release: cut v1.0.5 with optional token-hash logging

- add printTokenHashes input (default false)\n- gate SHA256 hash output behind input flag\n- update marketplace overview example to consume outputs clearly\n- bump task and extension versions to 1.0.5
2026-02-14 21:03:27 +01:00
parent 52a73c16b3
commit e95d7c2560
5 changed files with 35 additions and 8 deletions
--- a/task/AzureFederatedAuth/src/index.ts
+++ b/task/AzureFederatedAuth/src/index.ts
@@ -141,6 +141,7 @@ async function run(): Promise<void> {
  try {
    const endpointId = tl.getInput('serviceConnectionARM', true);
    const setGitAccessToken = tl.getBoolInput('setGitAccessToken', false);
+    const printTokenHashes = tl.getBoolInput('printTokenHashes', false);
    if (!endpointId) {
      throw new Error('Task input serviceConnectionARM is required.');
    }
@@ -154,21 +155,24 @@ async function run(): Promise<void> {
    const token = await requestOidcToken(requestUrl, accessToken);
    const metadata = getServiceConnectionMetadata(endpointId);

-    const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
-
    tl.setVariable('ARM_OIDC_TOKEN', token, true);
    tl.setVariable('ARM_TENANT_ID', metadata.tenantId);
    tl.setVariable('ARM_CLIENT_ID', metadata.clientId);

    console.log('Successfully retrieved OIDC token.');
-    console.log(`OIDC Token SHA256: ${tokenHash}`);
+    if (printTokenHashes) {
+      const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+      console.log(`OIDC Token SHA256: ${tokenHash}`);
+    }

    if (setGitAccessToken) {
      console.log('Exchanging OIDC token for Azure DevOps scoped Git access token...');
      const gitToken = await exchangeOidcForAzureDevOpsToken(metadata.tenantId, metadata.clientId, token);
-      const gitTokenHash = crypto.createHash('sha256').update(gitToken).digest('hex');
      tl.setVariable('GIT_ACCESS_TOKEN', gitToken, true);
-      console.log(`GIT Access Token SHA256: ${gitTokenHash}`);
+      if (printTokenHashes) {
+        const gitTokenHash = crypto.createHash('sha256').update(gitToken).digest('hex');
+        console.log(`GIT Access Token SHA256: ${gitTokenHash}`);
+      }
    }

    tl.setResult(tl.TaskResult.Succeeded, 'ARM OIDC variables configured.');
--- a/task/AzureFederatedAuth/task.json
+++ b/task/AzureFederatedAuth/task.json
@@ -10,7 +10,7 @@
  "version": {
    "Major": 1,
    "Minor": 0,
-    "Patch": 4
+    "Patch": 5
  },
  "instanceNameFormat": "Configure federated auth: $(serviceConnectionARM)",
  "inputs": [
@@ -29,6 +29,14 @@
      "defaultValue": "false",
      "required": false,
      "helpMarkDown": "Exchange OIDC for Azure DevOps scope and set secret GIT_ACCESS_TOKEN."
+    },
+    {
+      "name": "printTokenHashes",
+      "type": "boolean",
+      "label": "Print SHA256 token hashes to logs",
+      "defaultValue": "false",
+      "required": false,
+      "helpMarkDown": "When enabled, prints SHA256 hashes of ARM_OIDC_TOKEN and GIT_ACCESS_TOKEN (if requested)."
    }
  ],
  "execution": {