rarkins
commented
5 months ago Can you remind me how/when this token was set up? We should document this if it's part of ongoing maintenance
Closed jessehouwing closed 4 months ago
rarkins
commented
5 months ago Can you remind me how/when this token was set up? We should document this if it's part of ongoing maintenance
jessehouwing
commented
5 months ago The workflow relies on a Personal Access Token for any Azure DevOps organization with the scope:
marketplace:read from the top of my head.
https://github.com/renovatebot/renovate/issues/19694#issuecomment-1383174831
Since setting this up it would now also be possible to rewrite the auth logic to rely on an Azure Service principal using Azure Workload Federation and OIDC, but that requires a bit more work to make that work.
https://jessehouwing.net/publish-azure-devops-extensions-using-workload-identity-oidc/
jessehouwing
commented
5 months ago Hmmm and thinking about it, it probably also needs agentpool:read on the organization that is configured for the later added built-in tasks functionality.
I'll fork, verify and document
jessehouwing
commented
5 months ago Added docs to the repo with the combined scopes required to run the scripts:
https://github.com/renovatebot/azure-devops-marketplace/blob/main/docs/azure-devops-access.md
With it I moved the AZURE_DEVOPS_ORG from a secret to a variable. The needed scopes are indeed marketplace:read and agent pool: read to whatever organization is configured to read the data from.
I've also limited the permissions requested by the workflow to contents:write while I was af it, no need for any more permissions.
rarkins
commented
5 months ago @jessehouwing thanks. What's the difference between secret and variable here? I would have thought a token should be a secret.
Can you also clarify the meaning of the following?
The token must be generated for the Azure DevOps organization which agent pool will be queried.
I read that and think "is that me?" I assume the token still needs updating.
jessehouwing
commented
5 months ago @jessehouwing thanks. What's the difference between secret and variable here? I would have thought a token should be a secret.
Can you also clarify the meaning of the following?
There are 2 settings:
AZURE_DEVOPS_ORG - The name of the organization that we connect to, to read the official microsoft tasks. I believe this is currently configured to @JamieMagee's devops instance. This isn't a secret.AZURE_DEVOPS_PAT - This is the secret key we use to read the marketplace and the data in the devops instance. This needs to be protected. And again I think @JamieMagee's token was configured in the past.The token must be generated for the Azure DevOps organization which agent pool will be queried.
I read that and think "is that me?" I assume the token still needs updating.
This still needs doing. And they need to be stored in the Actions secrets and variables for this repo.
rarkins
commented
4 months ago I've created https://dev.azure.com/renovatebot-download/ but I'm not sure what I need to do about "agent pools". I see this:
rarkins
commented
4 months ago Added this PAT:
Unfortunately this error:
https://github.com/renovatebot/azure-devops-marketplace/actions/runs/8996125170/job/24726322791
jessehouwing
commented
4 months ago @rarkins looks like you did the right thing, the files are updated again. The API from the marketplace has been a bit flakey lately. I may actually add some retry-logic to the script when I have the time.
rarkins
commented
4 months ago Thanks, you're right: subsequent ones have all succeeded: https://github.com/renovatebot/azure-devops-marketplace/actions/workflows/create-renovate-data.yml
Look like the access token for the marketplace has expired and needs to be refreshed in the Actions Secrets for this repo
https://github.com/renovatebot/azure-devops-marketplace/actions/runs/8762477131/job/24050272144#step:3:19