release: cut v1.0.5 with optional token-hash logging

- add printTokenHashes input (default false)\n- gate SHA256 hash output behind input flag\n- update marketplace overview example to consume outputs clearly\n- bump task and extension versions to 1.0.5
2026-02-14 21:03:27 +01:00
parent 52a73c16b3
commit e95d7c2560
5 changed files with 35 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ AZDO_PAT='<your-pat>' ./scripts/publish.sh <vsix-path> <publisher-id> <org1> <or
 Example:

 ```bash
-AZDO_PAT="$AZDO_PAT" ./scripts/publish.sh ./build/skoszewski-lab.azuredevops-get-oidc-token-task-1.0.3.vsix skoszewski-lab org-a org-b org-c
+AZDO_PAT="$AZDO_PAT" ./scripts/publish.sh ./build/skoszewski-lab.azuredevops-get-oidc-token-task-1.0.5.vsix skoszewski-lab org-a org-b org-c
 ```

 ### Manual publish (Web UI)
@@ -58,6 +58,7 @@ You can publish the generated `.vsix` manually in the Visual Studio Marketplace
  inputs:
    serviceConnectionARM: 'my-arm-service-connection'
    setGitAccessToken: true
+    printTokenHashes: false
 ```

 See `examples/azure-pipelines-smoke.yml` for a full smoke validation pipeline.
--- a/overview.md
+++ b/overview.md
@@ -15,6 +15,7 @@ It is designed for pipelines that need ARM federation variables without storing

 - `serviceConnectionARM` (required): Azure Resource Manager service connection
 - `setGitAccessToken` (optional): exchanges OIDC assertion for Azure DevOps scope and sets `GIT_ACCESS_TOKEN`
+- `printTokenHashes` (optional, default `false`): prints SHA256 token hashes in logs

 ## Prerequisites

@@ -29,6 +30,19 @@ It is designed for pipelines that need ARM federation variables without storing
  inputs:
    serviceConnectionARM: 'my-arm-service-connection'
    setGitAccessToken: true
+    printTokenHashes: false
+
+- bash: |
+    echo "Tenant: $ARM_TENANT_ID"
+    if [[ ! "$ARM_CLIENT_ID" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$ ]]; then
+      echo "ARM_CLIENT_ID is missing or not a GUID"
+      exit 1
+    fi
+    test -n "${ARM_OIDC_TOKEN:-}" && echo "ARM_OIDC_TOKEN is set and not empty"
+    test -n "${GIT_ACCESS_TOKEN:-}" && echo "GIT_ACCESS_TOKEN is set and not empty"
+  env:
+    ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN)
+    GIT_ACCESS_TOKEN: $(GIT_ACCESS_TOKEN)
 ```

 ## Repository
--- a/task/AzureFederatedAuth/src/index.ts
+++ b/task/AzureFederatedAuth/src/index.ts
@@ -141,6 +141,7 @@ async function run(): Promise<void> {
  try {
    const endpointId = tl.getInput('serviceConnectionARM', true);
    const setGitAccessToken = tl.getBoolInput('setGitAccessToken', false);
+    const printTokenHashes = tl.getBoolInput('printTokenHashes', false);
    if (!endpointId) {
      throw new Error('Task input serviceConnectionARM is required.');
    }
@@ -154,21 +155,24 @@ async function run(): Promise<void> {
    const token = await requestOidcToken(requestUrl, accessToken);
    const metadata = getServiceConnectionMetadata(endpointId);

-    const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
-
    tl.setVariable('ARM_OIDC_TOKEN', token, true);
    tl.setVariable('ARM_TENANT_ID', metadata.tenantId);
    tl.setVariable('ARM_CLIENT_ID', metadata.clientId);

    console.log('Successfully retrieved OIDC token.');
-    console.log(`OIDC Token SHA256: ${tokenHash}`);
+    if (printTokenHashes) {
+      const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+      console.log(`OIDC Token SHA256: ${tokenHash}`);
+    }

    if (setGitAccessToken) {
      console.log('Exchanging OIDC token for Azure DevOps scoped Git access token...');
      const gitToken = await exchangeOidcForAzureDevOpsToken(metadata.tenantId, metadata.clientId, token);
-      const gitTokenHash = crypto.createHash('sha256').update(gitToken).digest('hex');
      tl.setVariable('GIT_ACCESS_TOKEN', gitToken, true);
-      console.log(`GIT Access Token SHA256: ${gitTokenHash}`);
+      if (printTokenHashes) {
+        const gitTokenHash = crypto.createHash('sha256').update(gitToken).digest('hex');
+        console.log(`GIT Access Token SHA256: ${gitTokenHash}`);
+      }
    }

    tl.setResult(tl.TaskResult.Succeeded, 'ARM OIDC variables configured.');
--- a/task/AzureFederatedAuth/task.json
+++ b/task/AzureFederatedAuth/task.json
@@ -10,7 +10,7 @@
  "version": {
    "Major": 1,
    "Minor": 0,
-    "Patch": 4
+    "Patch": 5
  },
  "instanceNameFormat": "Configure federated auth: $(serviceConnectionARM)",
  "inputs": [
@@ -29,6 +29,14 @@
      "defaultValue": "false",
      "required": false,
      "helpMarkDown": "Exchange OIDC for Azure DevOps scope and set secret GIT_ACCESS_TOKEN."
+    },
+    {
+      "name": "printTokenHashes",
+      "type": "boolean",
+      "label": "Print SHA256 token hashes to logs",
+      "defaultValue": "false",
+      "required": false,
+      "helpMarkDown": "When enabled, prints SHA256 hashes of ARM_OIDC_TOKEN and GIT_ACCESS_TOKEN (if requested)."
    }
  ],
  "execution": {
--- a/vss-extension.json
+++ b/vss-extension.json
@@ -2,7 +2,7 @@
  "manifestVersion": 1,
  "id": "azuredevops-get-oidc-token-task",
  "name": "Azure DevOps AzureFederatedAuth Task",
-  "version": "1.0.4",
+  "version": "1.0.5",
  "publisher": "skoszewski-lab",
  "targets": [
    {