From e95d7c2560302d2f38b7d24895147c2b6eb5443e Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski <slawek@koszewscy.waw.pl>
Date: Sat, 14 Feb 2026 21:03:27 +0100
Subject: [PATCH] release: cut v1.0.5 with optional token-hash logging

- add printTokenHashes input (default false)\n- gate SHA256 hash output behind input flag\n- update marketplace overview example to consume outputs clearly\n- bump task and extension versions to 1.0.5
---
 README.md                            |  3 ++-
 overview.md                          | 14 ++++++++++++++
 task/AzureFederatedAuth/src/index.ts | 14 +++++++++-----
 task/AzureFederatedAuth/task.json    | 10 +++++++++-
 vss-extension.json                   |  2 +-
 5 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 3c97d59..43d8d80 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ AZDO_PAT='<your-pat>' ./scripts/publish.sh <vsix-path> <publisher-id> <org1> <or
 Example:
 
 ```bash
-AZDO_PAT="$AZDO_PAT" ./scripts/publish.sh ./build/skoszewski-lab.azuredevops-get-oidc-token-task-1.0.3.vsix skoszewski-lab org-a org-b org-c
+AZDO_PAT="$AZDO_PAT" ./scripts/publish.sh ./build/skoszewski-lab.azuredevops-get-oidc-token-task-1.0.5.vsix skoszewski-lab org-a org-b org-c
 ```
 
 ### Manual publish (Web UI)
@@ -58,6 +58,7 @@ You can publish the generated `.vsix` manually in the Visual Studio Marketplace
   inputs:
     serviceConnectionARM: 'my-arm-service-connection'
     setGitAccessToken: true
+    printTokenHashes: false
 ```
 
 See `examples/azure-pipelines-smoke.yml` for a full smoke validation pipeline.
diff --git a/overview.md b/overview.md
index 1baa38d..48f2710 100644
--- a/overview.md
+++ b/overview.md
@@ -15,6 +15,7 @@ It is designed for pipelines that need ARM federation variables without storing
 
 - `serviceConnectionARM` (required): Azure Resource Manager service connection
 - `setGitAccessToken` (optional): exchanges OIDC assertion for Azure DevOps scope and sets `GIT_ACCESS_TOKEN`
+- `printTokenHashes` (optional, default `false`): prints SHA256 token hashes in logs
 
 ## Prerequisites
 
@@ -29,6 +30,19 @@ It is designed for pipelines that need ARM federation variables without storing
   inputs:
     serviceConnectionARM: 'my-arm-service-connection'
     setGitAccessToken: true
+    printTokenHashes: false
+
+- bash: |
+    echo "Tenant: $ARM_TENANT_ID"
+    if [[ ! "$ARM_CLIENT_ID" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$ ]]; then
+      echo "ARM_CLIENT_ID is missing or not a GUID"
+      exit 1
+    fi
+    test -n "${ARM_OIDC_TOKEN:-}" && echo "ARM_OIDC_TOKEN is set and not empty"
+    test -n "${GIT_ACCESS_TOKEN:-}" && echo "GIT_ACCESS_TOKEN is set and not empty"
+  env:
+    ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN)
+    GIT_ACCESS_TOKEN: $(GIT_ACCESS_TOKEN)
 ```
 
 ## Repository
diff --git a/task/AzureFederatedAuth/src/index.ts b/task/AzureFederatedAuth/src/index.ts
index 4393835..f5a4094 100644
--- a/task/AzureFederatedAuth/src/index.ts
+++ b/task/AzureFederatedAuth/src/index.ts
@@ -141,6 +141,7 @@ async function run(): Promise<void> {
   try {
     const endpointId = tl.getInput('serviceConnectionARM', true);
     const setGitAccessToken = tl.getBoolInput('setGitAccessToken', false);
+    const printTokenHashes = tl.getBoolInput('printTokenHashes', false);
     if (!endpointId) {
       throw new Error('Task input serviceConnectionARM is required.');
     }
@@ -154,21 +155,24 @@ async function run(): Promise<void> {
     const token = await requestOidcToken(requestUrl, accessToken);
     const metadata = getServiceConnectionMetadata(endpointId);
 
-    const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
-
     tl.setVariable('ARM_OIDC_TOKEN', token, true);
     tl.setVariable('ARM_TENANT_ID', metadata.tenantId);
     tl.setVariable('ARM_CLIENT_ID', metadata.clientId);
 
     console.log('Successfully retrieved OIDC token.');
-    console.log(`OIDC Token SHA256: ${tokenHash}`);
+    if (printTokenHashes) {
+      const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+      console.log(`OIDC Token SHA256: ${tokenHash}`);
+    }
 
     if (setGitAccessToken) {
       console.log('Exchanging OIDC token for Azure DevOps scoped Git access token...');
       const gitToken = await exchangeOidcForAzureDevOpsToken(metadata.tenantId, metadata.clientId, token);
-      const gitTokenHash = crypto.createHash('sha256').update(gitToken).digest('hex');
       tl.setVariable('GIT_ACCESS_TOKEN', gitToken, true);
-      console.log(`GIT Access Token SHA256: ${gitTokenHash}`);
+      if (printTokenHashes) {
+        const gitTokenHash = crypto.createHash('sha256').update(gitToken).digest('hex');
+        console.log(`GIT Access Token SHA256: ${gitTokenHash}`);
+      }
     }
 
     tl.setResult(tl.TaskResult.Succeeded, 'ARM OIDC variables configured.');
diff --git a/task/AzureFederatedAuth/task.json b/task/AzureFederatedAuth/task.json
index 260d720..b54daaf 100644
--- a/task/AzureFederatedAuth/task.json
+++ b/task/AzureFederatedAuth/task.json
@@ -10,7 +10,7 @@
   "version": {
     "Major": 1,
     "Minor": 0,
-    "Patch": 4
+    "Patch": 5
   },
   "instanceNameFormat": "Configure federated auth: $(serviceConnectionARM)",
   "inputs": [
@@ -29,6 +29,14 @@
       "defaultValue": "false",
       "required": false,
       "helpMarkDown": "Exchange OIDC for Azure DevOps scope and set secret GIT_ACCESS_TOKEN."
+    },
+    {
+      "name": "printTokenHashes",
+      "type": "boolean",
+      "label": "Print SHA256 token hashes to logs",
+      "defaultValue": "false",
+      "required": false,
+      "helpMarkDown": "When enabled, prints SHA256 hashes of ARM_OIDC_TOKEN and GIT_ACCESS_TOKEN (if requested)."
     }
   ],
   "execution": {
diff --git a/vss-extension.json b/vss-extension.json
index 82ef04e..25ac539 100644
--- a/vss-extension.json
+++ b/vss-extension.json
@@ -2,7 +2,7 @@
   "manifestVersion": 1,
   "id": "azuredevops-get-oidc-token-task",
   "name": "Azure DevOps AzureFederatedAuth Task",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "publisher": "skoszewski-lab",
   "targets": [
     {