From a4181b2cf10a55f7c387981f6d63729ff91a083d Mon Sep 17 00:00:00 2001 From: Chidozie Ononiwu Date: Thu, 11 Jun 2026 12:39:29 -0700 Subject: [PATCH] Switch PAT to GitHubApps --- eng/pipelines/templates/steps/publish-cli-winget.yml | 4 +++- eng/pipelines/templates/steps/publish-cli.yml | 11 ++++++++--- eng/pipelines/templates/steps/publish-extension.yml | 9 +++++++-- eng/pipelines/templates/steps/set-git-credentials.yml | 7 ++++++- eng/pipelines/templates/steps/update-prcomment.yml | 7 ++++++- 5 files changed, 30 insertions(+), 8 deletions(-) diff --git a/eng/pipelines/templates/steps/publish-cli-winget.yml b/eng/pipelines/templates/steps/publish-cli-winget.yml index 538cdfde229..cdbeef3b52b 100644 --- a/eng/pipelines/templates/steps/publish-cli-winget.yml +++ b/eng/pipelines/templates/steps/publish-cli-winget.yml @@ -1,12 +1,14 @@ parameters: - name: GitHubToken type: string - default: $(azuresdk-github-pat) + default: $(GH_TOKEN) displayName: GitHub token steps: - template: /eng/pipelines/templates/steps/set-metadata-variables.yml + - template: /eng/common/pipelines/templates/steps/login-to-github.yml + - pwsh: | $PSNativeCommandArgumentPassing = 'Legacy' Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe diff --git a/eng/pipelines/templates/steps/publish-cli.yml b/eng/pipelines/templates/steps/publish-cli.yml index 9336881bc42..4ca9b668a5e 100644 --- a/eng/pipelines/templates/steps/publish-cli.yml +++ b/eng/pipelines/templates/steps/publish-cli.yml @@ -6,6 +6,11 @@ parameters: steps: - ${{ if eq('true', parameters.CreateGitHubRelease) }}: + - template: /eng/common/pipelines/templates/steps/login-to-github.yml + parameters: + TokenOwners: + - ${{ split(variables['Build.Repository.Name'], '/')[0] }} + # This step must run first because a duplicated tag means we don't need to # continue with any of the subsequent steps. - pwsh: | 
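Review bot: The `login-to-github.yml` step added to publish-cli-winget.yml is the only one in this patch called without `TokenOwners`, so the installation the token is minted for depends on that template's default, which is not visible here. If the winget submission step (outside this hunk) has to act on a repository owned by a different account, the token may not cover it; either pass the owner explicitly as the other four files do, or add a comment such as `# TokenOwners omitted on purpose: the template default owner is the one wingetcreate needs`. The `GitHubToken` default `$(GH_TOKEN)` is a runtime macro, and Azure Pipelines leaves an undefined macro as literal text, so if the login step does not set the variable the tool receives the string `$(GH_TOKEN)` rather than failing on an empty value. Because the context lines show `wingetcreate.exe` fetched from a `latest` link and then handed this token, the token should be as narrow as the login template allows.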
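Review bot: The owner passed as `TokenOwners` in publish-cli.yml is computed with `${{ split(variables['Build.Repository.Name'], '/')[0] }}`, which is evaluated when the template is expanded, not when the job runs. Not every predefined variable is populated at that point, so it is worth confirming that `Build.Repository.Name` resolves there; if it does not, the list gets an empty entry and the token request fails or falls back to a default owner. The same expression is used in publish-extension.yml (hunk `@@ -10,6 +10,11 @@`). I would add a comment above the step, e.g. `# Owner comes from Build.Repository.Name at template expansion; the token is minted for that owner's App installation`, so that the coupling to the triggering repository is explicit.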
@@ -32,7 +37,7 @@ steps: exit 0 displayName: Check for existing GitHub release env: - GH_TOKEN: $(azuresdk-github-pat) + GH_TOKEN: $(GH_TOKEN) - pwsh: | Remove-Item -Path release/_manifest -Recurse -Force @@ -50,7 +55,7 @@ steps: gh release upload $(GH_RELEASE_TAG) release/* --repo $(Build.Repository.Name) displayName: Create GitHub Release and upload artifacts env: - GH_TOKEN: $(azuresdk-github-pat) + GH_TOKEN: $(GH_TOKEN) - pwsh: | $goModuleTag = "cli/azd/v$(CLI_VERSION)" @@ -115,7 +120,7 @@ steps: Write-Host "Successfully created tag: $goModuleTag" displayName: Create Go module version tag env: - GH_TOKEN: $(azuresdk-github-pat) + GH_TOKEN: $(GH_TOKEN) - ${{ if eq('true', parameters.UploadInstaller) }}: - pwsh: | diff --git a/eng/pipelines/templates/steps/publish-extension.yml b/eng/pipelines/templates/steps/publish-extension.yml index 6608941e932..db67afeafec 100644 --- a/eng/pipelines/templates/steps/publish-extension.yml +++ b/eng/pipelines/templates/steps/publish-extension.yml @@ -10,6 +10,11 @@ parameters: type: string steps: + - template: /eng/common/pipelines/templates/steps/login-to-github.yml + parameters: + TokenOwners: + - ${{ split(variables['Build.Repository.Name'], '/')[0] }} + # This step must run first because a duplicated tag means we don't need to # continue with any of the subsequent steps. - pwsh: | @@ -36,7 +41,7 @@ steps: exit 0 displayName: Check for existing GitHub release env: - GH_TOKEN: $(azuresdk-github-pat) + GH_TOKEN: $(GH_TOKEN) - pwsh: | Remove-Item -Path release/_manifest -Recurse -Force @@ -62,7 +67,7 @@ steps: gh release upload $(GH_RELEASE_TAG) release/* --repo $(Build.Repository.Name) displayName: Create GitHub Release and upload artifacts env: - GH_TOKEN: $(azuresdk-github-pat) + GH_TOKEN: $(GH_TOKEN) - task: AzurePowerShell@5 displayName: Upload release to storage account 
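Review bot: The `Create Go module version tag` step (hunk `@@ -115,7 +120,7 @@`) now reads `$(GH_TOKEN)`, but the login step that sets it was added under `${{ if eq('true', parameters.CreateGitHubRelease) }}`. The indentation is not recoverable from this view, so I cannot tell whether the tag step sits inside that conditional; if it does not, runs with `CreateGitHubRelease` false would pass the unexpanded text `$(GH_TOKEN)` to git/gh. Separately, GitHub App installation tokens expire after one hour, and here one token is minted at the start and reused by the release check, the artifact upload and the tag step (the same applies to the two `GH_TOKEN` hunks in publish-extension.yml). If the job can run that long, repeat `- template: /eng/common/pipelines/templates/steps/login-to-github.yml` with the same `TokenOwners` immediately before the last step that needs the token.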
diff --git a/eng/pipelines/templates/steps/set-git-credentials.yml b/eng/pipelines/templates/steps/set-git-credentials.yml index 942594cb294..1a7469a3200 100644 --- a/eng/pipelines/templates/steps/set-git-credentials.yml +++ b/eng/pipelines/templates/steps/set-git-credentials.yml @@ -1,9 +1,14 @@ parameters: Username: azure-sdk Email: azuresdk@microsoft.com - GitHubPat: $(azuresdk-github-pat) + GitHubPat: $(GH_TOKEN) steps: + - template: /eng/common/pipelines/templates/steps/login-to-github.yml + parameters: + TokenOwners: + - ${{ parameters.Username }} + - pwsh: | git config --global user.name "${{ parameters.Username }}" git config --global user.email "${{ parameters.Email }}" diff --git a/eng/pipelines/templates/steps/update-prcomment.yml b/eng/pipelines/templates/steps/update-prcomment.yml index bfc71810d38..e7e29898994 100644 --- a/eng/pipelines/templates/steps/update-prcomment.yml +++ b/eng/pipelines/templates/steps/update-prcomment.yml @@ -13,9 +13,14 @@ parameters: default: '' - name: GitHubToken type: string - default: $(azuresdk-github-pat) + default: $(GH_TOKEN) steps: + - template: /eng/common/pipelines/templates/steps/login-to-github.yml + parameters: + TokenOwners: + - ${{ split(parameters.Repo, '/')[0] }} + - pwsh: | $Repo = "${{ parameters.Repo }}" $PrNumber = "${{ parameters.PrNumber }}"
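Review bot: In set-git-credentials.yml, `TokenOwners` is fed from `parameters.Username`, which the next lines also use as the git commit author name. That ties the App installation owner to a display identity, so a caller that overrides `Username` for attribution would silently request a token for a different owner. A separate parameter keeps the two apart, e.g. `TokenOwner: azure-sdk` with `- ${{ parameters.TokenOwner }}`. The parameter is still named `GitHubPat` although it now carries an App installation token; if the name has to stay for callers, add `# GitHubPat now holds a short-lived GitHub App installation token; name kept for compatibility`. How the token is stored by the rest of the file is outside this hunk.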
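Review bot: In update-prcomment.yml the owner is derived with `${{ split(parameters.Repo, '/')[0] }}` at template expansion, so it only works when callers pass `Repo` as a literal `owner/name`. If a caller passes a runtime macro such as `$(Build.Repository.Name)`, the split sees the macro text, which has no `/`, and the whole `owner/name` value ends up as the owner at run time; an empty `Repo` gives an empty owner. The declaration and default of `Repo` are above the hunk, so this needs checking against the callers. A comment on the step would record the requirement: `# Repo must be a literal owner/name here; macros are not expanded before split()`. This template only needs to write a PR comment, so if the login template can narrow the token's repositories or permissions, this is the call site to use that.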