Pat to GitHub apps two

[chidozieononiwu]

This pull request introduces improvements to the GitHub authentication flow in the CI/CD pipeline, enhancing token generation, handling, and usage across various pipeline templates and scripts. The main changes add support for exporting the GitHub token as an output variable, improve robustness in handling installation owners, and update pipeline stages to use the new token flow.

Enhancements to GitHub Token Handling:

• eng/common/scripts/login-to-github.ps1:

  • Added the ExportAsOutputVariable parameter to allow exporting the GitHub token as an Azure DevOps output variable for downstream jobs. [1] [2]
  • Improved handling of InstallationTokenOwners, including normalization and more robust matching logic for GitHub App installations. [1] [2]
  • Refactored the main script logic into Invoke-LoginToGitHub and ensured test runs are skipped.
  • Added a utility function Get-PropertyValue for safer property access.

• eng/common/pipelines/templates/steps/login-to-github.yml:

  • Added the ExportAsOutputVariable parameter and passed it through to the script. [1] [2]

Pipeline Integration:

• Updated pipeline templates (publish.yml, publish-extension.yml, vscode-publish-integration.yml) to:
  • Insert a new job or step to generate the GitHub token using the enhanced script and export it as an output variable. [1] [2] [3]
  • Pass the generated GH_TOKEN to subsequent jobs and tasks instead of using the previous azuresdk-github-pat variable. [1] [2] [3] [4]

Other Minor Changes:

• Improved documentation and parameter descriptions in the PowerShell script.
• Minor whitespace and formatting changes in pipeline YAML files.

These changes make the pipeline more secure, flexible, and maintainable by standardizing GitHub token usage and improving compatibility with Azure DevOps output variables.

Part of resolving Azure/azure-sdk-tools#9842

azure-dev - ext - microsoft.azd.demo - public

[github-actions]

🔗 Linked Issue Required

Thanks for the contribution! Please link a GitHub issue to this PR by adding Fixes #123 to the description or using the sidebar.
No issue yet? Feel free to create one!

[Copilot]

Pull request overview

This PR updates the Azure DevOps release/publish pipeline templates to switch GitHub CLI authentication from a stored PAT to a GitHub App installation token minted at runtime (via eng/common/scripts/login-to-github.ps1), aiming to standardize token handling across jobs and stages.

Changes:

• Adds ExportAsOutputVariable support to login-to-github.ps1 and plumbs it through the login-to-github.yml step template.
• Updates publishing stage templates to generate a GitHub token and pass it to PR-commenting and release-related steps.
• Replaces $(azuresdk-github-pat) with $(GH_TOKEN) in the extension release step template.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
eng/common/scripts/login-to-github.ps1	Adds output-variable support and more robust installation owner matching for GitHub App token minting.
eng/common/pipelines/templates/steps/login-to-github.yml	Plumbs ExportAsOutputVariable through to the PowerShell script.
eng/pipelines/templates/steps/publish-extension.yml	Switches GH_TOKEN env usage from PAT to $(GH_TOKEN) for gh calls.
eng/pipelines/templates/stages/vscode-publish-integration.yml	Adds a token-generation job and passes $(GH_TOKEN) into the PR comment step.
eng/pipelines/templates/stages/publish.yml	Adds token generation (currently in Publish_Brew) and passes $(GH_TOKEN) into the PR comment step.
eng/pipelines/templates/stages/publish-extension.yml	Adds a token-generation job and makes release publishing depend on it.
eng/pipelines/release-cli.yml	Contains a whitespace-only line change near the publish stage template inclusion.

[jongio]

Reviewed: 6 files, +189 -47

This PR is a solid security improvement: replacing stored PATs with dynamically minted GitHub App tokens via Azure Key Vault signing. The ExportAsOutputVariable flow, Get-PropertyValue utility, and Pester testability guard are all well-done. Most concerns from the earlier automated review are addressed by the current state of the code.

One issue that needs fixing before merge (see inline comment).

[jongio]

[HIGH] Update_Registry only has dependsOn: Publish_Release, but this expression references Generate_GH_Token which is not a direct dependency. In Azure DevOps YAML, the dependencies context only contains jobs explicitly listed in dependsOn. Transitive access is not supported.

This means GH_TOKEN will resolve to an empty string at runtime, causing gh and azd x publish commands in this job to fail with auth errors.

Fix:

- job: Update_Registry
  dependsOn:
    - Publish_Release
    - Generate_GH_Token

The other files (publish.yml, vscode-publish-integration.yml) are fine because their consuming jobs directly depend on Generate_GH_Token.