Switch from bot PAT to GitHub App token via Azure Key Vault#63538
Open
jakebailey wants to merge 3 commits into
Open
Switch from bot PAT to GitHub App token via Azure Key Vault#63538jakebailey wants to merge 3 commits into
jakebailey wants to merge 3 commits into
Conversation
typescript-bot
added
Author: Team
For Uncommitted Bug
jakebailey
force-pushed
the
github-app-keyvault-auth
branch
from
4894981 to
3cededd
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates several GitHub Actions workflows to stop using the TS_BOT_GITHUB_TOKEN secret (PAT) and instead mint a short-lived GitHub App token via Azure Key Vault using GitHub OIDC (id-token: write) and azure/login.
Changes:
- Add OIDC permissions (
id-token: write) and bind jobs to theazureenvironment to support Azure federated authentication. - Disable persisted checkout credentials (
persist-credentials: false) and push using a GitHub App token configured via anhttp.https://github.com/.extraheader. - Replace workflow consumers of
secrets.TS_BOT_GITHUB_TOKENwithmicrosoft/create-github-app-token-via-key-vaultoutputs.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/update-package-lock.yaml | Push package-lock.json updates using a Key Vault–minted GitHub App token instead of a PAT. |
| .github/workflows/twoslash-repros.yaml | Run Twoslash repro automation using a GitHub App token minted via Azure Key Vault. |
| .github/workflows/sync-wiki.yml | Sync wiki repos using OIDC→Azure→Key Vault to mint an App token (and configure git auth header). |
| .github/workflows/sync-branch.yaml | Use App token auth for sync/push and for posting workflow result comments. |
| .github/workflows/set-version.yaml | Use App token auth for version bump pushes and workflow result comments. |
| .github/workflows/pr-modified-files.yml | Use App token auth (minted via Key Vault) for PR management automation triggered by pull_request_target. |
| .github/workflows/new-release-branch.yaml | Use App token auth for creating/pushing release branches and posting workflow results. |
| .github/workflows/lkg.yml | Use App token auth for LKG update pushes. |
| .github/workflows/create-cherry-pick-pr.yml | Use App token auth for cherry-pick PR creation and status reporting. |
| .github/workflows/close-issues.yml | Use App token auth (minted via Key Vault) for scheduled issue-closing automation. |
| .github/workflows/accept-baselines-fix-lints.yaml | Use App token auth for pushing baseline/lint/format fixes. |
| deployment: false | ||
| if: github.repository == 'microsoft/TypeScript' | ||
|
|
||
| # No need to set explicit permissions; we are using typescript-bot's token, not github-actions' token. |
| key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }} | ||
| owner: microsoft | ||
| repositories: TypeScript | ||
| permission-contents: write |
Comment on lines
+47
to
+49
| permission-contents: write | ||
| permission-issues: write | ||
| permission-pull-requests: write |
Comment on lines
+57
to
+59
| permission-contents: write | ||
| permission-issues: write | ||
| permission-pull-requests: write |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.