Refresh GitHub App installation token before pushing to azure-sdk-for-net

[Copilot]

Submit-AzureSdkForNetPr.ps1 fails at git push with Invalid username or token. Password authentication is not supported for Git operations. after regenerating Azure data-plane / mgmt libraries.

#10710 fixed the URL scheme (x-access-token:<token>) but didn't address token lifetime: the CreatePR job mints a GitHub App installation token once up front, then Submit-AzureSdkForNetPr.ps1 regenerates SDKs (118 files / 6353 insertions in the failing run) before pushing. Installation tokens expire after 1 hour, so the regen routinely outlives the token.

Changes

• Submit-AzureSdkForNetPr.ps1 — Immediately before git push, invoke eng/common/scripts/login-to-github.ps1 to mint a fresh installation token, then use it for both the push URL and (via $env:GH_TOKEN) gh pr create. The login script is invoked with the same params as the login-to-github.yml template at publish.yml#L221 (-InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN'). Existence of the refreshed token is checked via Test-Path Env:GH_TOKEN to avoid dereferencing the value. Falls back to the original $AuthToken with a warning when the login script is unavailable or fails (e.g., local/manual runs with a classic PAT).

• packages/http-client-csharp/eng/pipeline/publish.yml — Switch the step that runs Submit-AzureSdkForNetPr.ps1 from PowerShell@2 to AzureCLI@2 (with azureSubscription: "AzureSDKEngKeyVault Secrets", the same subscription login-to-github.yml uses). The az CLI auth from the upstream AzureCLI@2-based login-to-github.yml step does not persist into the next task, so the in-script call to login-to-github.ps1 previously failed to sign the JWT with Key Vault (ERROR: Please run 'az login' to setup account.). Running the script under AzureCLI@2 gives it the az auth context it needs to mint a fresh installation token mid-run.

$loginScript = Join-Path $PSScriptRoot "../../../../eng/common/scripts/login-to-github.ps1"
if (Test-Path $loginScript) {
    try {
        & $loginScript -InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN'
        if ($LASTEXITCODE -eq 0 -and (Test-Path Env:GH_TOKEN)) {
            $AuthToken = $env:GH_TOKEN
        }
    } catch {
        Write-Warning "Failed to refresh token: $($_.Exception.Message). Falling back."
    }
}

$remoteUrl = "******github.com/$RepoOwner/$RepoName.git"
git push $remoteUrl $PRBranch

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@typespec/http-client-csharp@10737

commit: c233721

[jsquire]

per offline conversation, this runs in a trusted DevOps environment and only on merge commits to main - which would have already passed team review and been evaluated for malicious intent. No concerns.