Sync eng/common directory with azure-sdk-tools for PR 15357#48980
Sync eng/common directory with azure-sdk-tools for PR 15357#48980
Conversation
azure-sdk
added
EngSys
There was a problem hiding this comment.
Pull request overview
Syncs eng/common Azure Pipelines templates with the corresponding updates from azure-sdk-tools PR 15357, focusing on moving GitHub authentication from a static PAT to GitHub App installation tokens (via login-to-github.yml).
Changes:
- Added conditional GitHub App login in
prepare-pipelines.ymlfor*-prrepositories and switched sparse-checkout auth to use$(GH_TOKEN). - Added GitHub App login steps in the TypeSpec emitter archetype and switched PR creation auth from
$(azuresdk-github-pat)to$(GH_TOKEN_Azure).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| eng/common/pipelines/templates/jobs/prepare-pipelines.yml | Uses GitHub App token (GH_TOKEN) for sparse-checkout auth when operating on *-pr repos. |
| eng/common/pipelines/templates/archetype-typespec-emitter.yml | Introduces GitHub App login steps and changes PR creation to use a GH token variable instead of a PAT. |
| -BaseBranch '$(pullRequestTargetBranch)' | ||
| -PROwner 'azure-sdk' | ||
| -PRBranch '$(branchName)' | ||
| -AuthToken '$(azuresdk-github-pat)' | ||
| -AuthToken '$(GH_TOKEN_Azure)' | ||
| -PRTitle '$(PullRequestTitle)' |
There was a problem hiding this comment.
Create pull request is now hard-coded to use $(GH_TOKEN_Azure), but this template derives RepoOwner at runtime from Build.Repository.Name and can be azure-sdk (or something else) depending on which repo consumes this archetype. In those cases the GH_TOKEN_Azure installation token will not have permissions on the target org, and PR creation will fail with 401/403. Consider selecting the token variable based on $(RepoOwner) (e.g., set an AuthTokenForPR variable in the preceding PowerShell step by reading the appropriate GH_TOKEN* env var) and pass that into Submit-PullRequest.ps1 instead of always using GH_TOKEN_Azure.
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml | ||
| parameters: | ||
| TokenOwners: | ||
| - azure-sdk | ||
|
|
There was a problem hiding this comment.
This added login-to-github.yml step doesn't appear to be used anywhere later in the Initialize job (there are no references to GH_TOKEN* in this job). Since login-to-github.ps1 mints a GitHub App token via Key Vault signing, running it unnecessarily adds time and an external dependency for every pipeline run. Please remove it, or wire the minted token into a later step that actually requires GitHub auth in this job.
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml | |
| parameters: | |
| TokenOwners: | |
| - azure-sdk | |
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml | ||
| parameters: | ||
| TokenOwners: | ||
| - azure-sdk | ||
|
|
There was a problem hiding this comment.
This added login-to-github.yml step doesn't appear to be used anywhere later in the Generate job (the job doesn't reference GH_TOKEN*, and pushes are performed via git-push-changes.yml which currently uses $(azuresdk-github-pat)). Running GitHub App login per matrix job can be expensive (Key Vault signing + extra REST calls) and increases the chance of transient failures. Please remove it until it is needed, or update the subsequent GitHub-authenticated operations to actually use the minted token.
| - template: /eng/common/pipelines/templates/steps/login-to-github.yml | |
| parameters: | |
| TokenOwners: | |
| - azure-sdk |
azure-sdk
force-pushed
the
sync-eng/common-prepare-pipelines-transition-15357
branch
2 times, most recently
from
9a67b6f to
082f1c6
Compare
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
azure-sdk
force-pushed
the
sync-eng/common-prepare-pipelines-transition-15357
branch
from
082f1c6 to
cfda3ee
Compare
Sync eng/common directory with azure-sdk-tools for PR Azure/azure-sdk-tools#15357 See eng/common workflow