From d85d73848634bd6f4de6a941668d95ed9721a853 Mon Sep 17 00:00:00 2001 From: ramsessanchez <63934382+ramsessanchez@users.noreply.github.com> Date: Fri, 10 Jul 2026 14:18:01 -0700 Subject: [PATCH 1/3] docs(ci): clarify why GitHub App auth is used for cross-org repos Reword the useGitHubAppAuth comments and set-app-token-push-url.ps1 header so they no longer imply repo visibility is what selects App auth. Make clear the real driver is a target repo living in a different org than the shared service connection covers (which would otherwise need its own PAT), and that public visibility only enables the anonymous clone / credential-free read, not App auth itself. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Copilot-Session: e612601e-259f-4cfe-8924-337af9663c80 --- .../language-generation-kiota.yml | 22 ++++++++++++++----- scripts/set-app-token-push-url.ps1 | 9 ++++++-- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/.azure-pipelines/generation-templates/language-generation-kiota.yml b/.azure-pipelines/generation-templates/language-generation-kiota.yml index 09944949f..3bd88cdb4 100644 --- a/.azure-pipelines/generation-templates/language-generation-kiota.yml +++ b/.azure-pipelines/generation-templates/language-generation-kiota.yml @@ -56,10 +56,19 @@ parameters: type: string default: "-e '/copilot' -e '/copilot/**'" -# When true, the target repository is read anonymously (public repo) and the generated -# files are pushed using a GitHub App installation token instead of a PAT-backed service -# connection. PR creation is App-based regardless. Defaults to false to preserve the -# existing service connection based behaviour for the microsoftgraph SDK repos. +# Set this to true for target repos that live in a different GitHub org than the shared +# service connection covers. Those repos can't ride on that connection and historically +# needed their own separate PAT-backed one. This flag removes that PAT by reusing the +# GitHub App identity (which already creates the PRs) for the push as well. +# +# NOTE: repo visibility is NOT what selects this path - the SDK repos on the default path +# are public too. Visibility only affects HOW the target is read: when the repo is public +# we can clone it anonymously and avoid needing any read credential at all, leaving the +# App token needed only for the push. A private repo could still use App auth, but would +# need a read credential instead of an anonymous clone. +# +# Defaults to false, which keeps the other SDK repos on their existing service-connection +# checkout/push flow, unchanged. - name: useGitHubAppAuth type: boolean default: false @@ -83,8 +92,9 @@ steps: fetchDepth: 1 persistCredentials: true -# App-auth path: the target repo is public, so clone it anonymously (no PAT). The push -# remote is switched to a GitHub App token in a later step before the push happens. +# App-auth path: read the target with no credential. This is possible because the repo is +# public - it is not why App auth is used (see the useGitHubAppAuth param notes). The push +# remote is switched to a GitHub App token in a later step, before the push happens. - ${{ if eq(parameters.useGitHubAppAuth, true) }}: - pwsh: | $repoDir = "$(Build.SourcesDirectory)/${{ parameters.repoName }}" diff --git a/scripts/set-app-token-push-url.ps1 b/scripts/set-app-token-push-url.ps1 index a7aa22c31..5a6a4e50d 100644 --- a/scripts/set-app-token-push-url.ps1 +++ b/scripts/set-app-token-push-url.ps1 @@ -2,8 +2,13 @@ # Licensed under the MIT License. # Configure the 'origin' push URL of an already-cloned repository to authenticate with a -# GitHub App installation token instead of a PAT. The fetch URL is left untouched so reads -# stay anonymous for public repositories. +# GitHub App installation token instead of a PAT. This lets a repo be pushed to using the +# App identity (the same one that opens the PRs), which removes the need for a dedicated +# PAT when the repo isn't covered by the pipeline's shared service connection. +# +# Only the push URL is changed; the fetch URL is left untouched. That is a deliberate +# optimization for public repos (their initial clone was anonymous, so reads never needed +# a credential) - it is not a requirement of using App auth. # # Required environment variables: # GhAppId - GitHub App client ID (from AKV) From b28cea133e74dfeeed2faa096b382530e311e00a Mon Sep 17 00:00:00 2001 From: Ramses Sanchez-Hernandez <63934382+ramsessanchez@users.noreply.github.com> Date: Fri, 10 Jul 2026 15:25:48 -0700 Subject: [PATCH 2/3] Condense comments --- .../generation-templates/language-generation-kiota.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.azure-pipelines/generation-templates/language-generation-kiota.yml b/.azure-pipelines/generation-templates/language-generation-kiota.yml index 3bd88cdb4..b8145e5a6 100644 --- a/.azure-pipelines/generation-templates/language-generation-kiota.yml +++ b/.azure-pipelines/generation-templates/language-generation-kiota.yml @@ -61,12 +61,6 @@ parameters: # needed their own separate PAT-backed one. This flag removes that PAT by reusing the # GitHub App identity (which already creates the PRs) for the push as well. # -# NOTE: repo visibility is NOT what selects this path - the SDK repos on the default path -# are public too. Visibility only affects HOW the target is read: when the repo is public -# we can clone it anonymously and avoid needing any read credential at all, leaving the -# App token needed only for the push. A private repo could still use App auth, but would -# need a read credential instead of an anonymous clone. -# # Defaults to false, which keeps the other SDK repos on their existing service-connection # checkout/push flow, unchanged. - name: useGitHubAppAuth From 9d34ff5a21ef1a74311281f71afc1e18dda81404 Mon Sep 17 00:00:00 2001 From: Ramses Sanchez-Hernandez <63934382+ramsessanchez@users.noreply.github.com> Date: Fri, 10 Jul 2026 15:29:44 -0700 Subject: [PATCH 3/3] Update comments in set-app-token-push-url.ps1 --- scripts/set-app-token-push-url.ps1 | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/set-app-token-push-url.ps1 b/scripts/set-app-token-push-url.ps1 index 5a6a4e50d..4754695f3 100644 --- a/scripts/set-app-token-push-url.ps1 +++ b/scripts/set-app-token-push-url.ps1 @@ -6,10 +6,8 @@ # App identity (the same one that opens the PRs), which removes the need for a dedicated # PAT when the repo isn't covered by the pipeline's shared service connection. # -# Only the push URL is changed; the fetch URL is left untouched. That is a deliberate -# optimization for public repos (their initial clone was anonymous, so reads never needed -# a credential) - it is not a requirement of using App auth. -# +# Only the push URL is changed; the fetch URL is left untouched (repos are public hence reads +# can be maintained as anonymous). # Required environment variables: # GhAppId - GitHub App client ID (from AKV) # GhAppKey - GitHub App private key (from AKV)