{}. Likewise you also cannot see which API callout has failed

Easiest to define a minimum list of scopes of PATs to function

Logging Information

The most common runtime reason for the task to fail is due API ECONNRESET issues. To avoid this failing the pipeline these will be treated as warnings and an attempt to generate any release notes possible
Error: Failed request: (401)
    at RestClient.<anonymous> (C:\Users\NickW\repos\AzurePipelines-1\Extensions\XplatGenerateReleaseNotes\XplatGenerateReleaseNotesTask\node_modules\typed-rest-client\RestClient.js:202:31)
    at Generator.next (<anonymous>)
    at fulfilled (C:\Users\NickW\repos\AzurePipelines-1\Extensions\XplatGenerateReleaseNotes\XplatGenerateReleaseNotesTask\node_modules\typed-rest-client\RestClient.js:6:58)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  statusCode: 401
}
@nwcm nwcm added the bug label Aug 18, 2023
@rfennell
Copy link
Owner

Firstly, the task only requires read access, it never writes back to the API.As to which read sco pes are required. It depends on the template needs i.e. there are some flags that enable or disable parts of API call logic, but basically the APIs used (and hence PAT scopes are)

  • Build
  • Code (for PR decoration)
  • Release (for Classic Releases)
  • Work Items
  • Test Management

The reason for the outer catch was to try (unsuccessfully) to capture state in some retry conditions when the API failed with timeouts. The best option to work out which API call actually failed is to look at the log with the system.debug=true setting on, which the local tester defaults to, and just see where it got up to.

@github-actions
Copy link

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the Stale label Sep 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug GenerateReleaseNotes (XPlat version) Stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rfennell @nwcm