From 9729d30d0005d1d793704bbddde74ad9797c3fcc Mon Sep 17 00:00:00 2001
From: James Suplizio
Date: Thu, 6 Jun 2024 14:22:12 -0700
Subject: [PATCH 1/3] Removal of the devops release PAT
---
 .../templates/steps/validate-all-packages.yml | 29 +++++++-------
 .../Helpers/DevOps-WorkItem-Helpers.ps1 | 26 ++++++-------
 .../Update-DevOps-Release-WorkItem.ps1 | 8 +---
 eng/common/scripts/Validate-All-Packages.ps1 | 4 +-
 eng/common/scripts/Validate-Package.ps1 | 38 +++++++++----------
 5 files changed, 48 insertions(+), 57 deletions(-)
diff --git a/eng/common/pipelines/templates/steps/validate-all-packages.yml b/eng/common/pipelines/templates/steps/validate-all-packages.yml
index db374478a06a..b2ba48e197b1 100644
--- a/eng/common/pipelines/templates/steps/validate-all-packages.yml
+++ b/eng/common/pipelines/templates/steps/validate-all-packages.yml
@@ -10,20 +10,23 @@ steps: displayName: "Set as release build" condition: and(succeeded(), eq(variables['SetAsReleaseBuild'], '')) - - task: Powershell@2 + - task: AzureCLI@2 inputs: - filePath: $(Build.SourcesDirectory)/eng/common/scripts/Validate-All-Packages.ps1 - arguments: > - -ArtifactList ('${{ convertToJson(parameters.Artifacts) }}' | ConvertFrom-Json | Select-Object Name) - -ArtifactPath ${{ parameters.ArtifactPath }} - -RepoRoot $(Build.SourcesDirectory) - -APIKey $(azuresdk-apiview-apikey) - -ConfigFileDir '${{ parameters.ConfigFileDir }}' - -BuildDefinition $(System.CollectionUri)$(System.TeamProject)/_build?definitionId=$(System.DefinitionId) - -PipelineUrl $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) - -Devops_pat '$(azuresdk-azure-sdk-devops-release-work-item-pat)' - -IsReleaseBuild $$(SetAsReleaseBuild) - pwsh: true + azureSubscription: opensource-api-connection + scriptType: pscore + scriptLocation: inlineScript + inlineScript: | + $accessToken = az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv + $(Build.SourcesDirectory)/eng/common/scripts/Validate-All-Packages.ps1 ` + -ArtifactList ('${{ convertToJson(parameters.Artifacts) }}' | ConvertFrom-Json | Select-Object Name) ` + -ArtifactPath ${{ parameters.ArtifactPath }} ` + -RepoRoot $(Build.SourcesDirectory) ` + -APIKey $(azuresdk-apiview-apikey) ` + -ConfigFileDir '${{ parameters.ConfigFileDir }}' ` + -BuildDefinition $(System.CollectionUri)$(System.TeamProject)/_build?definitionId=$(System.DefinitionId) ` + -PipelineUrl $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) ` + -AccessToken $accessToken ` + -IsReleaseBuild $$(SetAsReleaseBuild) workingDirectory: $(Pipeline.Workspace) displayName: Validate packages and update work items continueOnError: true 
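Review bot: `-APIKey $(azuresdk-apiview-apikey)` is now macro-expanded into the text of `inlineScript`, so the secret's value becomes part of the script body the task runs rather than something the script reads at run time. Mapping it through the step's `env:` block keeps it out of the script text, for example `env:` with `APIVIEW_APIKEY: $(azuresdk-apiview-apikey)` and then `-APIKey $env:APIVIEW_APIKEY` (the variable name is only an example). `${{ convertToJson(parameters.Artifacts) }}` and `${{ parameters.ArtifactPath }}` are likewise spliced in before PowerShell parses the script, so a value containing a quote or `;` would alter the script instead of the argument; passing them the same way avoids that. The step keeps `continueOnError: true`, so an authentication failure in the new AzureCLI task will not stop the job.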
diff --git a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 index 805486245c5c..0194c8f2e2a2 100644 --- a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 +++ b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 @@ -6,18 +6,23 @@ $ReleaseDevOpsCommonParametersWithProject = $ReleaseDevOpsCommonParameters + @(" function Get-DevOpsRestHeaders() { $headers = $null - if (Get-Variable -Name "devops_pat" -ValueOnly -ErrorAction "Ignore") + $headerAccessToken = $null + if (Get-Variable -Name "accessToken" -ValueOnly -ErrorAction "Ignore") { - $encodedToken = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes([string]::Format("{0}:{1}", "", $devops_pat))) - $headers = @{ Authorization = "Basic $encodedToken" } + $headerAccessToken = $accessToken } else { # Get a temp access token from the logged in az cli user for azure devops resource - $jwt_accessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv) - $headers = @{ Authorization = "Bearer $jwt_accessToken" } + $headerAccessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv) } + if ([System.String]::IsNullOrEmpty($headerAccessToken)) { + throw "Unable to create the DevOpsRestHeader due to access token being null or empy. The calling script needs to be pass an the accessToken value OR the calling script needs to be run in an azure authenticated environment." + } + + $headers = @{ Authorization = "Bearer $headerAccessToken" } + return $headers } 
@@ -103,15 +108,6 @@ function Invoke-Query($fields, $wiql, $output = $true) return $workItems } -function LoginToAzureDevops([string]$devops_pat) -{ - if (!$devops_pat) { - return - } - # based on the docs at https://aka.ms/azure-devops-cli-auth the recommendation is to set this env variable to login - $env:AZURE_DEVOPS_EXT_PAT = $devops_pat -} - function BuildHashKeyNoNull() { $filterNulls = $args | Where-Object { $_ } @@ -374,7 +370,7 @@ function CreateWorkItem($title, $type, $iteration, $area, $fields, $assignedTo, { CreateWorkItemRelation $workItemId $parentId "parent" $outputCommand } - + # Add a work item as related if given. if ($relatedId) { diff --git a/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 b/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 index 11f0505f63fa..4cc06c568090 100644 --- a/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 +++ b/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 @@ -15,7 +15,7 @@ param( [string]$packageNewLibrary = "true", [string]$relatedWorkItemId = $null, [string]$tag = $null, - [string]$devops_pat = $env:DEVOPS_PAT, + [string]$accessToken = $null, [bool]$inRelease = $true ) #Requires -Version 6.0 @@ -29,17 +29,13 @@ if (!(Get-Command az -ErrorAction SilentlyContinue)) { . (Join-Path $PSScriptRoot SemVer.ps1) . (Join-Path $PSScriptRoot Helpers DevOps-WorkItem-Helpers.ps1) -if (!$devops_pat) { +if (!$accessToken) { az account show *> $null if (!$?) { Write-Host 'Running az login...' az login *> $null } } -else { - # Login using PAT - LoginToAzureDevops $devops_pat -} az extension show -n azure-devops *> $null if (!$?){ diff --git a/eng/common/scripts/Validate-All-Packages.ps1 b/eng/common/scripts/Validate-All-Packages.ps1 index 46d76195ba14..20c9ffba2436 100644 --- a/eng/common/scripts/Validate-All-Packages.ps1 +++ b/eng/common/scripts/Validate-All-Packages.ps1 
@@ -12,7 +12,7 @@ Param ( [string]$BuildDefinition, [string]$PipelineUrl, [string]$APIViewUri = "https://apiview.dev/AutoReview/GetReviewStatus", - [string]$Devops_pat = $env:DEVOPS_PAT, + [string]$AccessToken = $null, [bool] $IsReleaseBuild = $false ) @@ -34,7 +34,7 @@ function ProcessPackage($PackageName, $ConfigFileDir) -BuildDefinition $BuildDefinition ` -PipelineUrl $PipelineUrl ` -ConfigFileDir $ConfigFileDir ` - -Devops_pat $Devops_pat + -AccessToken $AccessToken if ($LASTEXITCODE -ne 0) { Write-Error "Failed to validate package $PackageName" exit 1 diff --git a/eng/common/scripts/Validate-Package.ps1 b/eng/common/scripts/Validate-Package.ps1 index 4b9b9d864abb..ee90752ad2e0 100644 --- a/eng/common/scripts/Validate-Package.ps1 +++ b/eng/common/scripts/Validate-Package.ps1 @@ -2,20 +2,20 @@ [CmdletBinding()] param ( - [Parameter(Mandatory = $true)] + [Parameter(Mandatory = $true)] [string] $PackageName, - [Parameter(Mandatory = $true)] + [Parameter(Mandatory = $true)] [string] $ArtifactPath, [Parameter(Mandatory=$True)] [string] $RepoRoot, [Parameter(Mandatory=$True)] - [string] $APIKey, + [string] $APIKey, [Parameter(Mandatory=$True)] [string] $ConfigFileDir, [string] $BuildDefinition, [string] $PipelineUrl, [string] $APIViewUri, - [string] $Devops_pat = $env:DEVOPS_PAT, + [string] $AccessToken = $null, [bool] $IsReleaseBuild = $false ) Set-StrictMode -Version 3 @@ -24,17 +24,13 @@ Set-StrictMode -Version 3 . ${PSScriptRoot}\Helpers\ApiView-Helpers.ps1 . ${PSScriptRoot}\Helpers\DevOps-WorkItem-Helpers.ps1 -if (!$Devops_pat) { +if (!$AccessToken) { az account show *> $null if (!$?) { Write-Host 'Running az login...' az login *> $null } } -else { - # Login using PAT - LoginToAzureDevops $Devops_pat -} az extension show -n azure-devops *> $null if (!$?){ 
@@ -57,12 +53,12 @@ function ValidateChangeLog($changeLogPath, $versionString, $validationStatus) Message = "" } $changeLogFullPath = Join-Path $RepoRoot $changeLogPath - Write-Host "Path to change log: [$changeLogFullPath]" + Write-Host "Path to change log: [$changeLogFullPath]" if (Test-Path $changeLogFullPath) { Confirm-ChangeLogEntry -ChangeLogLocation $changeLogFullPath -VersionString $versionString -ForRelease $true -ChangeLogStatus $ChangeLogStatus -SuppressErrors $true $validationStatus.Status = if ($ChangeLogStatus.IsValid) { "Success" } else { "Failed" } - $validationStatus.Message = $ChangeLogStatus.Message + $validationStatus.Message = $ChangeLogStatus.Message } else { $validationStatus.Status = "Failed" @@ -83,7 +79,7 @@ function VerifyAPIReview($packageName, $packageVersion, $language) $APIReviewValidation = [PSCustomObject]@{ Name = "API Review Approval" Status = "Pending" - Message = "" + Message = "" } $PackageNameValidation = [PSCustomObject]@{ Name = "Package Name Approval" @@ -101,7 +97,7 @@ function VerifyAPIReview($packageName, $packageVersion, $language) IsApproved = $false Details = "" } - Write-Host "Checking API review status for package $packageName with version $packageVersion. language [$language]." + Write-Host "Checking API review status for package $packageName with version $packageVersion. language [$language]." Check-ApiReviewStatus $packageName $packageVersion $language $APIViewUri $APIKey $apiStatus $packageNameStatus Write-Host "API review approval details: $($apiStatus.Details)" 
@@ -132,14 +128,14 @@ function VerifyAPIReview($packageName, $packageVersion, $language) function IsVersionShipped($packageName, $packageVersion) { - # This function will decide if a package version is already shipped or not + # This function will decide if a package version is already shipped or not Write-Host "Checking if a version is already shipped for package $packageName with version $packageVersion." $parsedNewVersion = [AzureEngSemanticVersion]::new($packageVersion) $versionMajorMinor = "" + $parsedNewVersion.Major + "." + $parsedNewVersion.Minor $workItem = FindPackageWorkItem -lang $LanguageDisplayName -packageName $packageName -version $versionMajorMinor -includeClosed $true -outputCommand $false if ($workItem) { - # Check if the package version is already shipped + # Check if the package version is already shipped $shippedVersionSet = ParseVersionSetFromMDField $workItem.fields["Custom.ShippedPackages"] if ($shippedVersionSet.ContainsKey($packageVersion)) { return $true @@ -163,8 +159,8 @@ function CreateUpdatePackageWorkItem($pkgInfo) $setReleaseState = $false $plannedDate = "unknown" } - - # Create or update package work item + + # Create or update package work item &$EngCommonScriptsDir/Update-DevOps-Release-WorkItem.ps1 ` -language $LanguageDisplayName ` -packageName $packageName ` @@ -176,8 +172,8 @@ function CreateUpdatePackageWorkItem($pkgInfo) -serviceName "unknown" ` -packageDisplayName "unknown" ` -inRelease $IsReleaseBuild ` - -devops_pat $Devops_pat - + -accessToken $AccessToken + if ($LASTEXITCODE -ne 0) { Write-Host "Update of the Devops Release WorkItem failed." 
@@ -244,7 +240,7 @@ $updatedWi = CreateUpdatePackageWorkItem $pkgInfo # Update validation status in package work item if ($updatedWi) { Write-Host "Updating validation status in package work item." - $updatedWi = UpdateValidationStatus $pkgValidationDetails $BuildDefinition $PipelineUrl + $updatedWi = UpdateValidationStatus $pkgValidationDetails $BuildDefinition $PipelineUrl } # Fail the build if any validation is not successful for a release build @@ -254,7 +250,7 @@ Write-Host "Package Name status:" $apireviewDetails.PackageNameApproval.Status if ($IsReleaseBuild) { - if (!$updatedWi -or $changelogStatus.Status -ne "Success" -or $apireviewDetails.ApiviewApproval.Status -ne "Approved" -or $apireviewDetails.PackageNameApproval.Status -ne "Approved") { + if (!$updatedWi -or $changelogStatus.Status -ne "Success" -or $apireviewDetails.ApiviewApproval.Status -ne "Approved" -or $apireviewDetails.PackageNameApproval.Status -ne "Approved") { Write-Error "At least one of the Validations above failed for package $pkgName with version $versionString." exit 1 } From 2a83a825ef3bedb3edc6a40b96974d0da2f09e01 Mon Sep 17 00:00:00 2001 From: James Suplizio Date: Fri, 7 Jun 2024 10:32:47 -0700 Subject: [PATCH 2/3] Don't pass in the access token, just use the AzureCLI task and do everything in the scripts --- .../templates/steps/validate-all-packages.yml | 2 -- .../scripts/Helpers/DevOps-WorkItem-Helpers.ps1 | 13 ++----------- .../scripts/Update-DevOps-Release-WorkItem.ps1 | 11 ++++------- eng/common/scripts/Validate-All-Packages.ps1 | 4 +--- eng/common/scripts/Validate-Package.ps1 | 14 +++++--------- 5 files changed, 12 insertions(+), 32 deletions(-) diff --git a/eng/common/pipelines/templates/steps/validate-all-packages.yml b/eng/common/pipelines/templates/steps/validate-all-packages.yml index b2ba48e197b1..679d8830a459 100644 --- a/eng/common/pipelines/templates/steps/validate-all-packages.yml +++ b/eng/common/pipelines/templates/steps/validate-all-packages.yml 
@@ -16,7 +16,6 @@ steps: scriptType: pscore scriptLocation: inlineScript inlineScript: | - $accessToken = az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv $(Build.SourcesDirectory)/eng/common/scripts/Validate-All-Packages.ps1 ` -ArtifactList ('${{ convertToJson(parameters.Artifacts) }}' | ConvertFrom-Json | Select-Object Name) ` -ArtifactPath ${{ parameters.ArtifactPath }} ` @@ -25,7 +24,6 @@ steps: -ConfigFileDir '${{ parameters.ConfigFileDir }}' ` -BuildDefinition $(System.CollectionUri)$(System.TeamProject)/_build?definitionId=$(System.DefinitionId) ` -PipelineUrl $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) ` - -AccessToken $accessToken ` -IsReleaseBuild $$(SetAsReleaseBuild) workingDirectory: $(Pipeline.Workspace) displayName: Validate packages and update work items diff --git a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 index 0194c8f2e2a2..ee55d23274d7 100644 --- a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 +++ b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 
@@ -5,17 +5,8 @@ $ReleaseDevOpsCommonParametersWithProject = $ReleaseDevOpsCommonParameters + @(" function Get-DevOpsRestHeaders() { - $headers = $null - $headerAccessToken = $null - if (Get-Variable -Name "accessToken" -ValueOnly -ErrorAction "Ignore") - { - $headerAccessToken = $accessToken - } - else - { - # Get a temp access token from the logged in az cli user for azure devops resource - $headerAccessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv) - } + # Get a temp access token from the logged in az cli user for azure devops resource + $headerAccessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv) if ([System.String]::IsNullOrEmpty($headerAccessToken)) { throw "Unable to create the DevOpsRestHeader due to access token being null or empy. The calling script needs to be pass an the accessToken value OR the calling script needs to be run in an azure authenticated environment." diff --git a/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 b/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 index 4cc06c568090..aa3f98860c4c 100644 --- a/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 +++ b/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 @@ -15,7 +15,6 @@ param( [string]$packageNewLibrary = "true", [string]$relatedWorkItemId = $null, [string]$tag = $null, - [string]$accessToken = $null, [bool]$inRelease = $true ) #Requires -Version 6.0 @@ -29,12 +28,10 @@ if (!(Get-Command az -ErrorAction SilentlyContinue)) { . (Join-Path $PSScriptRoot SemVer.ps1) . (Join-Path $PSScriptRoot Helpers DevOps-WorkItem-Helpers.ps1) -if (!$accessToken) { - az account show *> $null - if (!$?) { - Write-Host 'Running az login...' - az login *> $null - } +az account show *> $null +if (!$?) { + Write-Host 'Running az login...' + az login *> $null } az extension show -n azure-devops *> $null 
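Review bot: In Update-DevOps-Release-WorkItem.ps1 the `az login *> $null` fallback now runs whenever `az account show` fails, and neither its exit status nor its output is looked at. On an agent with no existing az session the call cannot complete interactively, and because every stream is sent to `$null` any prompt or error az prints is lost; the failure then presumably only surfaces later as the empty-token throw in Get-DevOpsRestHeaders. I would check the result right after the call, `if ($LASTEXITCODE -ne 0) { Write-Error 'az login failed'; exit 1 }`, and skip the interactive login when `$env:TF_BUILD` is set. The same block is added to Validate-Package.ps1 in this patch and re-indented in PATCH 3/3.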
diff --git a/eng/common/scripts/Validate-All-Packages.ps1 b/eng/common/scripts/Validate-All-Packages.ps1 index 20c9ffba2436..f327c455291e 100644 --- a/eng/common/scripts/Validate-All-Packages.ps1 +++ b/eng/common/scripts/Validate-All-Packages.ps1 @@ -12,7 +12,6 @@ Param ( [string]$BuildDefinition, [string]$PipelineUrl, [string]$APIViewUri = "https://apiview.dev/AutoReview/GetReviewStatus", - [string]$AccessToken = $null, [bool] $IsReleaseBuild = $false ) @@ -33,8 +32,7 @@ function ProcessPackage($PackageName, $ConfigFileDir) -APIKey $APIKey ` -BuildDefinition $BuildDefinition ` -PipelineUrl $PipelineUrl ` - -ConfigFileDir $ConfigFileDir ` - -AccessToken $AccessToken + -ConfigFileDir $ConfigFileDir if ($LASTEXITCODE -ne 0) { Write-Error "Failed to validate package $PackageName" exit 1 diff --git a/eng/common/scripts/Validate-Package.ps1 b/eng/common/scripts/Validate-Package.ps1 index ee90752ad2e0..ee347e5da928 100644 --- a/eng/common/scripts/Validate-Package.ps1 +++ b/eng/common/scripts/Validate-Package.ps1 @@ -15,7 +15,6 @@ param ( [string] $BuildDefinition, [string] $PipelineUrl, [string] $APIViewUri, - [string] $AccessToken = $null, [bool] $IsReleaseBuild = $false ) Set-StrictMode -Version 3 @@ -24,12 +23,10 @@ Set-StrictMode -Version 3 . ${PSScriptRoot}\Helpers\ApiView-Helpers.ps1 . ${PSScriptRoot}\Helpers\DevOps-WorkItem-Helpers.ps1 -if (!$AccessToken) { - az account show *> $null - if (!$?) { - Write-Host 'Running az login...' - az login *> $null - } +az account show *> $null +if (!$?) { +Write-Host 'Running az login...' +az login *> $null } az extension show -n azure-devops *> $null @@ -171,8 +168,7 @@ function CreateUpdatePackageWorkItem($pkgInfo) -packageNewLibrary $pkgInfo.IsNewSDK ` -serviceName "unknown" ` -packageDisplayName "unknown" ` - -inRelease $IsReleaseBuild ` - -accessToken $AccessToken + -inRelease $IsReleaseBuild if ($LASTEXITCODE -ne 0) { From d5c9389df1af39503e65938455186ec06aa0439e Mon Sep 17 00:00:00 2001 
From: James Suplizio Date: Fri, 7 Jun 2024 10:54:40 -0700 Subject: [PATCH 3/3] Updates for feedback --- eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 | 2 +- eng/common/scripts/Validate-Package.ps1 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 index ee55d23274d7..4707517d8cc0 100644 --- a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 +++ b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 @@ -9,7 +9,7 @@ function Get-DevOpsRestHeaders() $headerAccessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv) if ([System.String]::IsNullOrEmpty($headerAccessToken)) { - throw "Unable to create the DevOpsRestHeader due to access token being null or empy. The calling script needs to be pass an the accessToken value OR the calling script needs to be run in an azure authenticated environment." + throw "Unable to create the DevOpsRestHeader due to access token being null or empty. The caller needs to be logged in with az login to an account with enough permissions to edit work items in the azure-sdk Release team project." } $headers = @{ Authorization = "Bearer $headerAccessToken" } diff --git a/eng/common/scripts/Validate-Package.ps1 b/eng/common/scripts/Validate-Package.ps1 index ee347e5da928..070d7b23db0c 100644 --- a/eng/common/scripts/Validate-Package.ps1 +++ b/eng/common/scripts/Validate-Package.ps1 @@ -25,8 +25,8 @@ Set-StrictMode -Version 3 az account show *> $null if (!$?) { -Write-Host 'Running az login...' -az login *> $null + Write-Host 'Running az login...' + az login *> $null } az extension show -n azure-devops *> $null