Sorry to answer my own question here...

很抱歉在这里回答我自己的问题......

I just got some hint from some TFS expert, who pointed me to this article: https://www.visualstudio.com/en-us/docs/build/scripts/git-commands, which perfectly solved my problem.

我刚刚从一些 TFS 专家那里得到了一些提示，他向我指出了这篇文章：https: //www.visualstudio.com/en-us/docs/build/scripts/git-commands，它完美地解决了我的问题。

I think I should share it out to help whoever might run into the same situation as I did.

我想我应该把它分享出来，以帮助可能遇到和我一样情况的人。

Here I am quoting the key steps (reformatted a bit):

在这里，我引用了关键步骤（重新格式化了一点）：

Grant version control permissions to the build service

Go to the Version Control control panel tab

• Team Services: https://{your-account}.visualstudio.com/DefaultCollection/{your-team-project}/_admin/_versioncontrol

• On-premises: https://{your-server}:8080/tfs/DefaultCollection/{your-team-project}/_admin/_versioncontrol

On the Version Controltab, select the repository in which you want to run Git commands, and then select Project Collection Build Service (account_name). Grant permissions needed for the Git commands you want to run. Typically you'll want to grant:

• Branch creation: Allow
• Contribute: Allow
• Read: Inherited allow
• Tag creation: Inherited allow

When you're done granting the permissions, make sure to click Save changes.

Enable your build definition to run Git.exe

• On the variables tabset this variable: system.prefergit = true
• On the options tabselect Allow scripts to access OAuth token.

向构建服务授予版本控制权限

转到版本控制控制面板选项卡

• 团队服务：https://{your-account}.visualstudio.com/DefaultCollection/{your-team-project}/_admin/_versioncontrol

• 本地：https://{your-server}:8080/tfs/DefaultCollection/{your-team-project}/_admin/_versioncontrol

在Version Control选项卡上，选择要在其中运行 Git 命令的存储库，然后选择Project Collection Build Service (account_name)。授予您要运行的 Git 命令所需的权限。通常，您需要授予：

• 分支创建：允许
• 贡献：允许
• 阅读：继承允许
• 标签创建：继承允许

完成授予权限后，请务必点击保存更改。

启用构建定义以运行 Git.exe

• 在变量选项卡上设置这个变量：system.prefergit = true
• 在选项选项卡上选择允许脚本访问 OAuth 令牌。

With these settings, there is no need to install the Git Build Tools extension or tweak the Credential Manager. You don't need to explicitly set the extra header for OAuth token, either. I feel it's indeed a very neat solution. :)

使用这些设置，无需安装 Git Build Tools 扩展或调整 Credential Manager。您也不需要为 OAuth 令牌显式设置额外的标头。我觉得这确实是一个非常巧妙的解决方案。:)

But really appreciate the help from Eddie and VonC!

但真的很感谢 Eddie 和 VonC 的帮助！

Visual Studio Team Services (VSTS) now has built in functionality to do this:

Visual Studio Team Services (VSTS) 现在具有执行此操作的内置功能：

1. Grant the account Project Collection Build Service (account_name)access to the appropriate repository in VSTS.
2. In the Agent phase, check the box to Allow scripts to access OAuth token.
3. Now within the task you can reference the variable SYSTEM_ACCESSTOKENto access the git repository: git clone https://randomusername:${SYSTEM_ACCESSTOKEN}@instance.visualstudio.com/proj1/_git/repo

1. 授予帐户项目集合构建服务 (account_name)访问 VSTS 中相应存储库的权限。
2. 在 Agent 阶段，选中Allow scripts to access OAuth token框。
3. 现在在任务中，您可以引用变量SYSTEM_ACCESSTOKEN来访问 git 存储库： git clone https://randomusername:${SYSTEM_ACCESSTOKEN}@instance.visualstudio.com/proj1/_git/repo

Ref: https://github.com/Microsoft/vsts-tasks/issues/962

参考：https: //github.com/Microsoft/vsts-tasks/issues/962

You can install Git Build Toolsextension and then add "Allow Git remote access" task in your build definition. Make sure "Allow Scripts to Access OAuth Token" feature under "Options" tab is enabled.

您可以安装Git 构建工具扩展，然后在构建定义中添加“允许 Git 远程访问”任务。确保启用了“选项”选项卡下的“允许脚本访问 OAuth 令牌”功能。

Enable Git Remote Access

Certain operations require access to the remote repository from during a build. This task updates a remote of the Git repository on the agent to allow access to the upstream repository on Visual Studio Team Services.

Requirements

For this build task to work it is required that the Allow Scripts to Access OAuth Token option is set in the build definition options.

Parameters

Enable Git Remote Access

Remote name: Name of the remote which should be updated. Default is origin.

Related Tasks

Restore Git Remote should be called at the end of the build definition to restore the remote to its original value.

Known issues

Git-Lfs operations, like git lfs fetch still won't work with this. See this Git-Lfs issue

启用 Git 远程访问

某些操作需要在构建期间访问远程存储库。此任务更新代理上 Git 存储库的远程，以允许访问 Visual Studio Team Services 上的上游存储库。

要求

要使此构建任务工作，需要在构建定义选项中设置允许脚本访问 OAuth 令牌选项。

参数

启用 Git 远程访问

远程名称：应更新的远程名称。默认为原点。

相关任务

应在构建定义的末尾调用 Restore Git Remote 以将远程恢复到其原始值。

已知的问题

Git-Lfs 操作，如 git lfs fetch 仍然无法使用它。看到这个 Git-Lfs 问题

Add the steps for using the powershell script in the extension:

在扩展中添加使用powershell脚本的步骤：

1. Create a power-shell script with the code in the "EnableGitRemoteAccess.ps1" script and add the script into source control.
2. Enable the "Allow Scripts to Access OAuth Token" option in the build definition.
3. Add a PowerShell task in build definition and set the script path the script to enable the git remote access.
4. Add another PowerShell task in build definition to commit and push the changes.

1. 使用“EnableGitRemoteAccess.ps1”脚本中的代码创建一个 power-shell 脚本，并将该脚本添加到源代码管理中。
2. 在构建定义中启用“允许脚本访问 OAuth 令牌”选项。
3. 在构建定义中添加 PowerShell 任务并设置脚本的脚本路径以启用 git 远程访问。
4. 在构建定义中添加另一个 PowerShell 任务以提交和推送更改。

The code I use to commit and push changes:

我用来提交和推送更改的代码：

git add .
git commit -m "changesinbuild"
git push origin master 2>&1 | Write-Host

Any file that you can generate from the source is generally considered as build artifact, and notadded/committed/pushed to a git repo.

您可以从源生成的任何文件通常被视为构建工件，而不是添加/提交/推送到 git 存储库。

That being said, if you can, you should use an ssh url instead of an https one: ssh would require an ssh key, and if your private ssh key is passphrase-less, git won't have to query anything on stdin.

话虽如此，如果可以，您应该使用 ssh url 而不是 https url：ssh 需要一个 ssh 密钥，如果您的私人 ssh 密钥没有密码，git 将不必在标准输入上查询任何内容。

Another way is to use the Microsoft GCH (Git Credential Helper), which is included in Git for Windows(since Git 2.7.3, March 2016).
See this answerfor an example. That would cache your login/password within the Windows Credential store.

另一种方法是使用Microsoft GCH (Git Credential Helper)，它包含在Git for Windows 中（自Git 2.7.3 起，2016 年 3 月）。
有关示例，请参阅此答案。这会将您的登录名/密码缓存在 Windows 凭据存储中。

This is just a followup of Tony's Blues answer.

这只是 Tony's Blues 回答的后续。

Sorry I can't post links since my reputation is below 10, but all are placed at visualstudio website, so I'm sure you can figure this out yourself.

抱歉，我无法发布链接，因为我的声誉低于 10，但所有链接都放在 Visualstudio 网站上，所以我相信您可以自己解决这个问题。

To allow GIT contributions within a script you need to

要在脚本中允许 GIT 贡献，您需要

1. Make sure you have all stuff mentioned in VSTS Agent prerequisites done

   • Mac OS: https://www.visualstudio.com/en-us/docs/build/admin/agents/v2-osx
   • Windows: /en-us/docs/build/admin/agents/v2-windows
   • Linux: /en-us/docs/build/admin/agents/v2-linux

2. Make sure you followed instructions at /en-us/docs/build/scripts/git-commands

   • Especially add required permissions to Project Build Service accounton your repository - at least Contribute(feel free to consider other permissions according to your needs) - this is the real cause of "SSL read error"

1. 确保您已完成 VSTS 代理先决条件中提到的所有内容

   • Mac 操作系统：https: //www.visualstudio.com/en-us/docs/build/admin/agents/v2-osx
   • Windows：/en-us/docs/build/admin/agents/v2-windows
   • Linux：/en-us/docs/build/admin/agents/v2-linux

2. 确保您遵循 /en-us/docs/build/scripts/git-commands 中的说明

   • 特别是在您的存储库上为Project Build Service 帐户添加所需的权限- 至少是Contribute（根据您的需要随意考虑其他权限） -这是“SSL 读取错误”的真正原因

What's different between this post and Tony's one is that in our configuration (TFS 2015; VSTS Agent installed on Mac OS Sierra) we've had to add permission "Contribute" for account "Project Build Service" - so not the account with the word "collection" mentioned in name. Also be careful and not mix it up with the group named Project Collection Build Service Accounts- I believe it may be used under certain conditions but it doesn't work by default. I'm pointing this out since this is what I've accidentally did and so I've spent additional time debugging what's wrong.

这篇文章和 Tony 的文章之间的不同之处在于，在我们的配置（TFS 2015；安装在 Mac OS Sierra 上的 VSTS 代理）中，我们必须为帐户“ Project Build Service”添加权限“Contribute ”——所以不是带有这个词的帐户名称中提到的“集合”。还要小心，不要将它与名为 Project Collection Build Service Accounts 的组混淆- 我相信它可以在某些条件下使用，但默认情况下它不起作用。我指出这一点，因为这是我不小心做的，所以我花了额外的时间调试出了什么问题。

Please check following picture It can be found under your project --> Control Panel --> Version control --> GIT repository

请查看下图可以在您的项目--> 控制面板--> 版本控制--> GIT 存储库下找到

Also please be careful with system requirements since in my case (on MacOS Sierra) the part with symbolic links for two specific directories turned critical. Specific system requirements for OSX are placed at [github]/Microsoft/vsts-agent/blob/master/docs/start/envosx.md and states

另外请注意系统要求，因为在我的情况下（在 MacOS Sierra 上），带有两个特定目录的符号链接的部分变得至关重要。OSX 的特定系统要求放在 [github]/Microsoft/vsts-agent/blob/master/docs/start/envosx.md 和状态

Install openssl

安装openssl

$ brew update
$ brew install openssl

Create symbolic links to openssl libs-- this is required on MacOS (Sierra)

创建指向 openssl 库的符号链接——这在 MacOS (Sierra) 上是必需的

$ mkdir -p /usr/local/lib/
$ ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/
$ ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/

Find out your version of GIT

找出您的 GIT 版本

$ git --version

Update GIT in case you have lower than 2.9.0

如果您的版本低于 2.9.0，请更新 GIT

$ brew update
$ brew install git

I was having this same issue. The solution was to put the git config options within the script portion of the yaml. See this GitHub issue for examples:

我遇到了同样的问题。解决方案是将 git 配置选项放在 yaml 的脚本部分。有关示例，请参阅此 GitHub 问题：

https://github.com/Microsoft/azure-pipelines-agent/issues/1925

https://github.com/Microsoft/azure-pipelines-agent/issues/1925