Creating a GitHub App based Azure DevOps Pipelines Service Connection
The Problem
The GitHub ‘Azure Pipelines’ App enables some really interesting ‘better together’ scenarios mixing the usage of Azure DevOps Pipelines for CI/CD processes while your source is stored on GitHub. It is particularly useful if an enterprise is migrating towards GitHub Enterprise over a period of time, maybe using GitHub Enterprise Importer (GEI) to do the migration.
I was recently working on such a migration for a client that involved numerous Azure DevOps organisations. In the past someone had setup the GitHub ‘Azure Pipelines’ App on their GitHub organisation and got it working with one of their Azure DevOps organisation.
The question was how do you setup a GitHub App based service connection in their other Azure DevOps organsations, without breaking what was already installed?
Service Connections & GitHub Authentication
The way Azure DevOps Pipelines communicate with GitHub is via a Service Connection.
To create a service connection you goto Project Settings > Pipelines > Service Connections
then press the New Service Connection
button, picking the service you require.
When you do this and pick the GitHub
option you are offered two ways to authenticate
- A PAT - linked to a specific user and will expire after a fixed period
- oAuth - again linked to a specific user, the one creating the service connection, but will not expire, so the preferred solution
But neither of these are authentication via the GitHub App
. So the question is how do you create a service connection of that type?
Solution
It turns out adding the ‘right type of service connection’ is easy, but really poorly documented. Every document seems to point to re-installing the Azure Pipelines App in GitHub, this is not required.
The process is as follows, assuming the Azure Pipeline GitHub App is installed and configured in your GitHub organisation.
- In a Team Project on the Azure DevOps organisation where you need the service connection create a new pipeline
- Pick GitHub as the source location. You maybe prompted to authenticate, and then will be given a list of repositories to pick from, pick one, the choice of which one is not important.
- Once this is done you are presented with a list of pipeline templates to use, at this point you can cancel the creation of the pipeline, completing it is not required.
- If you look in
Project Settings > Pipelines > Service Connections
you will see a new Git Service Connection has been created with the name of the Azure DevOps Team Project that has the authentication method GitHub App, exactly what we require.
In my scenario I was then able to rewire all the pipelines in my Azure DevOps organisation to point to GitHub using the GEI command gh ado2gh share-service-connection
to share the new service connection to other Team Projects, and then gh ado2gh rewire-pipeline
to change the source location.
For the original version of this post see Richard Fennell's personal blog at Creating a GitHub App based Azure DevOps Pipelines Service Connection