Skip to content

Commit 83d711f

Browse files
Merge pull request #1447 from microsoftgraph/ramsessanchez/clarify-github-app-auth-comments
docs(ci): clarify why GitHub App auth is used for cross-org repos
2 parents 1d68024 + 9d34ff5 commit 83d711f

2 files changed

Lines changed: 15 additions & 8 deletions

File tree

.azure-pipelines/generation-templates/language-generation-kiota.yml

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -56,10 +56,13 @@ parameters:
5656
type: string
5757
default: "-e '/copilot' -e '/copilot/**'"
5858

59-
# When true, the target repository is read anonymously (public repo) and the generated
60-
# files are pushed using a GitHub App installation token instead of a PAT-backed service
61-
# connection. PR creation is App-based regardless. Defaults to false to preserve the
62-
# existing service connection based behaviour for the microsoftgraph SDK repos.
59+
# Set this to true for target repos that live in a different GitHub org than the shared
60+
# service connection covers. Those repos can't ride on that connection and historically
61+
# needed their own separate PAT-backed one. This flag removes that PAT by reusing the
62+
# GitHub App identity (which already creates the PRs) for the push as well.
63+
#
64+
# Defaults to false, which keeps the other SDK repos on their existing service-connection
65+
# checkout/push flow, unchanged.
6366
- name: useGitHubAppAuth
6467
type: boolean
6568
default: false
@@ -83,8 +86,9 @@ steps:
8386
fetchDepth: 1
8487
persistCredentials: true
8588

86-
# App-auth path: the target repo is public, so clone it anonymously (no PAT). The push
87-
# remote is switched to a GitHub App token in a later step before the push happens.
89+
# App-auth path: read the target with no credential. This is possible because the repo is
90+
# public - it is not why App auth is used (see the useGitHubAppAuth param notes). The push
91+
# remote is switched to a GitHub App token in a later step, before the push happens.
8892
- ${{ if eq(parameters.useGitHubAppAuth, true) }}:
8993
- pwsh: |
9094
$repoDir = "$(Build.SourcesDirectory)/${{ parameters.repoName }}"

scripts/set-app-token-push-url.ps1

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,9 +2,12 @@
22
# Licensed under the MIT License.
33

44
# Configure the 'origin' push URL of an already-cloned repository to authenticate with a
5-
# GitHub App installation token instead of a PAT. The fetch URL is left untouched so reads
6-
# stay anonymous for public repositories.
5+
# GitHub App installation token instead of a PAT. This lets a repo be pushed to using the
6+
# App identity (the same one that opens the PRs), which removes the need for a dedicated
7+
# PAT when the repo isn't covered by the pipeline's shared service connection.
78
#
9+
# Only the push URL is changed; the fetch URL is left untouched (repos are public hence reads
10+
# can be maintained as anonymous).
811
# Required environment variables:
912
# GhAppId - GitHub App client ID (from AKV)
1013
# GhAppKey - GitHub App private key (from AKV)

0 commit comments

Comments
 (0)