Transition to GitHub App auth, remove azuresdk-github-pat usage #49049

Open: scbedd wants to merge 1 commit into main from RemoveAzsdkPatUsage


scbedd commented May 4, 2026

This pull request updates multiple Azure pipeline YAML files to explicitly set the AuthToken parameter (usually as an empty string) in various pipeline steps and templates. Additionally, it updates the Git URL used for pushing release branches to use a different authentication method and adds a login step before pushing branches. These changes are primarily aimed at improving authentication handling and consistency across pipeline automation.

Authentication and Token Handling:

  • Added AuthToken: '' to various pipeline steps and templates in files such as eng/automation/generation.yml, eng/pipelines/docindex.yml, eng/pipelines/prepare-pipelines.yml, and multiple archetype release batch/patch templates. This ensures that the AuthToken parameter is always defined, which can help prevent errors related to missing authentication tokens.

Pipeline Security and Git Operations:

  • Updated the Git URL in the patch release preparation pipeline to use the GH_TOKEN with the x-access-token authentication method instead of the previous PAT variable, improving security and standardization.
  • Added a step to log in to GitHub before pushing the release branch in the patch release preparation pipeline, ensuring proper authentication is established before performing Git operations.

Related to Azure/azure-sdk-tools#9842


Copilot AI left a comment


Pull request overview

This PR aims to transition Azure DevOps pipeline automation away from the azuresdk-github-pat secret toward GitHub App-based authentication by standardizing an AuthToken parameter on shared pipeline steps and updating patch-release branch push authentication.

Changes:

  • Adds AuthToken: '' to several pipeline/template invocations to make token passing explicit and consistent.
  • Updates patch release branch push to use a GitHub App installation token (GH_TOKEN) and adds a login-to-github.yml step before the push.
  • Propagates the new AuthToken parameter into generation, docindex, prepare-pipelines, and release archetype templates.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 20 comments.

| File | Description |
| --- | --- |
| eng/pipelines/templates/stages/archetype-java-release-pom-only.yml | Adds AuthToken: '' to the GitHub release/tagging step invocation. |
| eng/pipelines/templates/stages/archetype-java-release-patch.yml | Adds AuthToken: '' to GitHub release/tagging and PR creation step invocations. |
| eng/pipelines/templates/stages/archetype-java-release-batch.yml | Adds AuthToken: '' to GitHub release/tagging and PR creation step invocations. |
| eng/pipelines/prepare-pipelines.yml | Passes AuthToken: '' into the shared prepare-pipelines job template. |
| eng/pipelines/patch-release-prepare.yml | Adds GitHub login step and switches git push URL to use GH_TOKEN; also passes AuthToken: '' to PR creation. |
| eng/pipelines/docindex.yml | Passes AuthToken: '' into git push steps for docs repo updates. |
| eng/automation/generation.yml | Passes AuthToken: '' into PR creation for automation-generated changes. |

ArtifactLocation: $(Pipeline.Workspace)/packages-signed/${{artifact.groupId}}/${{artifact.name}}
PackageRepository: Maven
ReleaseSha: $(Build.SourceVersion)
AuthToken: ''
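Review bot: The AuthToken: '' added after ReleaseSha: $(Build.SourceVersion) passes an empty literal to the step that creates the GitHub release and tag, and nothing at the call site says which credential the template uses when the value is empty. Add a YAML comment stating the intended fallback. Since the same literal is repeated at every invocation in this change, consider setting the default once in the shared template instead of overriding it at each caller.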
ArtifactLocation: $(Pipeline.Workspace)/packages-signed/${{artifact.groupId}}/${{artifact.name}}
PackageRepository: Maven
ReleaseSha: $(Build.SourceVersion)
AuthToken: ''
CommitMsg: "Increment package versions for patch releases"
PRTitle: "Increment versions for patch releases"
CloseAfterOpenForTesting: '${{ parameters.TestPipeline }}'
AuthToken: ''
ArtifactLocation: $(Pipeline.Workspace)/packages-signed/${{artifact.groupId}}/${{artifact.name}}
PackageRepository: Maven
ReleaseSha: $(Build.SourceVersion)
AuthToken: ''
CommitMsg: "Increment package versions for ${{ parameters.ServiceDirectory }} releases"
PRTitle: "Increment versions for ${{ parameters.ServiceDirectory }} releases"
CloseAfterOpenForTesting: '${{ parameters.TestPipeline }}'
AuthToken: ''
Comment thread eng/pipelines/prepare-pipelines.yml Outdated
template: /eng/common/pipelines/templates/jobs/prepare-pipelines.yml
parameters:
Repository: Azure/azure-sdk-for-java
AuthToken: ''
PROwner: Azure
CommitMsg: "Patch release preparation $(PatchDate)"
PRTitle: "Prepare patch release $(PatchDate)"
AuthToken: ''
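Review bot: AuthToken: '' on the PR-creation call (after PRTitle: "Prepare patch release $(PatchDate)") leaves the credential implicit, while the PR description says the branch push in this same pipeline names GH_TOKEN explicitly in the remote URL. Two different ways of selecting a token in one file make it hard to verify that the push and the pull request run under the same GitHub App identity. Either pass the same token here, or add a comment that the template reads GH_TOKEN when AuthToken is empty, if that is the intended behaviour.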
TargetRepoName: $(DocRepoName)
TargetRepoOwner: $(DocRepoOwner)
WorkingDirectory: $(DocRepoLocation)
AuthToken: ''
WorkingDirectory: $(DocRepoLocation)
ScriptDirectory: $(Build.SourcesDirectory)/eng/common/scripts
PushArgs: -f
AuthToken: ''
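Review bot: PushArgs: -f followed by AuthToken: '' means this forced push to the docs repository runs with no token supplied at the call site. The per-file summary lists a GitHub login step only for eng/pipelines/patch-release-prepare.yml, so check that docindex.yml establishes a credential before this step. If it does not, add the same login step ahead of the push rather than relying on whatever credential the agent already holds. Because this is a force push, the PR description should also state that the GitHub App's permissions on the target repository are limited to what this job needs.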
PRTitle: '[Automation] Generate Fluent Lite from Swagger $(README)#$(TAG)'
PRLabels: 'Mgmt - Track 2'
OpenAsDraft: '$(DRAFT_PULL_REQUEST)'
AuthToken: ''
Related to Azure/azure-sdk-tools#9842

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>