
Commit feceb3e

raych1Copilot
andauthored
Use GitHub App auth in spec-gen-sdk pipeline (#44291)
* Use GitHub App auth in spec-gen-sdk pipeline Fetch GitHub login scripts in internal PR pipeline runs and use the resulting GH_TOKEN for sparse checkout and SDK pull request creation instead of the legacy PAT variable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Add comment to tspconfig.yaml * use self checkout approach * Set token for push change step * Remove comment from tspconfig.yaml --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent b48bb52 commit feceb3e

1 file changed

Lines changed: 23 additions & 4 deletions


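--- a/eng/pipelines/templates/stages/archetype-spec-gen-sdk.yml
+++ b/eng/pipelines/templates/stages/archetype-spec-gen-sdk.yml
@@ -64,8 +64,6 @@ stages:
 os: linux
 
 steps:
-- checkout: none
-
 - pwsh: |
 $tspConfigPathPattern = '^specification\/([^\/]+\/)+tspconfig\.yaml$'
 $readmePathPattern = '^specification\/([^\/]+\/){2,}readme\.md$'
@@ -178,6 +176,22 @@ stages:
 Write-Host "Will use commitish for SDK repo checkout: '$checkoutCommitish'"
 displayName: "Validate and update SDK repository commitish"
 
+# In the internal '-pr' flow the spec/SDK repos are private, so the sparse-checkout below
+# needs a GitHub App token (GH_TOKEN) minted by login-to-github. That login script lives in
+# this repo, so it must be available first. Use 'checkout: self' (authenticated by the
+# pipeline's GitHub service connection) at the default path so System.DefaultWorkingDirectory
+# stays at $(Pipeline.Workspace)/s; sparse-checkout keeps the footprint to eng/common/scripts.
+- ${{ if and(eq(variables['System.TeamProject'], 'internal'), endsWith(variables['Build.Repository.Name'], '-pr')) }}:
+- checkout: self
+displayName: 'Checkout eng/common/scripts for GitHub login'
+sparseCheckoutDirectories: eng/common/scripts
+fetchDepth: 1
+- template: /eng/common/pipelines/templates/steps/login-to-github.yml
+parameters:
+ScriptDirectory: $(System.DefaultWorkingDirectory)/eng/common/scripts
+- ${{ else }}:
+- checkout: none
+
 - template: /eng/common/pipelines/templates/steps/sparse-checkout.yml
 parameters:
 Paths:
@@ -195,7 +209,7 @@ stages:
 WorkingDirectory: $(SdkRepoDirectory)
 SkipCheckoutNone: true
 ${{ if and(eq(variables['System.TeamProject'], 'internal'), endsWith(variables['Build.Repository.Name'], '-pr')) }}:
-TokenToUseForAuth: $(azuresdk-github-pat)
+TokenToUseForAuth: $(GH_TOKEN)
 PreserveAuthToken: true
 
 - task: UseNode@1
@@ -290,6 +304,10 @@ stages:
 CustomCondition: and(succeededOrFailed(), ne(variables['StagedArtifactsFolder'], ''))
 
 - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.CreatePullRequest, true), ne(variables['Build.Reason'], 'PullRequest')) }}:
+- template: /eng/common/pipelines/templates/steps/login-to-github.yml
+parameters:
+ScriptDirectory: $(SdkRepoDirectory)/eng/common/scripts
+
 - pwsh: |
 $sdkPrBranchName = "$(PrBranch)-$(Build.BuildId)"
 $sdkRepoBranch = '${{ parameters.SdkRepoBranch }}'
@@ -325,6 +343,7 @@ stages:
 TargetRepoName: $(SdkRepoName)
 WorkingDirectory: $(SdkRepoDirectory)
 ScriptDirectory: $(SdkRepoDirectory)/eng/common/scripts
+AuthToken: $(GH_TOKEN)
 
 - ${{ if eq(parameters.ForceCreateEvenWithFailures, true) }}:
 - pwsh: |
@@ -348,7 +367,7 @@ stages:
 -BaseBranch "main"
 -PROwner "$(SdkRepoOwner)"
 -PRBranch "$(SdkPullRequestSourceBranch)"
-AuthToken "$(azuresdk-github-pat)"
+-AuthToken "$(GH_TOKEN)"
 -PRTitle "$(PrTitle)-generated-from-$(Build.DefinitionName)-$(Build.BuildId)"
 -PRBody "$(GeneratedSDKInformation) $(ReleasePlanInfo)"
 -OpenAsDraft $${{ not(endsWith(parameters.TriggerSource, '-release')) }}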
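Review bot: The second `login-to-github.yml` call (new lines 307-309) sets `ScriptDirectory: $(SdkRepoDirectory)/eng/common/scripts`, so the script that mints GH_TOKEN is read from the SDK repo working tree rather than from the `checkout: self` copy the first call uses. That tree is checked out at the `$checkoutCommitish` chosen earlier and, judging by step order, has already been through SDK generation, so the login code is only as trustworthy as that ref and whatever wrote into the directory; the template itself is not visible here, so this is worth confirming. Unlike the first call, this one carries no comment explaining the choice; something like `# Login scripts are read from the SDK repo checkout here because 'checkout: self' only runs in the '-pr' flow` above the step would record it, or the step could point at a copy that generation cannot touch. Separately, `PreserveAuthToken: true` (new line 213) appears to keep GH_TOKEN in the SDK checkout while the generation steps run, and the `$(GH_TOKEN)` references at new lines 346 and 370 are passed as the literal macro text if no login step ran in that job, so it is worth confirming both sit inside the condition that runs the login.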
