Closed jessehouwing closed 4 months ago
Can you remind me how/when this token was set up? We should document this if it's part of ongoing maintenance
The workflow relies on a Personal Access Token for any Azure DevOps organization with the scope:
marketplace:read
from the top of my head.
https://github.com/renovatebot/renovate/issues/19694#issuecomment-1383174831
Since setting this up it would now also be possible to rewrite the auth logic to rely on an Azure Service principal using Azure Workload Federation and OIDC, but that requires a bit more work to make that work.
https://jessehouwing.net/publish-azure-devops-extensions-using-workload-identity-oidc/
Hmmm and thinking about it, it probably also needs agentpool:read on the organization that is configured for the later added built-in tasks functionality.
I'll fork, verify and document
Added docs to the repo with the combined scopes required to run the scripts:
https://github.com/renovatebot/azure-devops-marketplace/blob/main/docs/azure-devops-access.md
With it I moved the AZURE_DEVOPS_ORG
from a secret to a variable. The needed scopes are indeed marketplace:read
and agent pool: read
to whatever organization is configured to read the data from.
I've also limited the permissions requested by the workflow to contents:write
while I was af it, no need for any more permissions.
@jessehouwing thanks. What's the difference between secret and variable here? I would have thought a token should be a secret.
Can you also clarify the meaning of the following?
The token must be generated for the Azure DevOps organization which agent pool will be queried.
I read that and think "is that me?" I assume the token still needs updating.
@jessehouwing thanks. What's the difference between secret and variable here? I would have thought a token should be a secret.
Can you also clarify the meaning of the following?
There are 2 settings:
AZURE_DEVOPS_ORG
- The name of the organization that we connect to, to read the official microsoft tasks. I believe this is currently configured to @JamieMagee's devops instance. This isn't a secret.AZURE_DEVOPS_PAT
- This is the secret key we use to read the marketplace and the data in the devops instance. This needs to be protected. And again I think @JamieMagee's token was configured in the past.The token must be generated for the Azure DevOps organization which agent pool will be queried.
I read that and think "is that me?" I assume the token still needs updating.
This still needs doing. And they need to be stored in the Actions secrets and variables for this repo.
I've created https://dev.azure.com/renovatebot-download/ but I'm not sure what I need to do about "agent pools". I see this:
Added this PAT:
Unfortunately this error:
https://github.com/renovatebot/azure-devops-marketplace/actions/runs/8996125170/job/24726322791
@rarkins looks like you did the right thing, the files are updated again. The API from the marketplace has been a bit flakey lately. I may actually add some retry-logic to the script when I have the time.
Thanks, you're right: subsequent ones have all succeeded: https://github.com/renovatebot/azure-devops-marketplace/actions/workflows/create-renovate-data.yml
Look like the access token for the marketplace has expired and needs to be refreshed in the Actions Secrets for this repo
https://github.com/renovatebot/azure-devops-marketplace/actions/runs/8762477131/job/24050272144#step:3:19