From 118e598e3ed65d80014a1835dd4d177e464ea024 Mon Sep 17 00:00:00 2001 From: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Date: Fri, 21 Jan 2022 15:19:23 -0800 Subject: [PATCH] Sync eng/common directory with azure-sdk-tools for PR 2596 (#3267) - Fix bug in Add-ReleaseLease helper script - Enable better local logging for handling token - Enable strict mode to help catch issues like this in the future --- .../pipelines/templates/steps/retain-run.yml | 5 ++-- eng/common/scripts/Add-RetentionLease.ps1 | 29 +++++++++++-------- eng/common/scripts/Invoke-DevOpsAPI.ps1 | 2 +- 3 files changed, 20 insertions(+), 16 deletions(-) diff --git a/eng/common/pipelines/templates/steps/retain-run.yml b/eng/common/pipelines/templates/steps/retain-run.yml index c2ac61866..f7d854143 100644 --- a/eng/common/pipelines/templates/steps/retain-run.yml +++ b/eng/common/pipelines/templates/steps/retain-run.yml @@ -1,6 +1,6 @@ parameters: - name: DaysValid - default: 365 + default: 731 type: number steps: @@ -16,7 +16,6 @@ steps: -Project $(System.TeamProject) -DefinitionId $(System.DefinitionId) -RunId $(Build.BuildId) - -OwnerId Pipeline - -DaysValid ${{parameters.DaysValid}} + -DaysValid ${{ parameters.DaysValid }} -AccessToken $env:SYSTEM_ACCESSTOKEN -Debug \ No newline at end of file diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1 index dd56c20a5..cbc677730 100644 --- a/eng/common/scripts/Add-RetentionLease.ps1 +++ b/eng/common/scripts/Add-RetentionLease.ps1 
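Review bot: Runs that already hold a lease under the old `Pipeline` owner will presumably no longer be matched, because the second hunk of retain-run.yml drops `-OwnerId Pipeline`. The script's new default, `azure-sdk-pipeline-automation`, is then used for both the lookup and the new lease. Since the existing-lease check in Add-RetentionLease.ps1 passes `-OwnerId $OwnerId` to Get-RetentionLeases, such runs would likely receive a second lease. If that is intended, a comment above the script arguments would record it, e.g. `# OwnerId is defaulted by Add-RetentionLease.ps1; leases created under the old 'Pipeline' owner are not reused`. The step definition starts outside the hunk.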
@@ -12,28 +12,33 @@ param( [Parameter(Mandatory = $true)] [int]$RunId, - [Parameter(Mandatory = $true)] - [string]$OwnerId, - [Parameter(Mandatory = $true)] [int]$DaysValid, - [Parameter(Mandatory = $true)] - [string]$AccessToken + [Parameter(Mandatory = $false)] + [string]$OwnerId = "azure-sdk-pipeline-automation", + + [Parameter(Mandatory = $false)] + [string]$AccessToken = $env:DEVOPS_PAT ) +Set-StrictMode -Version 3 + +. (Join-Path $PSScriptRoot common.ps1) + $unencodedAuthToken = "nobody:$AccessToken" $unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken) $encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes) -# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines -# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out -# before being transmitted to the server (and shown in logs). It means if the value is accidentally -# leaked anywhere else that it won't be visible. The downside is that when the script is executed -# on a local development box, it will be visible. -Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" +if ($isDevOpsRun) { + # We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines + # build logs. Azure Pipelines will see this text and register the secret as a value it should *** out + # before being transmitted to the server (and shown in logs). It means if the value is accidentally + # leaked anywhere else that it won't be visible. The downside is that when the script is executed + # on a local development box, it will be visible. + Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" +} -. 
(Join-Path $PSScriptRoot common.ps1) LogDebug "Checking for existing leases on run: $RunId" $existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken diff --git a/eng/common/scripts/Invoke-DevOpsAPI.ps1 b/eng/common/scripts/Invoke-DevOpsAPI.ps1 index 41f4796d4..bc89aa88b 100644 --- a/eng/common/scripts/Invoke-DevOpsAPI.ps1 +++ b/eng/common/scripts/Invoke-DevOpsAPI.ps1 @@ -137,7 +137,7 @@ function Add-RetentionLease { $RunId, $OwnerId, $DaysValid, - $Base64AuthToken + $Base64EncodedAuthToken ) $parameter = @{}
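Review bot: Nothing rejects an empty token now that `-AccessToken` is optional and defaults to `$env:DEVOPS_PAT`. When neither is supplied, the script still builds `nobody:` and base64-encodes it, so the failure only shows up later, presumably as an authentication error from the API call. A guard right after the param block would fail fast: `if ([string]::IsNullOrWhiteSpace($AccessToken)) { throw 'No access token: pass -AccessToken or set DEVOPS_PAT.' }`. The comment kept inside `if ($isDevOpsRun)` also still says the value is visible on a local development box, but the new guard skips the `Write-Host` there, so that sentence should be dropped or reworded. `$isDevOpsRun` is presumably defined by common.ps1, which is not shown, and the script body continues outside the hunk.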
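Review bot: The parameters visible in this `param(...)` list of `Add-RetentionLease` have no type or `[Parameter(Mandatory = $true)]`, which is presumably why the old name mismatch went unnoticed. A caller passing `-Base64EncodedAuthToken` to a function that declared `$Base64AuthToken` gets no binding error. Declaring it as `[Parameter(Mandatory = $true)] [string]$Base64EncodedAuthToken` would make a missing or misnamed token fail at the call instead of reaching the request code with an empty value. The function's signature and body start and end outside the hunk, so whether it already carries `[CmdletBinding()]` is not visible.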