Pat to GitHub apps two#8734
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the Azure DevOps release/publish pipeline templates to switch GitHub CLI authentication from a stored PAT to a GitHub App installation token minted at runtime (via eng/common/scripts/login-to-github.ps1), aiming to standardize token handling across jobs and stages.
Changes:
- Adds
ExportAsOutputVariablesupport tologin-to-github.ps1and plumbs it through thelogin-to-github.ymlstep template. - Updates publishing stage templates to generate a GitHub token and pass it to PR-commenting and release-related steps.
- Replaces
$(azuresdk-github-pat)with$(GH_TOKEN)in the extension release step template.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| eng/common/scripts/login-to-github.ps1 | Adds output-variable support and more robust installation owner matching for GitHub App token minting. |
| eng/common/pipelines/templates/steps/login-to-github.yml | Plumbs ExportAsOutputVariable through to the PowerShell script. |
| eng/pipelines/templates/steps/publish-extension.yml | Switches GH_TOKEN env usage from PAT to $(GH_TOKEN) for gh calls. |
| eng/pipelines/templates/stages/vscode-publish-integration.yml | Adds a token-generation job and passes $(GH_TOKEN) into the PR comment step. |
| eng/pipelines/templates/stages/publish.yml | Adds token generation (currently in Publish_Brew) and passes $(GH_TOKEN) into the PR comment step. |
| eng/pipelines/templates/stages/publish-extension.yml | Adds a token-generation job and makes release publishing depend on it. |
| eng/pipelines/release-cli.yml | Contains a whitespace-only line change near the publish stage template inclusion. |
90c9ae3 to
45eb23d
Compare
jongio
left a comment
There was a problem hiding this comment.
Reviewed: 6 files, +189 -47
This PR is a solid security improvement: replacing stored PATs with dynamically minted GitHub App tokens via Azure Key Vault signing. The ExportAsOutputVariable flow, Get-PropertyValue utility, and Pester testability guard are all well-done. Most concerns from the earlier automated review are addressed by the current state of the code.
One issue that needs fixing before merge (see inline comment).
jongio
left a comment
There was a problem hiding this comment.
Incremental review (1 new commit since my last review)
The new commit 8fee6ca6 ("Update Generate_GH_Token dependency") addresses my previous finding correctly. Update_Registry now lists both Publish_Release and Generate_GH_Token in dependsOn, which is required for the dependencies.Generate_GH_Token.outputs[...] expression to resolve at runtime.
Fix is correct. No remaining concerns from my side.
jongio
left a comment
There was a problem hiding this comment.
Incremental review of commit 3170f53 ("Use regular jobs for step requiring GH_TOKEN").
The refactoring approach is sound: splitting GH_TOKEN-dependent work into regular jobs (where each job runs its own login-to-github step) is cleaner than passing output variables across deployment boundaries. The new split templates (publish-extension-github-release.yml, publish-extension-storage.yml) are well-structured.
One pipeline-breaking issue remains (see inline comment).
jongio
left a comment
There was a problem hiding this comment.
Dependency fix is correct. Update_Registry now points at Publish_Storage, and the transitive chain (Create_GitHub_Release -> Publish_Storage -> Update_Registry) ensures the registry update still waits for the release on production builds. No remaining concerns.
|
/check-enforcer override |
Switch PAT to GitHubApps Changes to Token flow
557b4b4 to
bb35b8a
Compare
jongio
left a comment
There was a problem hiding this comment.
Incremental review after force-push to bb35b8a ("Update login-to-github placement").
Pipeline-breaking regression: Update_Registry still references the old job name Publish_Release in its dependsOn. That deployment was renamed to Publish_Storage in this rebase, so ADO will reject the pipeline definition. This was fixed in the previous push (557b4b4) but lost in the rebase. See inline comment.
Dead code: ExportAsOutputVariable is defined in login-to-github.yml and login-to-github.ps1, but no caller in this PR passes ExportAsOutputVariable: true. Since each job now runs its own login-to-github step (obtaining a process-scoped token), cross-job token export isn't needed. @danieljurek's feedback to simplify the login-to-github changes seems right here.
This pull request introduces improvements to the GitHub authentication flow in the CI/CD pipeline, enhancing token generation, handling, and usage across various pipeline templates and scripts. The main changes add support for exporting the GitHub token as an output variable, improve robustness in handling installation owners, and update pipeline stages to use the new token flow.
Enhancements to GitHub Token Handling:
eng/common/scripts/login-to-github.ps1:ExportAsOutputVariableparameter to allow exporting the GitHub token as an Azure DevOps output variable for downstream jobs. [1] [2]InstallationTokenOwners, including normalization and more robust matching logic for GitHub App installations. [1] [2]Invoke-LoginToGitHuband ensured test runs are skipped.Get-PropertyValuefor safer property access.eng/common/pipelines/templates/steps/login-to-github.yml:ExportAsOutputVariableparameter and passed it through to the script. [1] [2]Pipeline Integration:
publish.yml,publish-extension.yml,vscode-publish-integration.yml) to:GH_TOKENto subsequent jobs and tasks instead of using the previousazuresdk-github-patvariable. [1] [2] [3] [4]Other Minor Changes:
These changes make the pipeline more secure, flexible, and maintainable by standardizing GitHub token usage and improving compatibility with Azure DevOps output variables.
Fixes Azure/azure-sdk-tools#9842
azure-dev - ext - microsoft.azd.demo - public