Switch PAT to GitHubApps#8616
Conversation
chidozieononiwu
requested review from
RickWinter,
danieljurek,
tg-msft and
vhvb1989
as code owners
🔗 Linked Issue RequiredThanks for the contribution! Please link a GitHub issue to this PR by adding |
There was a problem hiding this comment.
Pull request overview
This PR updates Azure DevOps pipeline step templates to standardize GitHub authentication by switching from the legacy azuresdk-github-pat variable to a GitHub App–minted GH_TOKEN, and by adding a shared login-to-github.yml step to centralize token acquisition.
Changes:
- Replaced
$(azuresdk-github-pat)usage with$(GH_TOKEN)(or parameters defaulting to it) across multiple templates. - Added
/eng/common/pipelines/templates/steps/login-to-github.ymlahead of GitHub CLI / token-dependent actions, with explicitTokenOwnersin most templates. - Updated templates to make token ownership more explicit/traceable via
TokenOwners.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| eng/pipelines/templates/steps/update-prcomment.yml | Uses GH_TOKEN by default and adds a GitHub App login step with owner derived from Repo. |
| eng/pipelines/templates/steps/set-git-credentials.yml | Switches git credential token default to GH_TOKEN and adds a GitHub App login step. |
| eng/pipelines/templates/steps/publish-extension.yml | Adds GitHub App login step and replaces PAT usage with GH_TOKEN for gh operations. |
| eng/pipelines/templates/steps/publish-cli.yml | Adds GitHub App login step (conditional) and replaces PAT usage with GH_TOKEN for gh operations. |
| eng/pipelines/templates/steps/publish-cli-winget.yml | Switches default token to GH_TOKEN and adds GitHub App login step before WinGet submission. |
|
|
chidozieononiwu
force-pushed
the
pat-to-github-apps
branch
5 times, most recently
from
0e1e2ca to
ac9e0ba
Compare
| steps: | ||
| - template: /eng/pipelines/templates/steps/set-metadata-variables.yml | ||
|
|
||
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml |
There was a problem hiding this comment.
I don't think the default Azure installation token is the right credential for this step. wingetcreate update --token needs to work against microsoft/winget-pkgs (and create/update the submission PR), but this login mints a token for the Azure org. Can we request the installation owner that has access to the WinGet repo instead, or keep this step on a credential that can actually submit the package?
There was a problem hiding this comment.
You are probably right. But the bigger issue is I cannot find a way to actually test these pipelines end to end without doing an unauthorized release. Could you advice on how to test these pipelines. Without a canary pipeline I can almost guarantee changes here will break the release on merge.
| GitHubPat: $(GH_TOKEN) | ||
|
|
||
| steps: | ||
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml |
There was a problem hiding this comment.
This switches the git credential helper to $(GH_TOKEN), but callers that create PRs still hit eng/common/pipelines/templates/steps/create-pull-request.yml, which passes $(azuresdk-github-pat) into Submit-PullRequest.ps1. For example, the docs publishing flow uses this template and then opens a PR in MicrosoftDocs/azure-dev-docs-pr, so the PAT dependency is still on the release path.
There was a problem hiding this comment.
Thank you for review, I would need a way to test the pipeline to be able to get this working well. Is there a template package that could be used to test these changes?
chidozieononiwu
force-pushed
the
pat-to-github-apps
branch
from
b5c51e8 to
f576d37
Compare
| - name: PublishToDevRegistry | ||
| type: boolean | ||
| default: false | ||
| - name: PublishAsDraft |
There was a problem hiding this comment.
Revert draft stuff. Just run the demo extension publish pipieline to see everything working as intended. https://dev.azure.com/azure-sdk/internal/_build?definitionId=7720
Success criteria: New release and tag in repo for demo extension.
| PrNumber: $(PRNumber) | ||
| BodyFile: $(CommentBodyFile) | ||
| Tag: '<!-- #comment-cli-pr -->' | ||
| GitHubToken: $(GH_TOKEN) |
There was a problem hiding this comment.
To test this change, open a PR to your branch that does some trivial change to https://github.com/Azure/azure-dev/blob/main/cli/azd/README.md
Success criteria: The PR you opened gets a comment in it with links to azd that you can download.
| PrNumber: $(PRNumber) | ||
| Tag: '<!-- #comment-vscode-pr -->' | ||
| BodyFile: $(CommentBodyFile) | ||
| GitHubToken: $(GH_TOKEN) |
There was a problem hiding this comment.
This is also a deploy job so you don't have access to source. Plumb the variable in through a different job.
To test: Open a PR to your branch that adds a trivial change to https://github.com/Azure/azure-dev/blob/main/ext/vscode/README.md
Success criteria: After build you get a comment in the PR that includes links to download the extension file.
|
|
||
| steps: | ||
| - ${{ if eq('true', parameters.CreateGitHubRelease) }}: | ||
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml |
There was a problem hiding this comment.
This is a deployment job with no access to source. You'll need to set up the secret somehow.
| default: false | ||
|
|
||
| steps: | ||
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml |
There was a problem hiding this comment.
This runs in the context of a deploy job with no access to source. GH_TOKEN will need to come from somewhere.
Success criteria: Run a release of the demo extension against this branch and if everything succeeds you're good.
| steps: | ||
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml | ||
| parameters: | ||
| TokenOwners: |
There was a problem hiding this comment.
Token needs to be issued to MicrosoftDocs org
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml | ||
| parameters: | ||
| ExportAsOutputVariable: true |
There was a problem hiding this comment.
This won't work. It needs to be added at the level of steps, right now it's in a stage
danieljurek
left a comment
danieljurek
left a comment
There was a problem hiding this comment.
Things to change:
- Release deployment jobs that tag the repo and upload bits to GitHub releases should be "jobs" (not deployments) have access to source (same as SDK)
This pull request updates several pipeline templates to standardize GitHub authentication and token usage. The main improvements are the switch from the
azuresdk-github-patvariable toGH_TOKENfor GitHub authentication, and the addition of a shared login step to ensure tokens are properly configured. These changes improve maintainability and security by centralizing authentication logic and making token ownership explicit.Authentication and Token Management Improvements:
Replaced usage of the
azuresdk-github-patvariable withGH_TOKENfor theGitHubTokenandGitHubPatparameters in multiple pipeline templates, includingpublish-cli.yml,publish-extension.yml,publish-cli-winget.yml,set-git-credentials.yml, andupdate-prcomment.yml. This ensures consistency and better aligns with current token management practices. [1] [2] [3] [4] [5] [6] [7] [8]Added the
/eng/common/pipelines/templates/steps/login-to-github.ymltemplate step to all relevant pipeline templates. This step ensures that GitHub authentication is properly established before any GitHub-related actions are performed. [1] [2] [3] [4] [5]Token Ownership Explicitness:
TokenOwnersbased on repository or username context, improving traceability and clarity of token usage in the pipeline. [1] [2] [3] [4]These changes collectively improve the security, clarity, and maintainability of the CI/CD pipeline authentication process.
azure-dev - ext - microsoft.azd.extensions
azure-dev - ext - microsoft.azd.demo - public