release: cut v1.0.5 with optional token-hash logging
- add printTokenHashes input (default false)
- gate SHA256 hash output behind input flag
- update marketplace overview example to consume outputs clearly
- bump task and extension versions to 1.0.5
@@ -39,7 +39,7 @@ AZDO_PAT='<your-pat>' ./scripts/publish.sh <vsix-path> <publisher-id> <org1> <or
|
|||||||
Example:
|
Example:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
AZDO_PAT="$AZDO_PAT" ./scripts/publish.sh ./build/skoszewski-lab.azuredevops-get-oidc-token-task-1.0.3.vsix skoszewski-lab org-a org-b org-c
|
AZDO_PAT="$AZDO_PAT" ./scripts/publish.sh ./build/skoszewski-lab.azuredevops-get-oidc-token-task-1.0.5.vsix skoszewski-lab org-a org-b org-c
|
||||||
```
|
```
|
||||||
|
|
||||||
### Manual publish (Web UI)
|
### Manual publish (Web UI)
|
||||||
@@ -58,6 +58,7 @@ You can publish the generated `.vsix` manually in the Visual Studio Marketplace
|
|||||||
inputs:
|
inputs:
|
||||||
serviceConnectionARM: 'my-arm-service-connection'
|
serviceConnectionARM: 'my-arm-service-connection'
|
||||||
setGitAccessToken: true
|
setGitAccessToken: true
|
||||||
|
printTokenHashes: false
|
||||||
```
|
```
|
||||||
|
|
||||||
See `examples/azure-pipelines-smoke.yml` for a full smoke validation pipeline.
|
See `examples/azure-pipelines-smoke.yml` for a full smoke validation pipeline.
|
||||||
|
|||||||
14
overview.md
14
overview.md
@@ -15,6 +15,7 @@ It is designed for pipelines that need ARM federation variables without storing
|
|||||||
|
|
||||||
- `serviceConnectionARM` (required): Azure Resource Manager service connection
|
- `serviceConnectionARM` (required): Azure Resource Manager service connection
|
||||||
- `setGitAccessToken` (optional): exchanges OIDC assertion for Azure DevOps scope and sets `GIT_ACCESS_TOKEN`
|
- `setGitAccessToken` (optional): exchanges OIDC assertion for Azure DevOps scope and sets `GIT_ACCESS_TOKEN`
|
||||||
|
- `printTokenHashes` (optional, default `false`): prints SHA256 token hashes in logs
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
@@ -29,6 +30,19 @@ It is designed for pipelines that need ARM federation variables without storing
|
|||||||
inputs:
|
inputs:
|
||||||
serviceConnectionARM: 'my-arm-service-connection'
|
serviceConnectionARM: 'my-arm-service-connection'
|
||||||
setGitAccessToken: true
|
setGitAccessToken: true
|
||||||
|
printTokenHashes: false
|
||||||
|
|
||||||
|
- bash: |
|
||||||
|
echo "Tenant: $ARM_TENANT_ID"
|
||||||
|
if [[ ! "$ARM_CLIENT_ID" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$ ]]; then
|
||||||
|
echo "ARM_CLIENT_ID is missing or not a GUID"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
test -n "${ARM_OIDC_TOKEN:-}" && echo "ARM_OIDC_TOKEN is set and not empty"
|
||||||
|
test -n "${GIT_ACCESS_TOKEN:-}" && echo "GIT_ACCESS_TOKEN is set and not empty"
|
||||||
|
env:
|
||||||
|
ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN)
|
||||||
|
GIT_ACCESS_TOKEN: $(GIT_ACCESS_TOKEN)
|
||||||
```
|
```
|
||||||
|
|
||||||
## Repository
|
## Repository
|
||||||
|
|||||||
@@ -141,6 +141,7 @@ async function run(): Promise<void> {
|
|||||||
try {
|
try {
|
||||||
const endpointId = tl.getInput('serviceConnectionARM', true);
|
const endpointId = tl.getInput('serviceConnectionARM', true);
|
||||||
const setGitAccessToken = tl.getBoolInput('setGitAccessToken', false);
|
const setGitAccessToken = tl.getBoolInput('setGitAccessToken', false);
|
||||||
|
const printTokenHashes = tl.getBoolInput('printTokenHashes', false);
|
||||||
if (!endpointId) {
|
if (!endpointId) {
|
||||||
throw new Error('Task input serviceConnectionARM is required.');
|
throw new Error('Task input serviceConnectionARM is required.');
|
||||||
}
|
}
|
||||||
@@ -154,22 +155,25 @@ async function run(): Promise<void> {
|
|||||||
const token = await requestOidcToken(requestUrl, accessToken);
|
const token = await requestOidcToken(requestUrl, accessToken);
|
||||||
const metadata = getServiceConnectionMetadata(endpointId);
|
const metadata = getServiceConnectionMetadata(endpointId);
|
||||||
|
|
||||||
const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
|
|
||||||
|
|
||||||
tl.setVariable('ARM_OIDC_TOKEN', token, true);
|
tl.setVariable('ARM_OIDC_TOKEN', token, true);
|
||||||
tl.setVariable('ARM_TENANT_ID', metadata.tenantId);
|
tl.setVariable('ARM_TENANT_ID', metadata.tenantId);
|
||||||
tl.setVariable('ARM_CLIENT_ID', metadata.clientId);
|
tl.setVariable('ARM_CLIENT_ID', metadata.clientId);
|
||||||
|
|
||||||
console.log('Successfully retrieved OIDC token.');
|
console.log('Successfully retrieved OIDC token.');
|
||||||
|
if (printTokenHashes) {
|
||||||
|
const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
|
||||||
console.log(`OIDC Token SHA256: ${tokenHash}`);
|
console.log(`OIDC Token SHA256: ${tokenHash}`);
|
||||||
|
}
|
||||||
|
|
||||||
if (setGitAccessToken) {
|
if (setGitAccessToken) {
|
||||||
console.log('Exchanging OIDC token for Azure DevOps scoped Git access token...');
|
console.log('Exchanging OIDC token for Azure DevOps scoped Git access token...');
|
||||||
const gitToken = await exchangeOidcForAzureDevOpsToken(metadata.tenantId, metadata.clientId, token);
|
const gitToken = await exchangeOidcForAzureDevOpsToken(metadata.tenantId, metadata.clientId, token);
|
||||||
const gitTokenHash = crypto.createHash('sha256').update(gitToken).digest('hex');
|
|
||||||
tl.setVariable('GIT_ACCESS_TOKEN', gitToken, true);
|
tl.setVariable('GIT_ACCESS_TOKEN', gitToken, true);
|
||||||
|
if (printTokenHashes) {
|
||||||
|
const gitTokenHash = crypto.createHash('sha256').update(gitToken).digest('hex');
|
||||||
console.log(`GIT Access Token SHA256: ${gitTokenHash}`);
|
console.log(`GIT Access Token SHA256: ${gitTokenHash}`);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
tl.setResult(tl.TaskResult.Succeeded, 'ARM OIDC variables configured.');
|
tl.setResult(tl.TaskResult.Succeeded, 'ARM OIDC variables configured.');
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
|
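Review bot: The new `if (printTokenHashes)` branches write an unsalted SHA256 of a bearer token to the build log without a comment saying why that is acceptable, and the digest is only passed to `console.log`, never registered as a secret the way `ARM_OIDC_TOKEN` and `GIT_ACCESS_TOKEN` are, so it appears to land in retained logs in the clear. An unsalted digest is a stable fingerprint: anyone holding a candidate token can confirm it is the one this run used and the value can be correlated across pipelines; it does not reveal the token itself only because these tokens are presumably high-entropy JWTs. I would state that intent at the first hash, e.g. `// Unsalted SHA256 of the token: a run-correlation fingerprint, not a secret. Safe to log only because the token is high-entropy; never log the token itself.`, and consider printing a prefix such as `tokenHash.slice(0, 16)` since a full digest adds nothing for correlation. The enclosing `run()` starts before and ends after this hunk.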
|||||||
@@ -10,7 +10,7 @@
|
|||||||
"version": {
|
"version": {
|
||||||
"Major": 1,
|
"Major": 1,
|
||||||
"Minor": 0,
|
"Minor": 0,
|
||||||
"Patch": 4
|
"Patch": 5
|
||||||
},
|
},
|
||||||
"instanceNameFormat": "Configure federated auth: $(serviceConnectionARM)",
|
"instanceNameFormat": "Configure federated auth: $(serviceConnectionARM)",
|
||||||
"inputs": [
|
"inputs": [
|
||||||
@@ -29,6 +29,14 @@
|
|||||||
"defaultValue": "false",
|
"defaultValue": "false",
|
||||||
"required": false,
|
"required": false,
|
||||||
"helpMarkDown": "Exchange OIDC for Azure DevOps scope and set secret GIT_ACCESS_TOKEN."
|
"helpMarkDown": "Exchange OIDC for Azure DevOps scope and set secret GIT_ACCESS_TOKEN."
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "printTokenHashes",
|
||||||
|
"type": "boolean",
|
||||||
|
"label": "Print SHA256 token hashes to logs",
|
||||||
|
"defaultValue": "false",
|
||||||
|
"required": false,
|
||||||
|
"helpMarkDown": "When enabled, prints SHA256 hashes of ARM_OIDC_TOKEN and GIT_ACCESS_TOKEN (if requested)."
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"execution": {
|
"execution": {
|
||||||
|
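Review bot: The `helpMarkDown` for the new `printTokenHashes` input at the bottom of the hunk does not say what the output is for or that the digests are written to the task log unmasked, which is the one thing someone toggling a token-related switch needs to know before enabling it. I would expand it to `"helpMarkDown": "When enabled, prints unsalted SHA256 hashes of ARM_OIDC_TOKEN and GIT_ACCESS_TOKEN (if requested) to the task log, for correlating runs while troubleshooting. The hashes are not masked as secrets; leave disabled unless needed."`. The `label` could likewise read `Print SHA256 token hashes to logs (troubleshooting only)`.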
|||||||
@@ -2,7 +2,7 @@
|
|||||||
"manifestVersion": 1,
|
"manifestVersion": 1,
|
||||||
"id": "azuredevops-get-oidc-token-task",
|
"id": "azuredevops-get-oidc-token-task",
|
||||||
"name": "Azure DevOps AzureFederatedAuth Task",
|
"name": "Azure DevOps AzureFederatedAuth Task",
|
||||||
"version": "1.0.4",
|
"version": "1.0.5",
|
||||||
"publisher": "skoszewski-lab",
|
"publisher": "skoszewski-lab",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
|
|||||||