Secure Git credential storage for Windows with support for Visual Studio Team Services, GitHub, and Bitbucket multi-factor authentication.
Build agents, and other automation, often require specialized setup and configuration. While there is detailed documentation on GCM configuration options, the settings below are the ones agents most commonly need in order to operate.
Note: SSH is often a better choice for automated systems because requiring interactivity is a non-default option, and SSH is known to be secure and reliable.
The majority of build definitions will work with a single repository, or at least a set of repositories which all have the same authentication requirements.
In this case, it is generally better to rely on Azure DevOps Build Variables; specifically the $(System.AccessToken) build process OAuth token.
To enable scripts to use the build process OAuth token, go to the Options tab of the build definition and select Allow Scripts to Access OAuth Token.
For more information, read Azure DevOps: Use the OAuth token to access the REST API.
Build agents cannot manage modal dialogs, therefore we recommend the following configuration.
git config --global credential.interactive never
Build agents often need to minimize the amount of network traffic they generate.
To avoid Microsoft Account vs. Azure Active Directory look-up against an Azure DevOps account use…
… for Azure Directory backed authentication:
git config --global credential.authority Azure
… for Microsoft Account backed authentication:
git config --global credential.authority Microsoft
… to restrict the lifetime of VSTS personal access tokens:
git config --global credential.tokenDuration 1
If your agents rely on an on-premises instance of Team Foundation Server and Windows Domain Authentication, use:
git config --global credential.authority NTLM
To avoid unnecessary service account credential validation when relying on Microsoft Account or Azure Active Directory, use:
git config --global credential.validate false
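To check that an agent actually carries the settings recommended above, the following added example (not part of GCM or of the original page) audits the output of `git config --global --list`. The function name `audit_gcm_agent_config` is hypothetical, and comparing values case-insensitively is an assumption.

```shell
#!/bin/sh
# Added example: audit a build agent's GCM settings against this page.
# Input (stdin): output of `git config --global --list` (key=value lines).
# Returns the number of findings (0 = matches the recommendations).
# audit_gcm_agent_config is a hypothetical name, not a GCM command.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

audit_gcm_agent_config() {
    interactive='' authority='' validate='' duration=''
    # Later entries override earlier ones, as in git itself.
    while IFS='=' read -r key value; do
        case $(lower "$key") in
            credential.interactive)   interactive=$value ;;
            credential.authority)     authority=$value ;;
            credential.validate)      validate=$value ;;
            credential.tokenduration) duration=$value ;;
        esac
    done
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Agents cannot answer modal dialogs.
    [ "$(lower "$interactive")" = never ] ||
        report "credential.interactive is '${interactive:-unset}', expected 'never'"

    # Values compared case-insensitively (assumption).
    case $(lower "$authority") in
        azure|microsoft)
            [ "$(lower "$validate")" = false ] ||
                report "credential.validate is '${validate:-unset}', expected 'false'"
            case $duration in
                ''|*[!0-9]*)
                    report "credential.tokenDuration is '${duration:-unset}', expected a whole number" ;;
            esac ;;
        ntlm) ;;  # on-premises TFS: token settings do not apply
        *)  report "credential.authority is '${authority:-unset}', expected Azure, Microsoft or NTLM" ;;
    esac
    return "$findings"
}

# Constructed sample (not from a real agent): prompts are still enabled.
printf 'credential.interactive=auto\ncredential.authority=Azure\n' |
    audit_gcm_agent_config || echo "agent configuration differs from the recommendations"
```

On an agent, run `git config --global --list | audit_gcm_agent_config` and fail the provisioning step on a non-zero status.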