Switch PAT to GitHubApps

[chidozieononiwu]

This pull request updates several pipeline templates to standardize GitHub authentication and token usage. The main improvements are the switch from the azuresdk-github-pat variable to GH_TOKEN for GitHub authentication, and the addition of a shared login step to ensure tokens are properly configured. These changes improve maintainability and security by centralizing authentication logic and making token ownership explicit.

Authentication and Token Management Improvements:

• Replaced usage of the azuresdk-github-pat variable with GH_TOKEN for the GitHubToken and GitHubPat parameters in multiple pipeline templates, including publish-cli.yml, publish-extension.yml, publish-cli-winget.yml, set-git-credentials.yml, and update-prcomment.yml. This ensures consistency and better aligns with current token management practices. [1] [2] [3] [4] [5] [6] [7] [8]

• Added the /eng/common/pipelines/templates/steps/login-to-github.yml template step to all relevant pipeline templates. This step ensures that GitHub authentication is properly established before any GitHub-related actions are performed. [1] [2] [3] [4] [5]

Token Ownership Explicitness:

• Updated the login step to explicitly set TokenOwners based on repository or username context, improving traceability and clarity of token usage in the pipeline. [1] [2] [3] [4]

These changes collectively improve the security, clarity, and maintainability of the CI/CD pipeline authentication process.

azure-dev - ext - microsoft.azd.extensions
azure-dev - ext - microsoft.azd.demo - public

[github-actions]

🔗 Linked Issue Required

Thanks for the contribution! Please link a GitHub issue to this PR by adding Fixes #123 to the description or using the sidebar.
No issue yet? Feel free to create one!

[Copilot]

Pull request overview

This PR updates Azure DevOps pipeline step templates to standardize GitHub authentication by switching from the legacy azuresdk-github-pat variable to a GitHub App–minted GH_TOKEN, and by adding a shared login-to-github.yml step to centralize token acquisition.

Changes:

• Replaced $(azuresdk-github-pat) usage with $(GH_TOKEN) (or parameters defaulting to it) across multiple templates.
• Added /eng/common/pipelines/templates/steps/login-to-github.yml ahead of GitHub CLI / token-dependent actions, with explicit TokenOwners in most templates.
• Updated templates to make token ownership more explicit/traceable via TokenOwners.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
eng/pipelines/templates/steps/update-prcomment.yml	Uses GH_TOKEN by default and adds a GitHub App login step with owner derived from Repo.
eng/pipelines/templates/steps/set-git-credentials.yml	Switches git credential token default to GH_TOKEN and adds a GitHub App login step.
eng/pipelines/templates/steps/publish-extension.yml	Adds GitHub App login step and replaces PAT usage with GH_TOKEN for gh operations.
eng/pipelines/templates/steps/publish-cli.yml	Adds GitHub App login step (conditional) and replaces PAT usage with GH_TOKEN for gh operations.
eng/pipelines/templates/steps/publish-cli-winget.yml	Switches default token to GH_TOKEN and adds GitHub App login step before WinGet submission.

[danieljurek]

Publish_For_PR is a deployment job and doesn't have access to eng scripts https://dev.azure.com/azure-sdk/internal/_build/results?buildId=6425687&view=logs&jobId=0a6b4591-5f26-5cef-64a5-4edabbe4f4b4&j=0a6b4591-5f26-5cef-64a5-4edabbe4f4b4&t=a1b24c41-3bbc-5be5-d6ca-e2a0af2abd8f

[RickWinter]

I don't think the default Azure installation token is the right credential for this step. wingetcreate update --token needs to work against microsoft/winget-pkgs (and create/update the submission PR), but this login mints a token for the Azure org. Can we request the installation owner that has access to the WinGet repo instead, or keep this step on a credential that can actually submit the package?

[chidozieononiwu]

You are probably right. But the bigger issue is I cannot find a way to actually test these pipelines end to end without doing an unauthorized release. Could you advice on how to test these pipelines. Without a canary pipeline I can almost guarantee changes here will break the release on merge.

[danieljurek]

I can help with that.

[RickWinter]

This switches the git credential helper to $(GH_TOKEN), but callers that create PRs still hit eng/common/pipelines/templates/steps/create-pull-request.yml, which passes $(azuresdk-github-pat) into Submit-PullRequest.ps1. For example, the docs publishing flow uses this template and then opens a PR in MicrosoftDocs/azure-dev-docs-pr, so the PAT dependency is still on the release path.

[chidozieononiwu]

Thank you for review, I would need a way to test the pipeline to be able to get this working well. Is there a template package that could be used to test these changes?

[danieljurek]

To test this change, open a PR to your branch that does some trivial change to https://github.com/Azure/azure-dev/blob/main/cli/azd/README.md

Success criteria: The PR you opened gets a comment in it with links to azd that you can download.

[danieljurek]

This is also a deploy job so you don't have access to source. Plumb the variable in through a different job.

To test: Open a PR to your branch that adds a trivial change to https://github.com/Azure/azure-dev/blob/main/ext/vscode/README.md

Success criteria: After build you get a comment in the PR that includes links to download the extension file.

[danieljurek]

This is a deployment job with no access to source. You'll need to set up the secret somehow.

[danieljurek]

Token needs to be issued to MicrosoftDocs org

[danieljurek]

This won't work. It needs to be added at the level of steps, right now it's in a stage

[danieljurek]

Things to change:

• Release deployment jobs that tag the repo and upload bits to GitHub releases should be "jobs" (not deployments) have access to source (same as SDK)