Execute git push within Azure DevOps pipeline but getting fatal error

0
votes

I'm trying to run git push command inside my Azure DevOps build pipeline but getting below error-

fatal: could not read Password for 'https://dev.azure.com': terminal prompts disabled.

Then I tried to execute same command with my Personal Access Token (PAT) like

MY_PAT= 'MY_PAT'

B64_PAT=$(printf ":$MY_PAT" | base64)

git -c http.extraHeader="Authorization: Basic ${B64_PAT}" push

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page#use-a-pat

and it worked. But owing to security compliance I can't use my PAT in pipeline is there any way to use git push command without exposing my PAT. Please explain oauth2 authentication step by step if that will work.

2
gitoauth-2.0azure-devops
Use SYSTEM_ACCESSTOKEN instead. The build process already has a valid access token.Daniel Mann

2 Answers

0
votes

You do not need to use your PAT. You can use the predefined variable System.Accesstoken directly. See here.

System.AccessToken is a special variable that carries the security token used by the running build.

Change your command to below:

B64_PAT=$(printf ":$(System.AccessToken)" | base64)  

git -c http.extraHeader="Authorization: Basic ${B64_PAT}" push

You can also use the AccessToken directly like this:

git push https://$(System.AccessToken)@dev.azure.com/org/proj/_git/repo -q
-1
votes

There is a detailed documentation of using git commands in the pipelines without extraHeader and through PAT of the Build Service:Run Git commands in a script.

  1. Set identity information
  2. Check permissions of build service on your repository
  3. Allow scripts to access the system token
  4. Run commands in your script

Or you can store your PAT as a secret variable:

  1. Set secret variables
  2. Use secrets from Azure Key Vault in Azure Pipelines