docs: add safe-output permissions reference and TF401027 troubleshooting guide#981
Open
jamesadevine wants to merge 1 commit into
Open
docs: add safe-output permissions reference and TF401027 troubleshooting guide#981jamesadevine wants to merge 1 commit into
jamesadevine wants to merge 1 commit into
Conversation
…ing guide Adds a dedicated reference for the most common Stage 3 runtime failure: 401/403 on safe outputs because $(System.AccessToken) resolves to a build-service identity (PCBS or per-project Build Service) that lacks PullRequestContribute / GenericContribute / CreateBranch on the target repo, sometimes via an explicit Deny. - New repo reference: docs/safe-output-permissions.md (linked from AGENTS.md docs index) - New site page: site/src/content/docs/troubleshooting/safe-output-permissions.mdx - common-issues.mdx: cross-link the new dedicated page - service-connections.mdx: add same-project TF401027 row to the troubleshooting table - debug-ado-agentic-workflow.md prompt: Stage 3 "Write Token Issues" rewritten with the TF401027 decoder table, Build\<guid> -> identity mapping, the explicit-Deny-wins note, and a link to the reference Covers: TF401027 error format, default build identity mapping, "Limit job authorization scope to current project" toggle and its cross-project caveat, Git Repositories permission bitmask decoder, which safe-output tool needs which bit, az + REST recipe to dump the ACL for any identity on any repo, and the three fix paths in recommended order (write service connection / flip the auth-scope toggle / lift the Deny). Site builds clean with starlight-links-validator (35 pages, including the new /troubleshooting/safe-output-permissions/). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a dedicated reference for the most common Stage 3 runtime
failure: 401/403 on safe outputs because
$(System.AccessToken)resolves to a build-service identity (Project Collection Build
Service or per-project Build Service) that lacks
PullRequestContribute/GenericContribute/CreateBranchonthe target repo — sometimes via an explicit Deny, which can't
be defeated by group-level Allow.
This grew out of a real failed run where the agent produced 8 valid
add-pr-commentproposals and every one came back from ADO with:There was nothing in the docs that explained which identity that
Build\<guid>actually is, that the project-level "Limit jobauthorization scope to current project" toggle is what flips
$(System.AccessToken)between the collection-scoped andproject-scoped build services, or how to read the permission
bitmasks the Security REST API returns. This PR fixes that.
What's new
docs/safe-output-permissions.md— repo-level reference,linked from the
AGENTS.mddocs index next tosafe-outputs.md.site/src/content/docs/troubleshooting/safe-output-permissions.mdx— site mirror. Auto-included in the sidebar via the
troubleshooting/autogenerate config.What's updated
AGENTS.md— new bullet in the "Authoring agent files" docsindex pointing at the reference page.
site/.../troubleshooting/common-issues.mdx— new"Stage 3 SafeOutputs fails with HTTP 403 /
TF401027" entry thatcross-links the dedicated page.
site/.../setup/service-connections.mdx— new row in thetroubleshooting table for the same-project
TF401027 … PullRequestContributecase (the existing row only covered thecross-project variant).
prompts/debug-ado-agentic-workflow.md— Stage 3 "WriteToken Issues" section rewritten with the
TF401027decodertable,
Build\<guid>→ identity mapping, an explicit-Deny-winsnote, and a pointer to the new reference. Teaches the debug
agent to dump the right diagnostic detail when filing issues for
this failure class.
Content covered (consistently across all entry points)
TF401027error format & how to read<PermissionName>/Build\<guid>/<scope>$(System.AccessToken)→ PCBS vs project-scoped Build Service mappingextends:)az+ REST recipe to dump the ACL for any identity on any repoTF400813,TF401027,VS800075,TF401019, silent 404)Test plan
cd site && npm run build:/troubleshooting/safe-output-permissions/).starlight-links-validatorreports "All internal links arevalid."
in the two new files (
docs/safe-output-permissions.md→safe-outputs.md,network.md,audit.md; site page →/ado-aw/setup/service-connections/,/ado-aw/reference/safe-outputs/,/ado-aw/reference/audit/) resolves.permission table in both new files was generated by querying
securitynamespaces/2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87againsta live ADO org and ordered by bit value, so the bit/name/display-name
triples match what the ADO REST API actually returns today.
az+curlsnippetsin the reference page are the exact commands used during the
investigation that motivated this PR; they produced the example
effectiveDeny: 16404response quoted in the doc.No code changes — docs and prompt content only. No compiler / tool
behavior changes.