8 changes: 5 additions & 3 deletions packages/http-client-csharp/eng/pipeline/publish.yml
Expand Up @@ -223,11 +223,13 @@ extends:
TokenOwners:
- Azure

- task: PowerShell@2
- task: AzureCLI@2
displayName: Generate emitter-package.json files & create PR in azure-sdk-for-net
inputs:
pwsh: true
filePath: $(Build.SourcesDirectory)/packages/http-client-csharp/eng/scripts/Submit-AzureSdkForNetPr.ps1
azureSubscription: "AzureSDKEngKeyVault Secrets"
scriptType: pscore
scriptLocation: scriptPath
scriptPath: $(Build.SourcesDirectory)/packages/http-client-csharp/eng/scripts/Submit-AzureSdkForNetPr.ps1
arguments: >
-PackageVersion '$(PackageVersion)'
-TypeSpecCommitUrl '$(TypeSpecCommitUrl)'
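Review bot: The switch to AzureCLI@2 with azureSubscription: "AzureSDKEngKeyVault Secrets" puts all of Submit-AzureSdkForNetPr.ps1 inside an az-authenticated session, and nothing in the task definition says why. Add a YAML comment above the task stating that the login is needed only so the in-script login-to-github.ps1 call can sign the JWT through Key Vault; without it a later cleanup could revert the task to PowerShell@2 and bring back the "Please run 'az login'" failure. Since every other step of the script now runs with that session too, it is also worth confirming that the service connection is limited to the signing operation.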
Expand Up @@ -689,6 +689,24 @@ try {
throw "Failed to commit changes"
}

$loginScript = Join-Path $PSScriptRoot "../../../../eng/common/scripts/login-to-github.ps1"
Comment thread
jorgerangel-msft marked this conversation as resolved.
if (Test-Path $loginScript) {
Contributor

@copilot it looks like this is failing in CI on regeneration:

Refreshing GitHub App installation token before push...
Generating GitHub App JWT by signing via Azure Key Vault (no key export)...
ERROR: Please run 'az login' to setup account.
WARNING: Failed to refresh GitHub App installation token: Failed to sign JWT with Azure Key Vault. Error: . Falling back to existing token.
Pushing branch to remote...
remote: Invalid username or token. Password authentication is not supported for Git operations.

Contributor Author

Good catch — root cause is that az login context from the prior AzureCLI@2 task in login-to-github.yml does not persist into the next PowerShell@2 task. So when Submit-AzureSdkForNetPr.ps1 later invokes login-to-github.ps1 to mint a fresh token, the JWT-signing call to Key Vault fails with Please run 'az login'.

Fixed in 32061c1 by switching the script's task in publish.yml from PowerShell@2 to AzureCLI@2 (with azureSubscription: "AzureSDKEngKeyVault Secrets" — the same subscription login-to-github.yml uses). The script now runs inside an az-authenticated context, so the in-script login-to-github.ps1 call right before git push can sign the JWT and produce a fresh installation token.

Write-Host "Refreshing GitHub App installation token before push..."
try {
& $loginScript -InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN'
if ($LASTEXITCODE -eq 0 -and (Test-Path Env:GH_TOKEN)) {
$AuthToken = $env:GH_TOKEN
Write-Host "GitHub App installation token refreshed."
} else {
Write-Warning "login-to-github.ps1 did not produce a fresh token (exit code $LASTEXITCODE); falling back to existing token."
}
} catch {
Write-Warning "Failed to refresh GitHub App installation token: $($_.Exception.Message). Falling back to existing token."
}
} else {
Write-Host "login-to-github.ps1 not found at $loginScript; skipping token refresh (assuming a non-pipeline run with a long-lived token)."
}

# Push the branch. Use the x-access-token username scheme so the URL works
# both with classic PATs and with GitHub App installation tokens (ghs_*).
Write-Host "Pushing branch to remote..."
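Review bot: In the refresh block, Test-Path Env:GH_TOKEN only proves the variable exists, not that login-to-github.ps1 just set it, so a GH_TOKEN already present in the environment is copied into $AuthToken and reported as "refreshed". Clear or snapshot the variable before the call and compare afterwards. Both fallback branches also let a pipeline run continue to the push with the old token, which is the path the CI log in this thread took before failing with "Invalid username or token"; when $loginScript exists and the refresh fails, throwing there would surface the real cause instead of a later push error.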