The git checkout credential emitted by emit-github-vars-and-tag-build is generated by AzDO with limited scope (git operations only), which causes a 403 when used to create GitHub releases via the REST API. The 1ES pipeline template injects a properly-scoped GITHUB_TOKEN into the job environment via its 'Get GitHub Token' step; removing the env override lets that token be used instead. Also normalize raw bearer tokens (no space) to `token <value>` format in GitHubClient, so the code handles both the old `basic <base64>` format and a plain installation token interchangeably. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Adjusts the SPFx publishing pipeline and repo-toolbox GitHub client behavior so GitHub releases are created using the properly-scoped 1ES-provided GITHUB_TOKEN (instead of the AzDO git checkout credential that cannot create releases).
Changes:
- Stop overriding `GITHUB_TOKEN` in `spfx-esrp-publish.yaml` so the 1ES-injected token is used for release creation.
- Update `GitHubClient` to accept either a full `Authorization` header value or a raw token (auto-prefixing raw tokens).
- Refresh CLI help text/snapshots to reflect the updated token semantics.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tools/repo-toolbox/src/utilities/GitHubClient.ts | Normalizes auth input so raw tokens are converted into an Authorization header value for Octokit requests. |
| tools/repo-toolbox/src/cli/actions/CreateGitHubReleasesAction.ts | Updates --github-token parameter description to reflect that raw tokens are accepted. |
| tools/repo-toolbox/src/cli/test/snapshots/CommandLineHelp.test.ts.snap | Updates snapshot output for the revised help text. |
| common/config/azure-pipelines/spfx-esrp-publish.yaml | Removes the GITHUB_TOKEN override and unused GitHubToken variable mapping to allow 1ES token usage. |
Without a checkout, the 1ES PT 'Get GitHub Token' step has no repo context and does not inject GITHUB_TOKEN into the job environment. A fetchDepth: 1 checkout is sufficient to provide that context while minimizing overhead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pushed a follow-up commit: the
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
- emit-github-vars: emits GitHubRepoSlug and GitHubToken. Reads GITHUB_TOKEN from the 1ES PT environment (normalizing raw tokens to a full Authorization header value) with a fallback to the git checkout extraheader. - tag-build: emits BumpSha and tags the AzDO build. Only called from the bump-versions pipeline, not the publish pipeline. Introduces GitHubTokenActionBase as a shared base class for actions that need a GitHub token via the GITHUB_TOKEN environment variable. The publish pipeline now gets GitHubToken from emit-github-vars (which uses the 1ES PT token), eliminating the need for a shallow checkout in the Tag stage to trigger token injection. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
GitHub App installation tokens (ghs_xxx) require "Authorization: token ghs_xxx" and do not support the legacy "Authorization: basic base64(x-access-token:ghs_xxx)" format that git checkout extraheaders use. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… a normalized token Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Description
Fixes 403 "Resource not accessible by integration" errors when creating GitHub releases.
Root cause: Git checkout extraheaders store credentials as `Authorization: basic base64(x-access-token:ghs_xxx)`. This format is legacy Basic auth and is not supported for GitHub App installation tokens (ghs_xxx) — they require `Authorization: token ghs_xxx`. OAuth tokens happen to support both formats, which is why earlier runs with OAuth tokens succeeded.

Fix: `getGitAuthorizationHeaderAsync` now normalizes the value it returns via `normalizeGitHubAuthorizationHeader`, which decodes Basic auth credentials and re-emits them as `token <value>`. This means all callers — `EmitGitHubVarsAction` (which re-emits the token as the `GitHubToken` pipeline variable) and `GitHubClient` (which sets the header on every Octokit request) — automatically receive a properly-formatted token.

Also in this PR:
- Split `emit-github-vars-and-tag-build` into two actions (`emit-github-vars` and `tag-build`) so the release creation job no longer needs a git checkout just to get the token, and the release pipeline isn't tagged as a build
- `GitHubTokenActionBase` base class for actions that accept a `--github-token`/`GITHUB_TOKEN` parameter
- `##vso[task.logissue type=error]`-formatted error logging for GitHub API failures to aid future debugging
- Tests for `normalizeGitHubAuthorizationHeader`, including an idempotency test

How was this tested
Multiple pipeline runs confirmed the 403 behavior. Build 12427 confirmed releases can be successfully created with the corrected token format.
Type of change
`templates/` and `examples/`)
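The header normalization the description above refers to, as an added example: this is my own reconstruction in TypeScript, not the repo-toolbox `normalizeGitHubAuthorizationHeader` implementation. It assumes the three input shapes the thread discusses (a raw `ghs_...` installation token, an existing `token <value>` header, and the git extraheader form `basic base64(x-access-token:<token>)`), assumes the Basic username is always `x-access-token` as git checkout extraheaders use, and rejects anything else rather than passing an unknown credential through to the API. The sample token `ghs_EXAMPLE` is constructed.

```typescript
import { Buffer } from 'buffer';

// Added example, not repo-toolbox code. Username that git checkout
// extraheaders place in the Basic credential (assumption taken from the PR).
const EXTRAHEADER_USERNAME = 'x-access-token';

/**
 * Returns an Authorization header value of the form "token <value>" for any
 * of the credential shapes discussed in the PR. Idempotent: feeding the
 * output back in yields the same string.
 */
export function normalizeGitHubAuthorizationHeader(input: string): string {
  const value = input.trim();
  if (value.length === 0) {
    throw new Error('GitHub authorization value is empty');
  }

  const spaceIndex = value.indexOf(' ');
  if (spaceIndex < 0) {
    // No scheme at all: a raw installation token such as "ghs_...".
    // GitHub App installation tokens require the "token" scheme.
    return `token ${value}`;
  }

  const scheme = value.slice(0, spaceIndex).toLowerCase();
  const credential = value.slice(spaceIndex + 1).trim();
  if (credential.length === 0) {
    throw new Error(`Authorization scheme "${scheme}" has no credential`);
  }

  switch (scheme) {
    case 'token':
      // Already in the required form; re-emit so the function is idempotent.
      return `token ${credential}`;
    case 'basic': {
      // Legacy git extraheader form: base64("x-access-token:<token>").
      // Decode and re-emit the password part with the "token" scheme.
      const decoded = Buffer.from(credential, 'base64').toString('utf8');
      const colonIndex = decoded.indexOf(':');
      if (colonIndex < 0) {
        throw new Error('Basic credential does not decode to "user:password"');
      }
      const username = decoded.slice(0, colonIndex);
      const password = decoded.slice(colonIndex + 1);
      if (username !== EXTRAHEADER_USERNAME || password.length === 0) {
        throw new Error(`Unsupported Basic credential for user "${username}"`);
      }
      return `token ${password}`;
    }
    default:
      // Refuse unknown schemes instead of forwarding them to the REST API.
      throw new Error(`Unsupported authorization scheme "${scheme}"`);
  }
}

/** Builds the git extraheader form for a token; used only to construct sample input. */
export function toGitExtraheaderValue(token: string): string {
  const basic = Buffer.from(`${EXTRAHEADER_USERNAME}:${token}`, 'utf8').toString('base64');
  return `basic ${basic}`;
}

// Constructed sample run: all three shapes normalize to the same header value.
const sampleToken = 'ghs_EXAMPLE'; // constructed placeholder, not a real token
for (const candidate of [sampleToken, `token ${sampleToken}`, toGitExtraheaderValue(sampleToken)]) {
  console.log(`${candidate.slice(0, 12)}... -> ${normalizeGitHubAuthorizationHeader(candidate)}`);
}
```

The idempotency property is what lets `getGitAuthorizationHeaderAsync`, `EmitGitHubVarsAction` and `GitHubClient` each normalize defensively without worrying about double-prefixing; the check in the `basic` branch that the decoded username is `x-access-token` keeps the function from silently turning an unrelated Basic credential into a bearer-style header.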