fix: should run step no longer needs PAT token #516
adrianignat13 wants to merge 4 commits into develop from
Conversation
Replacement for the GitHub API label check. It always sets BuildShouldRun=true because path-based triggers already ensure the pipeline only runs on relevant changes. No GithubAuthToken needed.
aeb3f77 to 2584bed
Pull request overview
This PR updates the Cryptography Azure DevOps pipeline to remove the “should run” GitHub label/API check (and associated PAT requirement) by switching to local templates and relying on existing path-based triggers.
Changes:
- Switch Activities/Cryptography/azure-pipelines.yml to use a new local stage.start.yml template instead of @common.
- Add local pipeline templates (stage.start.yml, stage.shouldrun.yml) implementing a token-free “should run” flow.
- Update .gitignore to ignore several local/agent workspace folders.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Activities/Cryptography/azure-pipelines.yml | Uses local stage template and adds a pre-test .NET 6 SDK install step. |
| Activities/.pipelines/templates/stage.start.yml | New local stage template that wires build/test/sonar stages and a local should-run job. |
| Activities/.pipelines/templates/stage.shouldrun.yml | New local should-run job that always sets BuildShouldRun=true without GitHub API access. |
| .gitignore | Ignores additional local/agent working directories. |
| preTestRun: | ||
| - ${{ parameters.preTestRun }} | ||
| postTestRun: | ||
| - ${{ parameters.postTestRun }} |
preTestRun/postTestRun are also passed as a nested list (`preTestRun:` followed by `- ${{ parameters.preTestRun }}`), which will break stepList expansion in the downstream test template. Pass the list directly (or expand with `each`) so the final YAML contains a flat sequence of steps.
| variables: | ||
| RunAnalysis: 'false' |
The PublishSonar stage condition depends on variables['RunAnalysis'] == 'true', but this stage defines RunAnalysis: 'false' locally and there is no code in this template that can flip it to true before the stage condition is evaluated. As written, PublishSonar will never run; either remove this stage, or source RunAnalysis from a pipeline/global variable (don’t override it at stage scope), or base the condition on an output variable from an earlier stage/job.
| variables: | |
| RunAnalysis: 'false' |
| # Local should-run check — no GitHub API token needed | ||
| - template: stage.shouldrun.yml | ||
| parameters: | ||
| projectName: ${{ parameters.projectName }} | ||
| tagName: ${{ parameters.tagName }} | ||
|
|
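Review bot: the in-file comment says no GitHub API token is needed, and that holds for the template reference itself, because `stage.shouldrun.yml` is given as a bare relative path and is therefore resolved from this repository rather than from a remote `@common` resource; to make the PAT removal complete, the calling pipeline should also drop the now-unused `GithubAuthToken` parameter (and whatever secret backed it) rather than leaving it declared, so the credential is no longer injected into jobs that never use it.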
DetermineShouldRun currently always sets $shouldRun = $true, so the extra job and the BuildShouldRun-based conditions don’t provide any functional gating but do add time/complexity to every run. If the intent is to always run (as the PR description states), consider removing the should-run job and simplifying the Test/PublishSonar conditions accordingly.
| parameters: | ||
| projectName: '' | ||
| tagName: '' | ||
|
|
projectName and tagName parameters are declared but not used anywhere in this template. Consider removing them (or using them in log output) to avoid implying they affect behavior.
| preBuild: | ||
| - ${{ parameters.preBuild }} | ||
| postBuild: | ||
| - ${{ parameters.postBuild }} |
preBuild/postBuild are being passed as a nested list (`preBuild:` followed by `- ${{ parameters.preBuild }}`), which will produce an invalid stepList (or a list containing a list) when the child template expects a flat step list. Pass the stepList directly (or use an `each` expansion) so the resulting YAML is a flat list of steps.