Don't require GitHub auth for public-repo PR status/label reads (#16210)#16292
Open
helen229 wants to merge 10 commits into
Open
Don't require GitHub auth for public-repo PR status/label reads (#16210)#16292helen229 wants to merge 10 commits into
helen229 wants to merge 10 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the azsdk CLI’s GitHub access layer to avoid prompting users to authenticate (gh auth login) when performing read-only lookups against public repositories (notably public azure-rest-api-specs PRs during SDK generation). It introduces an anonymous-first read pattern with authenticated fallback and adds tests + a changelog entry to document the behavior change.
Changes:
- Added an unauthenticated
GitHubClientplus aReadWithAnonymousFallbackAsynchelper to try public reads anonymously before falling back to authenticated access. - Updated public read paths (
GetPullRequestAsync,GetPullRequestHeadSha, check-runs lookup inGetPullRequestChecksAsync) to use anonymous-first behavior. - Added
GitHubServiceTestsand documented the fix in the CLI changelog.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tools/azsdk-cli/Azure.Sdk.Tools.Cli/Services/GitHubService.cs | Adds anonymous client + helper and routes key public PR read operations through anonymous-first access. |
| tools/azsdk-cli/Azure.Sdk.Tools.Cli/CHANGELOG.md | Documents the behavior change under 0.6.25 bug fixes. |
| tools/azsdk-cli/Azure.Sdk.Tools.Cli.Tests/Services/GitHubServiceTests.cs | Adds coverage for anonymous success, authenticated retry, and auth prompting when no token is available. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
praveenkuttappan
approved these changes
Jul 8, 2026
…vice.cs Co-authored-by: helen229 <19517014+helen229@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #16210.
SDK generation (and other release-plan operations) prompted users to authenticate with GitHub (
gh auth login) even when the only thing being read was the status, checks, and labels of a public spec pull request. For a PR in the publicazure-rest-api-specsrepository this information is available anonymously, so requiring authentication was unnecessary and confusing.Changes
ReadWithAnonymousFallbackAsynchelper inGitConnection. Read-only operations are attempted anonymously first; only if GitHub signals that authentication is required (anyOctokit.ApiException— private repo/404, forbidden/403, unauthorized/401, or rate limit) do they retry with an authenticated client, which prompts forgh auth loginwhen no token is available.GetPullRequestAsync,GetPullRequestHeadSha, and the check-runs lookup inGetPullRequestChecksAsync) to use the helper.GitHubServiceTestscovering: anonymous success (no auth attempted), retry-authenticated when anonymous is denied, and surfacing the auth prompt when no token is available.0.6.25Bugs Fixed.Testing
dotnet test --filter "FullyQualifiedName~GitHubServiceTests|FullyQualifiedName~SpecWorkFlowToolTests"— all passing.