Git push error for azdo #755

Closed
puicchan opened this issue Sep 27, 2022 · 5 comments · Fixed by #796


puicchan commented Sep 27, 2022

PR 743 build -
azd version 0.2.0-beta.3-pr.1877365 (commit 33710f9)

azd init -t Azure-Samples/todo-nodejs-mongo -b pr/743

Scopes of PAT
Agent Pools (read, manage)
Build (read and execute)
Code (full)
Project and team (read, write and manage)
Release (read, write, execute and manage)
Service Endpoints (read, query and manage)

D:\codes\test\node927>azd pipeline config --provider azdo
Using pipeline provider: Azure DevOps
You need an Azure DevOps Personal Access Token (PAT). Please create a PAT by following the instructions here https://aka.ms/azure-dev/azdo-pat
? Personal Access Token (PAT): xxx

? Personal Access Token (PAT): xxx
? Save the PAT to the node927 environment file (.env)? Yes
? Please enter an Azure DevOps Organization Name: puichan0401

? Please enter an Azure DevOps Organization Name: puichan0401
Creating or updating service principal az-dev-09-27-2022-19-45-02.

? Initialize a new git repository? Yes
? A remote named "origin" was not found. Would you like to configure one? Yes
? How would you like to configure your project? Create a new Azure DevOps Project
? Enter the name for your new Azure DevOps Project OR Hit enter to use this name: (node927)

? Enter the name for your new Azure DevOps Project OR Hit enter to use this name: node927
using default repo (node927) in newly created project(node927)
? Would you like to commit and push your local changes to start the configured CI pipeline? Yes
Pushing changes
fatal: Authentication failed for 'https://dev.azure.com/puichan0401/node927/_git/node927/'
Error: git push: pushing changes: failed to push: exit code: 128, stdout: , stderr: : exit status 128

I ran this again with --debug. This time, I am prompted for credential. A new PAT entry is added:
[image]

End of the debug output
...

Service Connection azconnection already exists. Updating endpoint
? Would you like to commit and push your local changes to start the configured CI pipeline? Yes
2022/09/27 12:54:54 command_runner.go:95: Run exec: 'git -C D:\codes\test\node927 branch --show-current'
2022/09/27 12:54:54 command_runner.go:95: Run exec: 'git config credential.helper'
2022/09/27 12:54:54 command_runner.go:95: Run exec: 'git -C D:\codes\test\node927 add .'
2022/09/27 12:54:54 command_runner.go:95: Run exec: 'git -C D:\codes\test\node927 commit --allow-empty -m Configure Azure Developer Pipeline'
Pushing changes
2022/09/27 12:54:54 command_runner.go:95: Run exec: 'git -C D:\codes\test\node927 push --set-upstream origin main'
Enumerating objects: 182, done.
Counting objects: 100% (182/182), done.
Delta compression using up to 8 threads
Compressing objects: 100% (170/170), done.
Writing objects: 100% (182/182), 685.24 KiB | 7.29 MiB/s, done.
Total 182 (delta 19), reused 0 (delta 0), pack-reused 0
remote: Analyzing objects... (182/182) (48 ms)
remote: Storing packfile... done (91 ms)
remote: Storing index... done (35 ms)
To https://dev.azure.com/puichan0401/node927/_git/node927
 * [new branch]      main -> main
branch 'main' set up to track 'origin/main'.
2022/09/27 12:55:06 command_runner.go:95: Run exec: 'git -C D:\codes\test\node927 remote set-url origin https://puichan0401@dev.azure.com/puichan0401/node927/_git/node927'

Successfully configured Azure DevOps Repository https://dev.azure.com/puichan0401/node927/_git/node927

Error: post git push hook: Could not queue the build because there were validation errors or warnings.

Just checked the project. After running azd pipeline config --debug (and I suspect with the Git PAT),

  • code is pushed and
  • pipeline run is a success!

Not sure why the "Error: post git push hook: Could not queue the build because there were validation errors or warnings."


hattan commented Sep 28, 2022

This has to do with the git credential being cached. I had a quick chat with @puicchan about this and the issue stems from running azd pipeline config --provider azdo with a valid PAT, then regenerating the PAT (or creating a new one and deleting the old one). Running azd pipeline config on another project targeting the same Azure DevOps Org will error out.

Git caches the credentials for https://dev.azure.com. When the second invocation comes through, it fails as the old PAT is still in the credential helper cache.

I was able to successfully reproduce with the following steps (note bash seems to force a password prompt, but on PS core it defaults to an error):

  • Ensure you are in a PowerShell terminal (PowerShell Core)
  • Clear all local git credentials for dev.azure.com from credential stores
  • Ensure AZURE_DEVOPS_EXT_PAT environment variable is NOT set.
  • Create a PAT with correct scopes (see above)
  • azd init --template todo-python-mongo
  • azd pipeline config --provider azdo.
  • Follow all prompts, create a new Azure DevOps instance successfully.
  • Go back to Azure DevOps and Regenerate the same PAT
  • Create a new folder and go through azd init process again
  • azd pipeline config --provider azdo
  • Provide new PAT when prompted
  • Provide org when prompted
  • Create new project and enter a unique name
  • Select Yes to push remote.
  • Error as it will try to use old pat in credential store and NOT prompt for a password.

Work around:
Update the PAT in the credential store you are using.

  • Windows -
  • Mac OS - Keychain Access 'dev.azure.com'

Regarding the second error in the original post: that is because the Git Credential Manager for Windows created a PAT automatically and was able to push the code. However, since it lacked scopes to run the pipeline and configure a build policy, it resulted in a failure. After updating the credential store with the correct PAT, this second issue does not appear.
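
The stale-credential behaviour and the workaround described in the comment above, as an added example that is not part of the thread or of azd's code. It assumes git is installed, uses a throwaway HOME with git's plain-text `store` helper in place of the real credential manager, and the user name and PAT values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway HOME plus the plain-text "store" helper, so the
# real credential manager and the network are never touched. Do not use
# "store" for real PATs; it keeps them unencrypted on disk.
export HOME="$(mktemp -d)" GIT_CONFIG_NOSYSTEM=1 GIT_TERMINAL_PROMPT=0
export XDG_CONFIG_HOME="$HOME/.config"
unset GIT_ASKPASS SSH_ASKPASS
git config --global credential.helper store

HOST=dev.azure.com            # host named in the thread
CRED_USER=example-user        # hypothetical user name
OLD_PAT=old-pat-constructed   # constructed placeholder values, not real tokens
NEW_PAT=new-pat-constructed

# Print the secret git would send to https://$1 (empty when nothing is cached).
cached_secret() {
  printf 'protocol=https\nhost=%s\n\n' "$1" | git credential fill 2>/dev/null |
    sed -n 's/^password=//p'
}

# Drop whatever is cached for https://$1, then cache user $2 with secret $3.
replace_cached_pat() {
  printf 'protocol=https\nhost=%s\n\n' "$1" | git credential reject
  printf 'protocol=https\nhost=%s\nusername=%s\npassword=%s\n\n' "$1" "$2" "$3" |
    git credential approve
}

# First project: the push succeeds and the helper remembers the PAT.
replace_cached_pat "$HOST" "$CRED_USER" "$OLD_PAT"

# The PAT is regenerated in Azure DevOps. The helper still answers with the
# old value, which is what the failing push in the second project sends.
before=$(cached_secret "$HOST")

# Workaround from the comment above: refresh the stored credential.
replace_cached_pat "$HOST" "$CRED_USER" "$NEW_PAT"
after=$(cached_secret "$HOST")

echo "before=$before after=$after"
```

The same `git credential reject` and `git credential approve` calls go through whichever helper `git config credential.helper` reports, so they also refresh an OS-backed store.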

@vhvb1989
Member

Removed the blocker label from this issue.

The root cause is related to how git credentials are persisted and not related to azd.

Users must be aware that rotating a PAT would affect any stored credentials using that PAT, so they need to refresh the stores.

We can invest some time in the future on how to provide good error handling or messages about a wrong PAT.


v-jiaodi commented Sep 28, 2022

We also encounter the same issue on Mac OS. By comparing successful logs in other environments, the code is pushed to the master branch, but on Mac OS, the code is pushed to the main branch.
We tried running git checkout -b master before running azd pipeline config --provider azdo, and it passes.

@puicchan
Contributor Author

@vhvb1989 what if I work on multiple repos and use diff PAT for my projects? This is not about rotating PAT. Previous credential is cached. How do we prevent that?

@vhvb1989
Member

> what if I work on multiple repos and use diff PAT for my projects?

git-credential-manager automatically stores one credential per domain. This is because you would use the same PAT for all the projects/repos/pipelines within an Azdo Server. The PAT cannot be scoped to one project or repo only, as it is created for the entire Organization (or even across organizations).

The PAT is equivalent to your user-log-in credentials. You don't need a different user-account for each project.

Using one PAT per repo (within the same organization) is equivalent to having multiple user accounts (one account per repo).

It is more likely to think about a relation between a PAT and a tool. You might have one PAT for different tools. For example, one PAT for azd cli, another PAT for az cli, another PAT for some scripts, etc. Then you can control the access that each tool can have with the PAT.
The PAT is usually regenerated or expired when the tool is no longer in use, or after a time period. After that, people usually know that they need to update the PAT for that tool.
