Pat to GitHub apps two

[chidozieononiwu]

This pull request introduces improvements to the GitHub authentication flow in the CI/CD pipeline, enhancing token generation, handling, and usage across various pipeline templates and scripts. The main changes add support for exporting the GitHub token as an output variable, improve robustness in handling installation owners, and update pipeline stages to use the new token flow.

Enhancements to GitHub Token Handling:

• eng/common/scripts/login-to-github.ps1:

  • Added the ExportAsOutputVariable parameter to allow exporting the GitHub token as an Azure DevOps output variable for downstream jobs. [1] [2]
  • Improved handling of InstallationTokenOwners, including normalization and more robust matching logic for GitHub App installations. [1] [2]
  • Refactored the main script logic into Invoke-LoginToGitHub and ensured test runs are skipped.
  • Added a utility function Get-PropertyValue for safer property access.

• eng/common/pipelines/templates/steps/login-to-github.yml:

  • Added the ExportAsOutputVariable parameter and passed it through to the script. [1] [2]

Pipeline Integration:

• Updated pipeline templates (publish.yml, publish-extension.yml, vscode-publish-integration.yml) to:
  • Insert a new job or step to generate the GitHub token using the enhanced script and export it as an output variable. [1] [2] [3]
  • Pass the generated GH_TOKEN to subsequent jobs and tasks instead of using the previous azuresdk-github-pat variable. [1] [2] [3] [4]

Other Minor Changes:

• Improved documentation and parameter descriptions in the PowerShell script.
• Minor whitespace and formatting changes in pipeline YAML files.

These changes make the pipeline more secure, flexible, and maintainable by standardizing GitHub token usage and improving compatibility with Azure DevOps output variables.

Fixes Azure/azure-sdk-tools#9842

azure-dev - ext - microsoft.azd.demo - public

[Copilot]

Pull request overview

This PR updates the Azure DevOps release/publish pipeline templates to switch GitHub CLI authentication from a stored PAT to a GitHub App installation token minted at runtime (via eng/common/scripts/login-to-github.ps1), aiming to standardize token handling across jobs and stages.

Changes:

• Adds ExportAsOutputVariable support to login-to-github.ps1 and plumbs it through the login-to-github.yml step template.
• Updates publishing stage templates to generate a GitHub token and pass it to PR-commenting and release-related steps.
• Replaces $(azuresdk-github-pat) with $(GH_TOKEN) in the extension release step template.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
eng/common/scripts/login-to-github.ps1	Adds output-variable support and more robust installation owner matching for GitHub App token minting.
eng/common/pipelines/templates/steps/login-to-github.yml	Plumbs ExportAsOutputVariable through to the PowerShell script.
eng/pipelines/templates/steps/publish-extension.yml	Switches GH_TOKEN env usage from PAT to $(GH_TOKEN) for gh calls.
eng/pipelines/templates/stages/vscode-publish-integration.yml	Adds a token-generation job and passes $(GH_TOKEN) into the PR comment step.
eng/pipelines/templates/stages/publish.yml	Adds token generation (currently in Publish_Brew) and passes $(GH_TOKEN) into the PR comment step.
eng/pipelines/templates/stages/publish-extension.yml	Adds a token-generation job and makes release publishing depend on it.
eng/pipelines/release-cli.yml	Contains a whitespace-only line change near the publish stage template inclusion.

[jongio]

Reviewed: 6 files, +189 -47

This PR is a solid security improvement: replacing stored PATs with dynamically minted GitHub App tokens via Azure Key Vault signing. The ExportAsOutputVariable flow, Get-PropertyValue utility, and Pester testability guard are all well-done. Most concerns from the earlier automated review are addressed by the current state of the code.

One issue that needs fixing before merge (see inline comment).

[jongio]

Incremental review (1 new commit since my last review)

The new commit 8fee6ca6 ("Update Generate_GH_Token dependency") addresses my previous finding correctly. Update_Registry now lists both Publish_Release and Generate_GH_Token in dependsOn, which is required for the dependencies.Generate_GH_Token.outputs[...] expression to resolve at runtime.

Fix is correct. No remaining concerns from my side.

[jongio]

Incremental review of commit 3170f53 ("Use regular jobs for step requiring GH_TOKEN").

The refactoring approach is sound: splitting GH_TOKEN-dependent work into regular jobs (where each job runs its own login-to-github step) is cleaner than passing output variables across deployment boundaries. The new split templates (publish-extension-github-release.yml, publish-extension-storage.yml) are well-structured.

One pipeline-breaking issue remains (see inline comment).

[jongio]

Dependency fix is correct. Update_Registry now points at Publish_Storage, and the transitive chain (Create_GitHub_Release -> Publish_Storage -> Update_Registry) ensures the registry update still waits for the release on production builds. No remaining concerns.

[chidozieononiwu]

/check-enforcer override

[jongio]

Incremental review after force-push to bb35b8a ("Update login-to-github placement").

Pipeline-breaking regression: Update_Registry still references the old job name Publish_Release in its dependsOn. That deployment was renamed to Publish_Storage in this rebase, so ADO will reject the pipeline definition. This was fixed in the previous push (557b4b4) but lost in the rebase. See inline comment.

Dead code: ExportAsOutputVariable is defined in login-to-github.yml and login-to-github.ps1, but no caller in this PR passes ExportAsOutputVariable: true. Since each job now runs its own login-to-github step (obtaining a process-scoped token), cross-job token export isn't needed. @danieljurek's feedback to simplify the login-to-github changes seems right here.