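Problem description
Trying to use Azure Pipelines to "automate" Salesforce development. Because Salesforce is quite unique in how changes are deployed, the user is trying to create a pipeline, run manually, that saves any changes in a Salesforce sandbox to a branch. The goal is to eventually merge these changes into other branches and deploy them to other Salesforce environments.
The user uses the SFDX CLI in the pipeline to perform these tasks. Below is a copy of the user's yml file: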
trigger:
- developer
pool:
  vmImage: 'ubuntu-latest'
variables:
- group: DeveloperVariables
steps:
- checkout: self
  persistCredentials: true
- task: DownloadSecureFile@1
  inputs:
    secureFile: server.key
- task: Bash@3
  inputs:
    workingDirectory: ''
    targetType: inline
    script: |
      wget https://developer.salesforce.com/media/salesforce-cli/sfdx-linux-amd64.tar.xz;
      mkdir sfdx;
      tar xJf sfdx-linux-amd64.tar.xz -C sfdx --strip-components 1;
      sudo ./sfdx/install;
      sfdx force:auth:jwt:grant --clientid $CONSUMER_KEY --jwtkeyfile $DOWNLOADSECUREFILE_SECUREFILEPATH --username $USERNAME --setalias developer;
      sfdx force:mdapi:retrieve -u $USERNAME -k src/package.xml -r .;
      unzip unpackaged.zip;
      cd unpackaged;
      git config --global user.email "test@test.com"
      git config --global user.name "Test User"
      git checkout -t origin/developer;
      git add .;
      git status;
      echo "This is me: ";
      whoami;
      git commit -m "Retrieved latest Developer SB changes!"
      echo "Pushing now!!!";
      git push --set-upstream origin HEAD:developer;
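According to Microsoft's documentation, we need to make sure permissions are granted to the build service. All permissions have been granted as required, but it still does not work.
Below is a copy of the log generated when the pipeline runs: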
##[section]Starting: Bash
==============================================================================
Task : Bash
Description : Run a Bash script on macOS, Linux, or Windows
Version : 3.151.3
Author : Microsoft Corporation
Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash
==============================================================================
Generating script.
========================== Starting Command Output ===========================
[command]/bin/bash --noprofile --norc /home/vsts/work/_temp/9d534f54-57b8-44a0-8d10-2e3d8c334bbf.sh
--2019-08-13 13:27:00-- https://developer.salesforce.com/media/salesforce-cli/sfdx-linux-amd64.tar.xz
Resolving developer.salesforce.com (developer.salesforce.com)... 151.101.249.145
Connecting to developer.salesforce.com (developer.salesforce.com)|151.101.249.145|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19686680 (19M) [application/x-tar]
Saving to: ‘sfdx-linux-amd64.tar.xz’
0K .......... .......... .......... .......... .......... 0% 25.6M 1s
50K .......... .......... .......... .......... .......... 0% 27.2M 1s
...
19150K .......... .......... .......... .......... .......... 99% 171M 0s
19200K .......... .......... ..... 100% 247M=0.1s
2019-08-13 13:27:00 (133 MB/s) - ‘sfdx-linux-amd64.tar.xz’ saved [19686680/19686680]
sfdx installed to /usr/local/bin/sfdx
sfdx-cli/7.8.1-8f830784cc linux-x64 node-v10.15.3
(node:3433) [EACCES] Error Plugin: sfdx-cli: EACCES: permission denied, open '/home/vsts/.cache/sfdx/lastrun'
module: @oclif/config@1.13.0
task: runHook init
plugin: sfdx-cli
root: /usr/local/lib/sfdx
See more details with DEBUG=*
Successfully authorized pipeline@coop.org.developer with org ID 00D560340009rbvEAA
(node:3469) [EACCES] Error Plugin: sfdx-cli: EACCES: permission denied, open '/home/vsts/.cache/sfdx/lastrun'
module: @oclif/config@1.13.0
task: runHook init
plugin: sfdx-cli
root: /usr/local/lib/sfdx
See more details with DEBUG=*
this.retrieveTargetPath: /home/vsts/work/1/s
Retrieving source...
=== Status
Status: InProgress
jobid: 09S56000001G6fmEAC
...
=== Result
Status: Succeeded
jobid: 09S56000001G6fmEAC
Wrote retrieve zip to /home/vsts/work/1/s/unpackaged.zip.
Archive: unpackaged.zip
inflating: unpackaged/settings/Account.settings ...
inflating: unpackaged/pathAssistants/TMG_CBE_Path.pathAssistant
inflating: unpackaged/package.xml
Switched to a new branch 'developer'
Branch 'developer' set up to track remote branch 'developer' from 'origin'.
On branch developer
Your branch is up to date with 'origin/developer'.
Changes to be committed:
(use "git reset HEAD <file>..." to unstage)
new file: approvalProcesses/Billing_Item__c.Billable_Item_Less_than_0.approvalProcess
...
new file: workflows/Touchpoint__c.workflow
new file: workflows/User.workflow
Untracked files:
(use "git add <file>..." to include in what will be committed)
../sfdx-linux-amd64.tar.xz
../sfdx/
../unpackaged.zip
This is me: vsts
[developer f8ea8ed] Retrieved latest Developer SB changes!
1332 files changed, 452246 insertions(+)
create mode 100644 unpackaged/approvalProcesses/Billing_Item__c.Billable_Item_Less_than_0.approvalProcess
...
create mode 100644 unpackaged/workflows/Touchpoint__c.workflow
create mode 100644 unpackaged/workflows/User.workflow
Pushing now!!!
remote: 001f# service=git-receive-pack
remote: 0000000000aaTF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\49a2cab3-a4ad-46c4-994c-35f429c806d2', scope 'repository'.
remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\49a2cab3-a4ad-46c4-994c-35f429c806d2', scope 'repository'.
fatal: unable to access 'https://dev.azure.com/cooporg/test/_git/test/': The requested URL returned error: 403
##[error]Bash exited with code '128'.
##[section]Finishing: Bash
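The user added the "whoami" command to confirm which user the script runs as, and surprisingly it runs as "vsts". The user tried searching for this user in order to grant it permissions, but could not find it.
Has anyone implemented something similar? How can we execute Git commands in the pipeline as a specific user so that changes can be pushed back to our branch? Ideally, these changes would be committed as the user who manually ran the pipeline.
Thanks.
Solution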
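Approach
Based on the log you provided, the problem may be a missing "contribute" permission for "Project Collection Build Service Accounts". There is also a user named "Project Collection Build Service". After explicitly adding the "Project Collection Build Service" user to the users with contribute permission, the problem was resolved.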
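The identity the server rejected is named in the TF401027 lines of the log, not in the whoami output (which is only the agent's OS account). As an added example, not part of the original question or answer, the sketch below pulls the denied permission, identity and scope out of a pipeline log; the function names and the sample log (lines copied from the log above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which identity a TF401027 denial refers to.

# Constructed sample input: the relevant lines copied from the log above.
sample_log() {
cat <<'EOF'
This is me: vsts
Pushing now!!!
remote: 001f# service=git-receive-pack
remote: 0000000000aaTF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\49a2cab3-a4ad-46c4-994c-35f429c806d2', scope 'repository'.
remote: TF401027: You need the Git 'GenericContribute' permission to perform this action. Details: identity 'Build\49a2cab3-a4ad-46c4-994c-35f429c806d2', scope 'repository'.
fatal: unable to access 'https://dev.azure.com/cooporg/test/_git/test/': The requested URL returned error: 403
EOF
}

# Reads a log on stdin and prints one "permission|identity|scope" row per
# distinct denial. Git echoes the server message twice, so rows are deduplicated.
tf401027_denials() {
  sed -n "s/.*TF401027: You need the Git '\([^']*\)' permission.*identity '\([^']*\)', scope '\([^']*\)'.*/\1|\2|\3/p" \
    | sort -u
}

# Turns each row into a readable line that names the identity to look up in
# the repository's security settings.
describe_denials() {
  tf401027_denials | while IFS='|' read -r perm ident scope; do
    printf 'denied: permission=%s scope=%s identity=%s\n' "$perm" "$scope" "$ident"
  done
}

sample_log | describe_denials
```

The "Build\..." identity printed here is the one to match against the build service entries in the repository's security settings; "vsts" never reaches the server.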