
Commit 5ee6fff

Refresh GitHub App installation token before pushing to azure-sdk-for-net (#10737)
`Submit-AzureSdkForNetPr.ps1` fails at `git push` with `Invalid username or token. Password authentication is not supported for Git operations.` after regenerating Azure data-plane / mgmt libraries.

#10710 fixed the URL scheme (`x-access-token:<token>`) but didn't address token lifetime: the `CreatePR` job mints a GitHub App installation token once up front, then `Submit-AzureSdkForNetPr.ps1` regenerates SDKs (118 files / 6353 insertions in the failing run) before pushing. Installation tokens expire after **1 hour**, so the regen routinely outlives the token.

### Changes

- **`Submit-AzureSdkForNetPr.ps1`** — Immediately before `git push`, invoke `eng/common/scripts/login-to-github.ps1` to mint a fresh installation token, then use it for both the push URL and (via `$env:GH_TOKEN`) `gh pr create`. The login script is invoked with the same params as the `login-to-github.yml` template at `publish.yml#L221` (`-InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN'`). Existence of the refreshed token is checked via `Test-Path Env:GH_TOKEN` to avoid dereferencing the value. Falls back to the original `$AuthToken` with a warning when the login script is unavailable or fails (e.g., local/manual runs with a classic PAT).
- **`packages/http-client-csharp/eng/pipeline/publish.yml`** — Switch the step that runs `Submit-AzureSdkForNetPr.ps1` from `PowerShell@2` to `AzureCLI@2` (with `azureSubscription: "AzureSDKEngKeyVault Secrets"`, the same subscription `login-to-github.yml` uses). The `az` CLI auth from the upstream `AzureCLI@2`-based `login-to-github.yml` step does **not** persist into the next task, so the in-script call to `login-to-github.ps1` previously failed to sign the JWT with Key Vault (`ERROR: Please run 'az login' to setup account.`). Running the script under `AzureCLI@2` gives it the `az` auth context it needs to mint a fresh installation token mid-run.

```powershell
$loginScript = Join-Path $PSScriptRoot "../../../../eng/common/scripts/login-to-github.ps1"
if (Test-Path $loginScript) {
    try {
        & $loginScript -InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN'
        if ($LASTEXITCODE -eq 0 -and (Test-Path Env:GH_TOKEN)) {
            $AuthToken = $env:GH_TOKEN
        }
    } catch {
        Write-Warning "Failed to refresh token: $($_.Exception.Message). Falling back."
    }
}
$remoteUrl = "******github.com/$RepoOwner/$RepoName.git"
git push $remoteUrl $PRBranch
```

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jorgerangel-msft <102122018+jorgerangel-msft@users.noreply.github.com>
1 parent 086b60e commit 5ee6fff

2 files changed

Lines changed: 23 additions & 3 deletions


packages/http-client-csharp/eng/pipeline/publish.yml

Lines changed: 5 additions & 3 deletions
@@ -223,11 +223,13 @@ extends:
223223
TokenOwners:
224224
- Azure
225225

226-
- task: PowerShell@2
226+
- task: AzureCLI@2
227227
displayName: Generate emitter-package.json files & create PR in azure-sdk-for-net
228228
inputs:
229-
pwsh: true
230-
filePath: $(Build.SourcesDirectory)/packages/http-client-csharp/eng/scripts/Submit-AzureSdkForNetPr.ps1
229+
azureSubscription: "AzureSDKEngKeyVault Secrets"
230+
scriptType: pscore
231+
scriptLocation: scriptPath
232+
scriptPath: $(Build.SourcesDirectory)/packages/http-client-csharp/eng/scripts/Submit-AzureSdkForNetPr.ps1
231233
arguments: >
232234
-PackageVersion '$(PackageVersion)'
233235
-TypeSpecCommitUrl '$(TypeSpecCommitUrl)'
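
Review bot: The `azureSubscription: "AzureSDKEngKeyVault Secrets"` input on the new `AzureCLI@2` task puts the whole of `Submit-AzureSdkForNetPr.ps1` under an authenticated `az` context, although per the commit message only the in-script call to `login-to-github.ps1` needs it to sign the JWT with Key Vault. The same script also regenerates the SDKs, so the generator and build tooling it launches run with that credential in scope for the full step. Consider moving the push and PR creation into their own `AzureCLI@2` step that runs after regeneration, so the Key Vault context covers only the token mint. Failing that, add a YAML comment above `- task: AzureCLI@2` saying why the task type is required, so a later cleanup does not revert it to `PowerShell@2` and reintroduce the expired-token failure.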

packages/http-client-csharp/eng/scripts/Submit-AzureSdkForNetPr.ps1

Lines changed: 18 additions & 0 deletions
@@ -689,6 +689,24 @@ try {
689689
throw "Failed to commit changes"
690690
}
691691

692+
$loginScript = Join-Path $PSScriptRoot "../../../../eng/common/scripts/login-to-github.ps1"
693+
if (Test-Path $loginScript) {
694+
Write-Host "Refreshing GitHub App installation token before push..."
695+
try {
696+
& $loginScript -InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN'
697+
if ($LASTEXITCODE -eq 0 -and (Test-Path Env:GH_TOKEN)) {
698+
$AuthToken = $env:GH_TOKEN
699+
Write-Host "GitHub App installation token refreshed."
700+
} else {
701+
Write-Warning "login-to-github.ps1 did not produce a fresh token (exit code $LASTEXITCODE); falling back to existing token."
702+
}
703+
} catch {
704+
Write-Warning "Failed to refresh GitHub App installation token: $($_.Exception.Message). Falling back to existing token."
705+
}
706+
} else {
707+
Write-Host "login-to-github.ps1 not found at $loginScript; skipping token refresh (assuming a non-pipeline run with a long-lived token)."
708+
}
709+
692710
# Push the branch. Use the x-access-token username scheme so the URL works
693711
# both with classic PATs and with GitHub App installation tokens (ghs_*).
694712
Write-Host "Pushing branch to remote..."
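
Review bot: The success test `if ($LASTEXITCODE -eq 0 -and (Test-Path Env:GH_TOKEN))` does not show that a new token was minted. `$LASTEXITCODE` is only updated by native commands or an explicit `exit`, so it can still hold the 0 left by the commit step just above this block, and `Test-Path Env:GH_TOKEN` is also true when the variable was already set before the call. In either case the script logs "GitHub App installation token refreshed." and pushes with whatever `GH_TOKEN` holds. Suggest capturing the prior value of `$env:GH_TOKEN` before invoking `$loginScript` and requiring that it changed afterwards (compare without writing either value to the log), and resetting `$LASTEXITCODE` before the call. Separately, both fallback branches only `Write-Warning` and continue, which in a pipeline run leads back to the same `Invalid username or token` push failure after a long regen; consider throwing there when running in the pipeline and keeping the fallback for local runs only.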
