debug: upload-pipeline-artifact fails with ContainerWriteAccessDeniedException when uploading to other builds #471

@jamesadevine

Diagnostic Report

1. Build Information

| Field | Value |
| --- | --- |
| Organization | msazuresphere |
| Project | 4x4 |
| Pipeline | OS Triage Summary (Definition ID: 2504) |
| Build ID | 604715 |
| Branch | refs/heads/feature/failure-summary-agent |
| Source Version | b4cd14b0a4c11c582f1eb8c92d85b7e2ce489fae |
| Requested By | James Devine |
| Run Time | 2026-05-08 16:00–16:15 UTC (~13 min) |
| Build URL | https://dev.azure.com/msazuresphere/4x4/_build/results?buildId=604715 |
| Compiler Version | v0.27.0 |

2. Failure Classification

| Field | Value |
| --- | --- |
| Failing Stage | Execution (Stage 3) |
| Failing Step | "Execute safe outputs (Stage 3)" |
| Category | Safe output execution — upload-pipeline-artifact permission error |

3. Root Cause

All 3 upload-pipeline-artifact safe outputs failed with ContainerWriteAccessDeniedException:

[WARN] [ado_aw::execute] [1/3] upload-pipeline-artifact failed: Failed to upload file to
container #9724846 (HTTP 404 Not Found): {"message":"You do not have permission to create,
update, or delete items in container 9724846.",
"typeName":"Microsoft.VisualStudio.Services.FileContainer.ContainerWriteAccessDeniedException",
"typeKey":"ContainerWriteAccessDeniedException","errorCode":0,"eventId":4700}

The pipeline is designed to analyze builds from other pipeline definitions (IDs: 85, 1076, 105, 107, 110, 464, 1084, 84, 363, 576, 584, 1083) and upload TriageSummary artifacts back to those builds using upload-pipeline-artifact with a build_id targeting the analyzed build.

The ARM service connection (agentic-pipelines-write-connection) acquires an ADO token via az account get-access-token --resource 499b84ac-.... This token authenticates successfully but lacks permission to upload artifacts to file containers owned by other pipeline builds.

Azure DevOps file container write access is typically scoped to the build that created the container. Cross-build artifact uploads require the identity to have elevated permissions (e.g., vso.build_execute or project-level Build Administrator) that the ARM service principal may not have.

4. Impact

  • All 5 builds of this pipeline (definition 2504) have failed with the same error — it has never succeeded.
  • Stages 1 (Agent) and 2 (Detection) complete successfully; only Stage 3 (Execution) fails.

5. Evidence

Execution Summary (from log 72):

--- Execution Summary ---
Total: 3 | Success: 0 | Warnings: 0 | Failed: 3

Write token acquisition (log 67): ARM login succeeds, subscription d2e52c98-eb50-49bb-8b22-27581e724f66 ("4x4 Engineering") is set. Token is acquired without errors.

Agent front matter (agents/failure-summary.md):

permissions:
  write: agentic-pipelines-write-connection
  read: agentic-pipelines-ro-connection
safe-outputs:
  upload-pipeline-artifact:
    allowed-extensions: [".md"]
    allowed-artifact-names: ["TriageSummary"]
    max: 20

6. Questions for Maintainers

  1. Does the upload-pipeline-artifact executor support uploading to a different build's artifact container (i.e., cross-build uploads via build_id)? The error suggests the token cannot write to containers it does not own.
  2. If cross-build uploads are supported, what ADO permissions or scopes does the ARM service principal need on the target project/pipeline?
  3. Should the compiler or executor validate at compile time or pre-execution that the token has the necessary container write scopes for cross-build scenarios?
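Added example (not part of the original report or the project's code): a triage helper that parses executor warnings of the shape quoted in section 3 and classifies each failure by the service's `typeKey` rather than by the HTTP status, since the report shows an access-denied exception arriving as HTTP 404. The regex is inferred from the single log line on this page, the `AccessDeniedException` suffix check is an assumption, and the third sample line is constructed.

```python
import json
import re
from collections import Counter

# Shape of the executor warning quoted in section 3 (joined onto one line).
FAILURE_RE = re.compile(
    r"\[(?P<idx>\d+)/(?P<total>\d+)\] (?P<output>[\w-]+) failed: .*?"
    r"container #(?P<container>\d+) \(HTTP (?P<status>\d{3})[^)]*\): (?P<body>.*)$"
)

def parse_failure(line):
    """Return the failure fields from one log line, or None if it is not a failure."""
    m = FAILURE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    try:
        body = json.loads(rec.pop("body"))
    except json.JSONDecodeError:
        body = {}  # response body was not JSON
    rec["type_key"] = body.get("typeKey") if isinstance(body, dict) else None
    return rec

def classify(rec):
    """Trust the typeKey over the HTTP status (suffix match is an assumption)."""
    if (rec["type_key"] or "").endswith("AccessDeniedException"):
        return "authorization"
    if rec["status"] == 404:
        return "not-found"
    return "other"

def summarize(lines):
    """Count failure classes across a log, skipping non-failure lines."""
    return Counter(classify(r) for r in map(parse_failure, lines) if r)

# The warning from the report, joined onto one line.
DENIED = (
    '[WARN] [ado_aw::execute] [1/3] upload-pipeline-artifact failed: Failed to upload '
    'file to container #9724846 (HTTP 404 Not Found): {"message":"You do not have '
    'permission to create, update, or delete items in container 9724846.",'
    '"typeName":"Microsoft.VisualStudio.Services.FileContainer.ContainerWriteAccessDeniedException",'
    '"typeKey":"ContainerWriteAccessDeniedException","errorCode":0,"eventId":4700}'
)
# Constructed log: a repeat of the report's line, a constructed 404 with a
# non-JSON body, and the summary line from section 5.
SAMPLE_LOG = [DENIED, DENIED.replace("[1/3]", "[2/3]"),
    "[WARN] [ado_aw::execute] [3/3] upload-pipeline-artifact failed: Failed to upload "
    "file to container #1 (HTTP 404 Not Found): not json",
    "Total: 3 | Success: 0 | Warnings: 0 | Failed: 3"]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
```
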

Labels: question (Further information is requested)