From bc4a2914f9017300a98dc2af8934f9a51f21addd Mon Sep 17 00:00:00 2001 From: Scott Beddall Date: Wed, 29 Apr 2026 22:53:40 +0000 Subject: [PATCH 1/3] this is backwards compatible. new callers can explicitly add login-to-github and pass the authtoken parameter --- .../templates/steps/create-pull-request.yml | 12 +++++++++--- .../templates/steps/create-tags-and-git-release.yml | 3 ++- .../pipelines/templates/steps/git-push-changes.yml | 5 +++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/eng/common/pipelines/templates/steps/create-pull-request.yml b/eng/common/pipelines/templates/steps/create-pull-request.yml index 57e413c2db78..ba1c4a47abbe 100644 --- a/eng/common/pipelines/templates/steps/create-pull-request.yml +++ b/eng/common/pipelines/templates/steps/create-pull-request.yml @@ -1,5 +1,6 @@ -# Expects azuresdk-github-pat is set to the PAT for azure-sdk -# Expects the buildtools to be cloned +# Expects AuthToken to be a valid GitHub token. +# Defaults to azuresdk-github-pat for backwards compatibility. +# New callers should pass AuthToken: $(GH_TOKEN) after calling login-to-github.yml. parameters: BaseBranchName: $(Build.SourceBranch) @@ -21,6 +22,10 @@ parameters: SkipCheckingForChanges: false CloseAfterOpenForTesting: false OpenAsDraft: false + AuthToken: $(azuresdk-github-pat) + # PushAuthToken: for cross-org pushes (pushing to PROwner's fork in a different org). + # Defaults to AuthToken when not specified. + PushAuthToken: '' steps: - template: /eng/common/pipelines/templates/steps/git-push-changes.yml @@ -34,6 +39,7 @@ steps: WorkingDirectory: ${{ parameters.WorkingDirectory }} ScriptDirectory: ${{ parameters.ScriptDirectory }} SkipCheckingForChanges: ${{ parameters.SkipCheckingForChanges }} + AuthToken: ${{ coalesce(parameters.PushAuthToken, parameters.AuthToken) }} - task: PowerShell@2 displayName: Create pull request @@ -48,7 +54,7 @@ steps: -BaseBranch "${{ parameters.BaseBranchName }}" -PROwner "${{ parameters.PROwner }}" -PRBranch "${{ parameters.PRBranchName }}" - -AuthToken "$(azuresdk-github-pat)" + -AuthToken "${{ parameters.AuthToken }}" -PRTitle "${{ parameters.PRTitle }}" -PRBody "${{ coalesce(parameters.PRBody, parameters.CommitMsg, parameters.PRTitle) }}" -PRLabels "${{ parameters.PRLabels }}" diff --git a/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml b/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml index 3981dc1b2c52..566c70ea493d 100644 --- a/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml +++ b/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml @@ -8,6 +8,7 @@ parameters: ScriptDirectory: eng/common/scripts NpmConfigUserConfig: '' NpmConfigRegistry: '' + AuthToken: $(azuresdk-github-pat) steps: - task: PowerShell@2 @@ -24,7 +25,7 @@ steps: pwsh: true timeoutInMinutes: 5 env: - GH_TOKEN: $(azuresdk-github-pat) + GH_TOKEN: ${{ parameters.AuthToken }} SYSTEM_ACCESSTOKEN: $(System.AccessToken) ${{ if ne(parameters.NpmConfigUserConfig, '') }}: npm_config_userconfig: ${{ parameters.NpmConfigUserConfig }} diff --git a/eng/common/pipelines/templates/steps/git-push-changes.yml b/eng/common/pipelines/templates/steps/git-push-changes.yml index 53d70fac45be..2f0e208e9481 100644 --- a/eng/common/pipelines/templates/steps/git-push-changes.yml +++ b/eng/common/pipelines/templates/steps/git-push-changes.yml @@ -8,6 +8,7 @@ parameters: WorkingDirectory: $(System.DefaultWorkingDirectory)' ScriptDirectory: eng/common/scripts SkipCheckingForChanges: false + AuthToken: $(azuresdk-github-pat) steps: - task: PowerShell@2 @@ -31,7 +32,7 @@ steps: - template: /eng/common/pipelines/templates/steps/emit-rate-limit-metrics.yml parameters: GitHubUser: azure-sdk - GitHubToken: $(azuresdk-github-pat) + GitHubToken: ${{ parameters.AuthToken }} - task: PowerShell@2 displayName: Push changes @@ -43,6 +44,6 @@ steps: arguments: > -PRBranchName "${{ parameters.BaseRepoBranch }}" -CommitMsg "${{ parameters.CommitMsg }}" - -GitUrl "https://$(azuresdk-github-pat)@github.com/${{ parameters.BaseRepoOwner }}/$(RepoNameWithoutOwner).git" + -GitUrl "https://x-access-token:${{ parameters.AuthToken }}@github.com/${{ parameters.BaseRepoOwner }}/$(RepoNameWithoutOwner).git" -PushArgs "${{ parameters.PushArgs }}" -SkipCommit $${{ parameters.SkipCheckingForChanges }} From aa771e78f98daf5c73c3fb997ada03833ad5276d Mon Sep 17 00:00:00 2001 From: Scott Beddall <45376673+scbedd@users.noreply.github.com> Date: Wed, 29 Apr 2026 16:10:48 -0700 Subject: [PATCH 2/3] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- eng/common/pipelines/templates/steps/git-push-changes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eng/common/pipelines/templates/steps/git-push-changes.yml b/eng/common/pipelines/templates/steps/git-push-changes.yml index 2f0e208e9481..f0b769251a85 100644 --- a/eng/common/pipelines/templates/steps/git-push-changes.yml +++ b/eng/common/pipelines/templates/steps/git-push-changes.yml @@ -5,7 +5,7 @@ parameters: TargetRepoOwner: Azure TargetRepoName: $(Build.Repository.Name) PushArgs: - WorkingDirectory: $(System.DefaultWorkingDirectory)' + WorkingDirectory: $(System.DefaultWorkingDirectory) ScriptDirectory: eng/common/scripts SkipCheckingForChanges: false AuthToken: $(azuresdk-github-pat) From 539f954bfe1ad3474de3c16acd45bb5b5e5748df Mon Sep 17 00:00:00 2001 From: Scott Beddall Date: Thu, 30 Apr 2026 18:18:24 +0000 Subject: [PATCH 3/3] update to add fallback to login. will need to approve serviceConnection for the new builds, but other than that, no impact --- .../templates/steps/create-pull-request.yml | 13 ++++++++++--- .../templates/steps/create-tags-and-git-release.yml | 9 ++++++++- .../pipelines/templates/steps/git-push-changes.yml | 11 +++++++++-- 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/eng/common/pipelines/templates/steps/create-pull-request.yml b/eng/common/pipelines/templates/steps/create-pull-request.yml index ba1c4a47abbe..397856dd6032 100644 --- a/eng/common/pipelines/templates/steps/create-pull-request.yml +++ b/eng/common/pipelines/templates/steps/create-pull-request.yml @@ -1,6 +1,6 @@ # Expects AuthToken to be a valid GitHub token. # Defaults to azuresdk-github-pat for backwards compatibility. -# New callers should pass AuthToken: $(GH_TOKEN) after calling login-to-github.yml. +# New callers should pass AuthToken: '' to auto-login via login-to-github.yml. parameters: BaseBranchName: $(Build.SourceBranch) @@ -28,6 +28,13 @@ parameters: PushAuthToken: '' steps: +- ${{ if eq(parameters.AuthToken, '') }}: + - template: /eng/common/pipelines/templates/steps/login-to-github.yml + parameters: + TokenOwners: + - ${{ parameters.RepoOwner }} + ScriptDirectory: ${{ parameters.ScriptDirectory }} + - template: /eng/common/pipelines/templates/steps/git-push-changes.yml parameters: BaseRepoBranch: ${{ parameters.PRBranchName }} @@ -39,7 +46,7 @@ steps: WorkingDirectory: ${{ parameters.WorkingDirectory }} ScriptDirectory: ${{ parameters.ScriptDirectory }} SkipCheckingForChanges: ${{ parameters.SkipCheckingForChanges }} - AuthToken: ${{ coalesce(parameters.PushAuthToken, parameters.AuthToken) }} + AuthToken: ${{ coalesce(parameters.PushAuthToken, parameters.AuthToken, '$(GH_TOKEN)') }} - task: PowerShell@2 displayName: Create pull request @@ -54,7 +61,7 @@ steps: -BaseBranch "${{ parameters.BaseBranchName }}" -PROwner "${{ parameters.PROwner }}" -PRBranch "${{ parameters.PRBranchName }}" - -AuthToken "${{ parameters.AuthToken }}" + -AuthToken "${{ coalesce(parameters.AuthToken, '$(GH_TOKEN)') }}" -PRTitle "${{ parameters.PRTitle }}" -PRBody "${{ coalesce(parameters.PRBody, parameters.CommitMsg, parameters.PRTitle) }}" -PRLabels "${{ parameters.PRLabels }}" diff --git a/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml b/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml index 566c70ea493d..35df366c2322 100644 --- a/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml +++ b/eng/common/pipelines/templates/steps/create-tags-and-git-release.yml @@ -11,6 +11,13 @@ parameters: AuthToken: $(azuresdk-github-pat) steps: +- ${{ if eq(parameters.AuthToken, '') }}: + - template: /eng/common/pipelines/templates/steps/login-to-github.yml + parameters: + TokenOwners: + - ${{ split(parameters.RepoId, '/')[0] }} + ScriptDirectory: ${{ parameters.ScriptDirectory }} + - task: PowerShell@2 displayName: 'Verify Package Tags and Create Git Releases' inputs: @@ -25,7 +32,7 @@ steps: pwsh: true timeoutInMinutes: 5 env: - GH_TOKEN: ${{ parameters.AuthToken }} + GH_TOKEN: ${{ coalesce(parameters.AuthToken, '$(GH_TOKEN)') }} SYSTEM_ACCESSTOKEN: $(System.AccessToken) ${{ if ne(parameters.NpmConfigUserConfig, '') }}: npm_config_userconfig: ${{ parameters.NpmConfigUserConfig }} diff --git a/eng/common/pipelines/templates/steps/git-push-changes.yml b/eng/common/pipelines/templates/steps/git-push-changes.yml index f0b769251a85..7df62145b980 100644 --- a/eng/common/pipelines/templates/steps/git-push-changes.yml +++ b/eng/common/pipelines/templates/steps/git-push-changes.yml @@ -11,6 +11,13 @@ parameters: AuthToken: $(azuresdk-github-pat) steps: +- ${{ if eq(parameters.AuthToken, '') }}: + - template: /eng/common/pipelines/templates/steps/login-to-github.yml + parameters: + TokenOwners: + - ${{ parameters.TargetRepoOwner }} + ScriptDirectory: ${{ parameters.ScriptDirectory }} + - task: PowerShell@2 displayName: Check for changes condition: and(succeeded(), eq(${{ parameters.SkipCheckingForChanges }}, false)) @@ -32,7 +39,7 @@ steps: - template: /eng/common/pipelines/templates/steps/emit-rate-limit-metrics.yml parameters: GitHubUser: azure-sdk - GitHubToken: ${{ parameters.AuthToken }} + GitHubToken: ${{ coalesce(parameters.AuthToken, '$(GH_TOKEN)') }} - task: PowerShell@2 displayName: Push changes @@ -44,6 +51,6 @@ steps: arguments: > -PRBranchName "${{ parameters.BaseRepoBranch }}" -CommitMsg "${{ parameters.CommitMsg }}" - -GitUrl "https://x-access-token:${{ parameters.AuthToken }}@github.com/${{ parameters.BaseRepoOwner }}/$(RepoNameWithoutOwner).git" + -GitUrl "https://x-access-token:${{ coalesce(parameters.AuthToken, '$(GH_TOKEN)') }}@github.com/${{ parameters.BaseRepoOwner }}/$(RepoNameWithoutOwner).git" -PushArgs "${{ parameters.PushArgs }}" -SkipCommit $${{ parameters.SkipCheckingForChanges }}