403 error when Dependabot tries to create a pull request

[semkeijsper]

Describe the bug
Dependabot fails when trying to create a pull request

To Reproduce
Steps to reproduce the behavior:

1. Run the pipeline with the Dependabot task
2. The plugin access the code and checks all the packages
3. It fails when trying to create a pull request

Expected behavior
It should create a pull request

Screenshots

Extension (please complete the following information):

• Host: Azure DevOps
• Version: 1.28.0.708 (Latest)

Server (please complete the following information):

• Region: westeurope
• Version: ?

Additional context
The plugin can access the code in the repository, so the API connection works. It can also do GET requests for fetching the existing pull requests. So the basic permissions work, but as soon as it tries a POST request, it fails.
We have tried all different options but cannot find where we can configure the permissions for this plugin, or for the 'user' that runs this plugin. The documentation of this plugin is unclear about where we can configure the required permissions.
We use minimal configs for dependabot and we use the standard Azure Pipelines agent pool. Please advice on where this goes wrong.

[ahmed-ben10]

I encountered a similar issue just a few days ago. To resolve it, ensure that your build service user has been granted the following permissions:

[semkeijsper]

@ahmed-ben10 Thanks for your reply. How did you discover/find who your build service user is? And in what menu was that screenshot taken, Project settings, Organization settings, and which submenu? Thanks.

[sambouchard-newforma]

@ahmed-ben10 Thanks for your reply. How did you discover/find who your build service user is? And in what menu was that screenshot taken, Project settings, Organization settings, and which submenu? Thanks.

To find who your Build service user is, go to the dropdown menu on the right in the pipeline page and click on ''Manage security'' :

Here at the bottom of the list you will see under users who your build service user(s) is/are :

Then go to the permissions tab of the Azure DevOps project settings in the users section you will most likely find the user that you found previously. From here on, you can either modify its permission or add the user to be the member of a group that has the correct permissions!

[semkeijsper]

@sambouchard-newforma Unfortunately none of the users listed in the Pipeline dropdown can be found in the Permissions > Users tab... thanks for the reply though :)

[mburumaxwell]

Check #1095 (comment)

[rdehouss]

Hi everyone,
I'm having exactly the same issue (403 on pushes api) using dependabot extension 1.29.769

I tried to give my "Build service" user and Project Collection Build Service Accounts the mentioned permission without success :


https://github.com/dependabot/dependabot-core/blob/main/common/lib/dependabot/clients/azure.rb#L183C11-L183C24

With my user PAT in inputs: azureDevOpsAccessToken, it works fine.

Any other idea?

Thanks in advance!

Cheers,
Raphaël

[rdehouss]

Finally, I could make it work by following this article : https://medium.com/@sugam.arora23/automated-dependency-management-harnessing-dependabot-for-seamless-updates-on-azure-devops-ea5d1a7aa82c
Basically, I gave the permissions to the user (search for it) "Project Collection Build Service ()" on the security tab on All repositories

[thepaulmacca]

I'm seeing a completely new set of permissions here now