From 085e4152730c071bcdc733744ffebf85fa387317 Mon Sep 17 00:00:00 2001
From: James Suplizio
Date: Thu, 13 Jun 2024 09:15:24 -0700
Subject: [PATCH] Removal of the devops release PAT (#8388)
* Removal of the devops release PAT
* Don't pass in the access token, just use the AzureCLI task and do everything in the scripts
* Updates for feedback
---
.../templates/steps/validate-all-packages.yml | 27 +++++------
.../Helpers/DevOps-WorkItem-Helpers.ps1 | 29 ++++--------
.../Update-DevOps-Release-WorkItem.ps1 | 15 ++----
eng/common/scripts/Validate-All-Packages.ps1 | 4 +-
eng/common/scripts/Validate-Package.ps1 | 46 ++++++++-----------
.../devops-create-package-workitem.yml | 29 ++++++------
eng/scripts/Create-Package-WorkItem.ps1 | 8 ++--
7 files changed, 64 insertions(+), 94 deletions(-)
diff --git a/eng/common/pipelines/templates/steps/validate-all-packages.yml b/eng/common/pipelines/templates/steps/validate-all-packages.yml
index db374478a06..679d8830a45 100644
--- a/eng/common/pipelines/templates/steps/validate-all-packages.yml
+++ b/eng/common/pipelines/templates/steps/validate-all-packages.yml
@@ -10,20 +10,21 @@ steps: displayName: "Set as release build" condition: and(succeeded(), eq(variables['SetAsReleaseBuild'], '')) - - task: Powershell@2 + - task: AzureCLI@2 inputs: - filePath: $(Build.SourcesDirectory)/eng/common/scripts/Validate-All-Packages.ps1 - arguments: > - -ArtifactList ('${{ convertToJson(parameters.Artifacts) }}' | ConvertFrom-Json | Select-Object Name) - -ArtifactPath ${{ parameters.ArtifactPath }} - -RepoRoot $(Build.SourcesDirectory) - -APIKey $(azuresdk-apiview-apikey) - -ConfigFileDir '${{ parameters.ConfigFileDir }}' - -BuildDefinition $(System.CollectionUri)$(System.TeamProject)/_build?definitionId=$(System.DefinitionId) - -PipelineUrl $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) - -Devops_pat '$(azuresdk-azure-sdk-devops-release-work-item-pat)' - -IsReleaseBuild $$(SetAsReleaseBuild) - pwsh: true + azureSubscription: opensource-api-connection + scriptType: pscore + scriptLocation: inlineScript + inlineScript: | + $(Build.SourcesDirectory)/eng/common/scripts/Validate-All-Packages.ps1 ` + -ArtifactList ('${{ convertToJson(parameters.Artifacts) }}' | ConvertFrom-Json | Select-Object Name) ` + -ArtifactPath ${{ parameters.ArtifactPath }} ` + -RepoRoot $(Build.SourcesDirectory) ` + -APIKey $(azuresdk-apiview-apikey) ` + -ConfigFileDir '${{ parameters.ConfigFileDir }}' ` + -BuildDefinition $(System.CollectionUri)$(System.TeamProject)/_build?definitionId=$(System.DefinitionId) ` + -PipelineUrl $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) ` + -IsReleaseBuild $$(SetAsReleaseBuild) workingDirectory: $(Pipeline.Workspace) displayName: Validate packages and update work items continueOnError: true diff --git a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 index 805486245c5..4707517d8cc 100644 --- a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 
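Review bot: The added `-APIKey $(azuresdk-apiview-apikey)` argument still macro-expands the APIView key into the text of the inline script, so the secret lands in the generated script and on the command line of Validate-All-Packages.ps1, in a step that now also carries the `opensource-api-connection` login. Map it through the step's `env:` block and read it from the environment instead, for example `APIVIEW_API_KEY: $(azuresdk-apiview-apikey)` under `env:` (variable name constructed here) with `-APIKey $env:APIVIEW_API_KEY` in the script. Separately, the step keeps `continueOnError: true`, so a failure to obtain the Azure DevOps token will presumably show up only as a warning on the step; a one-line comment stating that this is intended would help.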
+++ b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 @@ -5,19 +5,15 @@ $ReleaseDevOpsCommonParametersWithProject = $ReleaseDevOpsCommonParameters + @(" function Get-DevOpsRestHeaders() { - $headers = $null - if (Get-Variable -Name "devops_pat" -ValueOnly -ErrorAction "Ignore") - { - $encodedToken = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes([string]::Format("{0}:{1}", "", $devops_pat))) - $headers = @{ Authorization = "Basic $encodedToken" } - } - else - { - # Get a temp access token from the logged in az cli user for azure devops resource - $jwt_accessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv) - $headers = @{ Authorization = "Bearer $jwt_accessToken" } + # Get a temp access token from the logged in az cli user for azure devops resource + $headerAccessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv) + + if ([System.String]::IsNullOrEmpty($headerAccessToken)) { + throw "Unable to create the DevOpsRestHeader due to access token being null or empty. The caller needs to be logged in with az login to an account with enough permissions to edit work items in the azure-sdk Release team project." } + $headers = @{ Authorization = "Bearer $headerAccessToken" } + return $headers } @@ -103,15 +99,6 @@ function Invoke-Query($fields, $wiql, $output = $true) return $workItems } -function LoginToAzureDevops([string]$devops_pat) -{ - if (!$devops_pat) { - return - } - # based on the docs at https://aka.ms/azure-devops-cli-auth the recommendation is to set this env variable to login - $env:AZURE_DEVOPS_EXT_PAT = $devops_pat -} - function BuildHashKeyNoNull() { $filterNulls = $args | Where-Object { $_ } 
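Review bot: In Get-DevOpsRestHeaders the only failure signal checked after `az account get-access-token` is an empty string; the exit code of `az` is ignored, so the thrown message always points at a missing `az login` even when the command failed for another reason. Consider `if ($LASTEXITCODE -ne 0 -or [System.String]::IsNullOrEmpty($headerAccessToken))` and include the exit code in the message. A short comment on the function noting that the returned hashtable holds a live bearer token and must not be written to logs or verbose output would also help callers.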
@@ -374,7 +361,7 @@ function CreateWorkItem($title, $type, $iteration, $area, $fields, $assignedTo, { CreateWorkItemRelation $workItemId $parentId "parent" $outputCommand } - + # Add a work item as related if given. if ($relatedId) { diff --git a/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 b/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 index 11f0505f63f..aa3f98860c4 100644 --- a/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 +++ b/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 @@ -15,7 +15,6 @@ param( [string]$packageNewLibrary = "true", [string]$relatedWorkItemId = $null, [string]$tag = $null, - [string]$devops_pat = $env:DEVOPS_PAT, [bool]$inRelease = $true ) #Requires -Version 6.0 @@ -29,16 +28,10 @@ if (!(Get-Command az -ErrorAction SilentlyContinue)) { . (Join-Path $PSScriptRoot SemVer.ps1) . (Join-Path $PSScriptRoot Helpers DevOps-WorkItem-Helpers.ps1) -if (!$devops_pat) { - az account show *> $null - if (!$?) { - Write-Host 'Running az login...' - az login *> $null - } -} -else { - # Login using PAT - LoginToAzureDevops $devops_pat +az account show *> $null +if (!$?) { + Write-Host 'Running az login...' + az login *> $null } az extension show -n azure-devops *> $null diff --git a/eng/common/scripts/Validate-All-Packages.ps1 b/eng/common/scripts/Validate-All-Packages.ps1 index 46d76195ba1..f327c455291 100644 --- a/eng/common/scripts/Validate-All-Packages.ps1 +++ b/eng/common/scripts/Validate-All-Packages.ps1 @@ -12,7 +12,6 @@ Param ( [string]$BuildDefinition, [string]$PipelineUrl, [string]$APIViewUri = "https://apiview.dev/AutoReview/GetReviewStatus", - [string]$Devops_pat = $env:DEVOPS_PAT, [bool] $IsReleaseBuild = $false ) 
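Review bot: In the login block of Update-DevOps-Release-WorkItem.ps1 (hunk `@@ -29,16 +28,10 @@`), `az login *> $null` is now the only fallback when `az account show` fails, and its result is never checked. In an unattended run an argument-less `az login` is interactive, and with every stream sent to `$null` neither the prompt nor the failure is visible, so the script presumably carries on unauthenticated until a later call fails. Fail fast instead by adding `if ($LASTEXITCODE -ne 0) { Write-Error 'Azure CLI login failed'; exit 1 }` after the login attempt, or skip the interactive attempt when running in a pipeline. The same block is added to Validate-Package.ps1 in its `@@ -24,16 +23,10 @@` hunk; the script body continues outside both hunks.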
@@ -33,8 +32,7 @@ function ProcessPackage($PackageName, $ConfigFileDir) -APIKey $APIKey ` -BuildDefinition $BuildDefinition ` -PipelineUrl $PipelineUrl ` - -ConfigFileDir $ConfigFileDir ` - -Devops_pat $Devops_pat + -ConfigFileDir $ConfigFileDir if ($LASTEXITCODE -ne 0) { Write-Error "Failed to validate package $PackageName" exit 1 diff --git a/eng/common/scripts/Validate-Package.ps1 b/eng/common/scripts/Validate-Package.ps1 index 4b9b9d864ab..070d7b23db0 100644 --- a/eng/common/scripts/Validate-Package.ps1 +++ b/eng/common/scripts/Validate-Package.ps1 @@ -2,20 +2,19 @@ [CmdletBinding()] param ( - [Parameter(Mandatory = $true)] + [Parameter(Mandatory = $true)] [string] $PackageName, - [Parameter(Mandatory = $true)] + [Parameter(Mandatory = $true)] [string] $ArtifactPath, [Parameter(Mandatory=$True)] [string] $RepoRoot, [Parameter(Mandatory=$True)] - [string] $APIKey, + [string] $APIKey, [Parameter(Mandatory=$True)] [string] $ConfigFileDir, [string] $BuildDefinition, [string] $PipelineUrl, [string] $APIViewUri, - [string] $Devops_pat = $env:DEVOPS_PAT, [bool] $IsReleaseBuild = $false ) Set-StrictMode -Version 3 @@ -24,16 +23,10 @@ Set-StrictMode -Version 3 . ${PSScriptRoot}\Helpers\ApiView-Helpers.ps1 . ${PSScriptRoot}\Helpers\DevOps-WorkItem-Helpers.ps1 -if (!$Devops_pat) { - az account show *> $null - if (!$?) { - Write-Host 'Running az login...' - az login *> $null - } -} -else { - # Login using PAT - LoginToAzureDevops $Devops_pat +az account show *> $null +if (!$?) { + Write-Host 'Running az login...' + az login *> $null } az extension show -n azure-devops *> $null 
@@ -57,12 +50,12 @@ function ValidateChangeLog($changeLogPath, $versionString, $validationStatus) Message = "" } $changeLogFullPath = Join-Path $RepoRoot $changeLogPath - Write-Host "Path to change log: [$changeLogFullPath]" + Write-Host "Path to change log: [$changeLogFullPath]" if (Test-Path $changeLogFullPath) { Confirm-ChangeLogEntry -ChangeLogLocation $changeLogFullPath -VersionString $versionString -ForRelease $true -ChangeLogStatus $ChangeLogStatus -SuppressErrors $true $validationStatus.Status = if ($ChangeLogStatus.IsValid) { "Success" } else { "Failed" } - $validationStatus.Message = $ChangeLogStatus.Message + $validationStatus.Message = $ChangeLogStatus.Message } else { $validationStatus.Status = "Failed" @@ -83,7 +76,7 @@ function VerifyAPIReview($packageName, $packageVersion, $language) $APIReviewValidation = [PSCustomObject]@{ Name = "API Review Approval" Status = "Pending" - Message = "" + Message = "" } $PackageNameValidation = [PSCustomObject]@{ Name = "Package Name Approval" @@ -101,7 +94,7 @@ function VerifyAPIReview($packageName, $packageVersion, $language) IsApproved = $false Details = "" } - Write-Host "Checking API review status for package $packageName with version $packageVersion. language [$language]." + Write-Host "Checking API review status for package $packageName with version $packageVersion. language [$language]." Check-ApiReviewStatus $packageName $packageVersion $language $APIViewUri $APIKey $apiStatus $packageNameStatus Write-Host "API review approval details: $($apiStatus.Details)" 
@@ -132,14 +125,14 @@ function VerifyAPIReview($packageName, $packageVersion, $language) function IsVersionShipped($packageName, $packageVersion) { - # This function will decide if a package version is already shipped or not + # This function will decide if a package version is already shipped or not Write-Host "Checking if a version is already shipped for package $packageName with version $packageVersion." $parsedNewVersion = [AzureEngSemanticVersion]::new($packageVersion) $versionMajorMinor = "" + $parsedNewVersion.Major + "." + $parsedNewVersion.Minor $workItem = FindPackageWorkItem -lang $LanguageDisplayName -packageName $packageName -version $versionMajorMinor -includeClosed $true -outputCommand $false if ($workItem) { - # Check if the package version is already shipped + # Check if the package version is already shipped $shippedVersionSet = ParseVersionSetFromMDField $workItem.fields["Custom.ShippedPackages"] if ($shippedVersionSet.ContainsKey($packageVersion)) { return $true @@ -163,8 +156,8 @@ function CreateUpdatePackageWorkItem($pkgInfo) $setReleaseState = $false $plannedDate = "unknown" } - - # Create or update package work item + + # Create or update package work item &$EngCommonScriptsDir/Update-DevOps-Release-WorkItem.ps1 ` -language $LanguageDisplayName ` -packageName $packageName ` @@ -175,9 +168,8 @@ function CreateUpdatePackageWorkItem($pkgInfo) -packageNewLibrary $pkgInfo.IsNewSDK ` -serviceName "unknown" ` -packageDisplayName "unknown" ` - -inRelease $IsReleaseBuild ` - -devops_pat $Devops_pat - + -inRelease $IsReleaseBuild + if ($LASTEXITCODE -ne 0) { Write-Host "Update of the Devops Release WorkItem failed." 
@@ -244,7 +236,7 @@ $updatedWi = CreateUpdatePackageWorkItem $pkgInfo # Update validation status in package work item if ($updatedWi) { Write-Host "Updating validation status in package work item." - $updatedWi = UpdateValidationStatus $pkgValidationDetails $BuildDefinition $PipelineUrl + $updatedWi = UpdateValidationStatus $pkgValidationDetails $BuildDefinition $PipelineUrl } # Fail the build if any validation is not successful for a release build @@ -254,7 +246,7 @@ Write-Host "Package Name status:" $apireviewDetails.PackageNameApproval.Status if ($IsReleaseBuild) { - if (!$updatedWi -or $changelogStatus.Status -ne "Success" -or $apireviewDetails.ApiviewApproval.Status -ne "Approved" -or $apireviewDetails.PackageNameApproval.Status -ne "Approved") { + if (!$updatedWi -or $changelogStatus.Status -ne "Success" -or $apireviewDetails.ApiviewApproval.Status -ne "Approved" -or $apireviewDetails.PackageNameApproval.Status -ne "Approved") { Write-Error "At least one of the Validations above failed for package $pkgName with version $versionString." exit 1 } diff --git a/eng/pipelines/devops-create-package-workitem.yml b/eng/pipelines/devops-create-package-workitem.yml index 532057d96a1..bc6f67dcf68 100644 --- a/eng/pipelines/devops-create-package-workitem.yml +++ b/eng/pipelines/devops-create-package-workitem.yml 
@@ -45,19 +45,20 @@ parameters: steps: - checkout: self -- task: PowerShell@2 +- task: AzureCLI@2 displayName: Create Package Work Item inputs: - pwsh: true - filePath: $(Build.SourcesDirectory)/eng/scripts/Create-Package-WorkItem.ps1 - arguments: > - -PackageLanguage "$(Language)" - -ServiceName "$(ServiceName)" - -PackageDisplayName "$(PackageDisplayName)" - -PackageName "$(PackageName)" - -PackageVersion "$(PackageVersion)" - -ReleaseDate "$(ReleaseDate)" - -RelatedWorkItemId "$(RelatedWorkItemId)" - -Tag "$(Tag)" - -WorkingDir "$(Pipeline.Workspace)" - -Devops_pat "$(azuresdk-azure-sdk-devops-release-work-item-pat)" + azureSubscription: opensource-api-connection + scriptType: pscore + scriptLocation: inlineScript + inlineScript: | + $(Build.SourcesDirectory)/eng/scripts/Create-Package-WorkItem.ps1 ` + -PackageLanguage "$(Language)" ` + -ServiceName "$(ServiceName)" ` + -PackageDisplayName "$(PackageDisplayName)" ` + -PackageName "$(PackageName)" ` + -PackageVersion "$(PackageVersion)" ` + -ReleaseDate "$(ReleaseDate)" ` + -RelatedWorkItemId "$(RelatedWorkItemId)" ` + -Tag "$(Tag)" ` + -WorkingDir "$(Pipeline.Workspace)" diff --git a/eng/scripts/Create-Package-WorkItem.ps1 b/eng/scripts/Create-Package-WorkItem.ps1 index 5eb2df3f8aa..292a90029c6 100644 --- a/eng/scripts/Create-Package-WorkItem.ps1 +++ b/eng/scripts/Create-Package-WorkItem.ps1 @@ -15,8 +15,7 @@ param ( [string]$RelatedWorkItemId, [string]$Tag = "", [string]$WorkingDir = ".", - [string]$PackageRootPath = "", - [string]$Devops_pat = $env:DEVOPS_PAT + [string]$PackageRootPath = "" ) Set-StrictMode -Version 3 @@ -62,7 +61,7 @@ try exit 1 } - # Create or update package work item + # Create or update package work item &$EngCommonScriptsDir/Update-DevOps-Release-WorkItem.ps1 ` -language $PackageLanguage ` -packageName $PackageName ` 
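Review bot: The inline script places `"$(Language)"`, `"$(ServiceName)"`, `"$(Tag)"` and the other macro values inside PowerShell double quotes, so each value is substituted into the script text before PowerShell parses it and is treated as code rather than as data. This step now runs under the `opensource-api-connection` Azure login, so the script should not be assembled from variables that may be settable at queue time (their definitions are outside this hunk). Pass them through the step's `env:` block and reference them as `$env:NAME`, for example `PACKAGE_NAME: $(PackageName)` under `env:` with `-PackageName $env:PACKAGE_NAME` in the script.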
@@ -74,8 +73,7 @@ try -serviceName $ServiceName ` -packageDisplayName $PackageDisplayName ` -relatedWorkItemId $RelatedWorkItemId ` - -tag $Tag ` - -devops_pat $Devops_pat + -tag $Tag } finally { Pop-Location