AzureDevops: Updates failed LibGit2SharpException : request failed with status code: 403

[usma0118]

Platform: AzureDevops Build setup as: https://nukeeper.com/platform/azure-devops/#extension

Build Agent: Hosted 2017

Failure on: Git push to origin/nukeeper-update-AutoMapper-to-8.1.1 Updates failed LibGit2SharpException : request failed with status code: 403

Log Git commit with message '📦 Automatic update of AutoMapper to 8.1.1' Git push to origin/nukeeper-update-AutoMapper-to-8.1.1 Updates failed LibGit2SharpException : request failed with status code: 403 at LibGit2Sharp.Core.Ensure.HandleError(Int32 result) at LibGit2Sharp.Core.Proxy.git_remote_push(RemoteHandle remote, IEnumerable1 refSpecs, GitPushOptions opts) at LibGit2Sharp.Network.Push(Remote remote, IEnumerable1 pushRefSpecs, PushOptions pushOptions) at LibGit2Sharp.Network.Push(IEnumerable1 branches, PushOptions pushOptions) at NuKeeper.Git.LibGit2SharpDriver.<>c__DisplayClass17_0.b__0() in /home/vsts/work/r1/a/drop/NuKeeper.Git/LibGit2SharpDriver.cs:line 189 at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state) --- End of stack trace from previous location where exception was thrown --- at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot) --- End of stack trace from previous location where exception was thrown --- at NuKeeper.Engine.Packages.PackageUpdater.MakeUpdatePullRequests(IGitDriver git, RepositoryData repository, NuGetSources sources, SettingsContainer settings, IReadOnlyCollection1 updates) in /home/vsts/work/r1/a/drop/NuKeeper/Engine/Packages/PackageUpdater.cs:line 85 at NuKeeper.Engine.Packages.PackageUpdater.MakeUpdatePullRequests(IGitDriver git, RepositoryData repository, IReadOnlyCollection1 updates, NuGetSources sources, SettingsContainer settings) in /home/vsts/work/r1/a/drop/NuKeeper/Engine/Packages/PackageUpdater.cs:line 46`

[FlamingFirewolf]

I'm also getting this error; found in another thread that setting access rights for the build user could be a possible fix - sadly this did not work for me, but reposting below.

1. Go to "Project settings" in your ADO home screen.
2. Click repositories
3. Click Git repositories
4. Click the build service User(the bottom one, something like: Project collection build service)

Give it the following rights:

• Contribute Allow
• Contribute to pull requests Allow
• Create branch Allow That will give your build service user enough rights to do it.

[MarcWils]

I was able to workaround the issue by changing the project visibility from private to public.

Can anyone else confirm that the issue caused by the project visibility?

[Baisakhc]

I have the same issue and setting access rights for build user does not fix the issue for me. I too could workaround by changing the project visibility from private to public and with that the issue disappeared and the pull request was generated. However, making the project as public is not really a viable option for our production Azure Devops project. Can someone please look into this issue?

[phatcher]

I have the same issue with version 0.4.34 of the extension/0.25 nukeeper running on the windows-latest pipeline, checked the Build user permissions and are set correctly,

Log is quite empty...

....
Updates failed LibGit2SharpException : request failed with status code: 403
Attempted 1 updates and did 0
##[debug]task result: Succeeded
##[debug]Processed: ##vso[task.complete result=Succeeded;]done

[ohoover]

I am having the same issue as @phatcher . I did also verify the build user permissions are set with the 3 permissions listed in the documentation. My repo is private and it is not an option to make it public

[crystalgeek]

In case anyone else is having this issue the fix I found is from this site (https://developercommunity.visualstudio.com/content/problem/826481/systemaccesstoken-allows-reading-git-repository-wi.html)

"When the project-level setting Limit job authorization scope to current project is disabled the System.AccessToken refers to an app-level account that cannot be removed as reader of all repositories." - This is likely why it's not affecting public repositories and only private repos

Fix: Enable the project-level pipeline setting Limit job authorization scope to current project Make sure that the user [project] Build Service ([organisation]) is member of the organisation level group Project Collection Build Service Group (otherwise pipelines will not be fired because not able to access the orchestration plan)

[mburumaxwell]

Didn't need to change project visibility instead, assign the required permissions to two accounts named with the format:

1. [project-name] Build Service (organization-name)
2. Project Collection Build Service (organization-name)

The permissions are the same:

1. Contribute (set to allow)
2. Contribute to pull requests (set to allow)
3. Create branch (set to allow)

Guided by https://www.edvella.com/Post/46/Keep_your_solution_up_to_date_with_NuKeeper

Hope that helps someone.