Publishing NuGet packages to Azure Artifacts from PR's

0
votes

Can Azure Artifacts packages be made available publicly? If so, I'd like publish NuGet packages from a PR to my GitHub project. I currently get the following permissions error from PR builds:

[warning]Warning_SessionCreationFailed {"statusCode":500,"result":{"$id":"1","innerException":null,"message":"User '89e4e6df-0ac0-471f-ba63-0270050c3b79' lacks permission to complete this action. You need to have 'ReadPackages'.","typeName":"Microsoft.VisualStudio.Services.Feed.WebApi.FeedNeedsPermissionsException, Microsoft.VisualStudio.Services.Feed.WebApi","typeKey":"FeedNeedsPermissionsException","errorCode":0,"eventId":3000}} [error]Error: The process '/usr/bin/dotnet' failed with exit code 1 [error]Packages failed to publish

I'm using an azure-pipelines.yml file. Here is a link to my Azure Pipelines build.

Update 1

These are the users/groups I have already added to my feed:

enter image description here

These are the users/groups I can add to my feed, that I haven't already done:

enter image description here

Update 2

This is the yaml for the Azure Pipelines task I am using to publish the NuGet package:

- task: DotNetCoreCLI@2
  displayName: 'Dotnet NuGet Push'
  inputs:
    command: push
    nuGetFeedType: internal
    packagesToPush: '/home/vsts/work/1/Windows/*.nupkg'
    publishVstsFeed: schema-net
1
githubazure-devopsnugetazure-artifacts
In the feed settings check if there are permissions to "Project Collection Build Service (username)"Shayki Abramczyk
But the user submitting a PR on GitHub can be anyone.Muhammad Rehan Saeed
But the buid run with a special user, not the user who trigger the PRShayki Abramczyk

1 Answers

1
votes

According to the error message, your account does not have permissions on that feed which you want to operate.

You need verify whether your account has Contributor or higher permissions on the feed which you are trying push to.

In another, the group Project Collection Build Service is a default Contributor. But also, as default setting, it does not include the account Project Collection Build Service(xxxx) as a member. So, if you are the owner, you may need to add the Project Collection Build Service(xxxx) account into Project Collection Build Service group.

enter image description here

Edit:

As I check your org info from our back end, I found the user(89e4e6df-0ac0-xxxxxx-0270050c3b79), which displayed in your error message, is a Service identity account. And it's domain is build. It's a special account, not the normal user who may create or trigger the pr. So, if you do not grant permission to this service identity account, it will not have permission to access the feed you want to push to.

And also, the direct parents groups of this security account in your Org is [org name]\Security Service Group. You can check it under your org setting. You can also check its permission under your feed.

So, for solved, you need to add this service identity account in to your feed setting, and grant it contributor or higher role.

enter image description here

2nd Update:

For clearly understand, let me clear up some details.

At first,according to the error message which displayed in log said lack ReadPackage permission, I considered this firstly with the permission of the feed which you wanted push to in task.

In addition, the user number which also displayed in the log, 89e4e6df-0ac0-xxxxxx-0270050c3b79. As I checked from backend, it is a VSID that represent a build service account: Schema.NET Build Service (schema-net). So, firstly, it’s easy to think that this account does not has relevant permission so that it could not push package.

But, after you update the feed setting, I check user VSID from backend again and review the error log. I figure it out. According to the logs of #20190625.1, you can see that the error begin occurred on getting source package:

##[warning]Can\'t find loc string for key: Warning_SessionCreationFailed

Because of this error, it’s failed to create the correct package source package path so that the service account does not have permission to access it because it’s a wrong path:

enter image description here

In fact, the correct source package url should look like this( you can refer this from #2029062502)

https://pkgs.dev.azure.com/schema-net/_packaging/f43386ca-{package id}-d2f8da200fb3/nuget/v3/index.json

Now, I think this is a issue which about the configuration of your nuget.config file.