Make ado token command environment-aware for SYSTEM_ACCESSTOKEN#447
Draft
dggsax wants to merge 5 commits intoAzureAD:mainfrom
Draft
Make ado token command environment-aware for SYSTEM_ACCESSTOKEN#447dggsax wants to merge 5 commits intoAzureAD:mainfrom
dggsax wants to merge 5 commits intoAzureAD:mainfrom
Conversation
Refactor the ado token command to detect ADO Pipeline environments via the TF_BUILD env var and adjust SYSTEM_ACCESSTOKEN handling: - AZUREAUTH_ADO_PAT is always checked first (explicit user override) - In ADO Pipeline: use SYSTEM_ACCESSTOKEN if found, error if missing (interactive auth is not possible in pipelines) - Outside ADO Pipeline: warn if SYSTEM_ACCESSTOKEN is unexpectedly set, ignore it, and continue to normal AAD token auth Addresses AzureAD#422 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
dggsax
force-pushed
the
users/danigon/system-access-token-surprises
branch
from
c51cc91 to
13ae83b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses #422
Makes the
ado tokencommand environment-aware so thatSYSTEM_ACCESSTOKENis handled appropriately based on context, and adds authenticated NuGet feed configuration.Behavior
AZUREAUTH_ADO_PAT(explicit user override, always honored)SYSTEM_ACCESSTOKENChanges
nuget.config— AddedpackageSourceCredentialsfor authenticated package restore viaADO_TOKENenv varEnvVars.cs— AddedTfBuildconstant for theTF_BUILDenv varIEnvExtensions.cs— AddedIsAdoPipeline()extension method (checksTF_BUILD == "True")PatFromEnv.cs— Kept as a pure environment lookup (unchanged behavior);CommandTokennow applies environment-aware policy on top of its resultsCommandToken.cs— After callingPatFromEnv.Get(), checks the token source: ifSYSTEM_ACCESSTOKENwas found outside a pipeline, logs a warning and falls through to AAD authPatFromEnvTest.cs— Original tests preservedIEnvExtensionsTest.cs— 6 test cases forIsAdoPipeline()CommandTokenTest.cs— 5 newOnExecutetests covering all environment/token combinationsWhy
Previously, the
ado tokencommand would silently returnSYSTEM_ACCESSTOKENeven on developer machines where it was unexpectedly set, causing confusing auth behavior. This change ensures the token is only used in pipeline environments where it is expected, and provides clear feedback in all other cases.