From f80f2d799936e3168694c3a42e6a3510ab63deb6 Mon Sep 17 00:00:00 2001
From: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com>
Date: Thu, 13 Jun 2024 12:10:14 -0400
Subject: [PATCH] Sync eng/common directory with azure-sdk-tools for PR 8388
 (#5704)

* Removal of the devops release PAT

* Don't pass in the access token, just use the AzureCLI task and do everything in the scripts

* Updates for feedback

---------

Co-authored-by: James Suplizio <jasupliz@microsoft.com>
---
 .../templates/steps/validate-all-packages.yml | 27 +++++------
 .../Helpers/DevOps-WorkItem-Helpers.ps1       | 29 ++++--------
 .../Update-DevOps-Release-WorkItem.ps1        | 15 ++----
 eng/common/scripts/Validate-All-Packages.ps1  |  4 +-
 eng/common/scripts/Validate-Package.ps1       | 46 ++++++++-----------
 5 files changed, 46 insertions(+), 75 deletions(-)

diff --git a/eng/common/pipelines/templates/steps/validate-all-packages.yml b/eng/common/pipelines/templates/steps/validate-all-packages.yml
index db374478a..679d8830a 100644
--- a/eng/common/pipelines/templates/steps/validate-all-packages.yml
+++ b/eng/common/pipelines/templates/steps/validate-all-packages.yml
@@ -10,20 +10,21 @@ steps:
       displayName: "Set as release build"
       condition: and(succeeded(), eq(variables['SetAsReleaseBuild'], ''))
 
-    - task: Powershell@2
+    - task: AzureCLI@2
       inputs:
-        filePath: $(Build.SourcesDirectory)/eng/common/scripts/Validate-All-Packages.ps1
-        arguments: >
-          -ArtifactList ('${{ convertToJson(parameters.Artifacts) }}' | ConvertFrom-Json | Select-Object Name)
-          -ArtifactPath ${{ parameters.ArtifactPath }}
-          -RepoRoot $(Build.SourcesDirectory)
-          -APIKey $(azuresdk-apiview-apikey)
-          -ConfigFileDir '${{ parameters.ConfigFileDir }}'
-          -BuildDefinition $(System.CollectionUri)$(System.TeamProject)/_build?definitionId=$(System.DefinitionId)
-          -PipelineUrl $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId)
-          -Devops_pat '$(azuresdk-azure-sdk-devops-release-work-item-pat)'
-          -IsReleaseBuild $$(SetAsReleaseBuild)
-        pwsh: true
+        azureSubscription: opensource-api-connection
+        scriptType: pscore
+        scriptLocation: inlineScript
+        inlineScript: |
+          $(Build.SourcesDirectory)/eng/common/scripts/Validate-All-Packages.ps1 `
+            -ArtifactList ('${{ convertToJson(parameters.Artifacts) }}' | ConvertFrom-Json | Select-Object Name) `
+            -ArtifactPath ${{ parameters.ArtifactPath }} `
+            -RepoRoot $(Build.SourcesDirectory) `
+            -APIKey $(azuresdk-apiview-apikey) `
+            -ConfigFileDir '${{ parameters.ConfigFileDir }}' `
+            -BuildDefinition $(System.CollectionUri)$(System.TeamProject)/_build?definitionId=$(System.DefinitionId) `
+            -PipelineUrl $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) `
+            -IsReleaseBuild $$(SetAsReleaseBuild)
         workingDirectory: $(Pipeline.Workspace)
       displayName: Validate packages and update work items
       continueOnError: true
diff --git a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1 b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1
index 805486245..4707517d8 100644
--- a/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1
+++ b/eng/common/scripts/Helpers/DevOps-WorkItem-Helpers.ps1
@@ -5,19 +5,15 @@ $ReleaseDevOpsCommonParametersWithProject = $ReleaseDevOpsCommonParameters + @("
 
 function Get-DevOpsRestHeaders()
 {
-  $headers = $null
-  if (Get-Variable -Name "devops_pat" -ValueOnly -ErrorAction "Ignore")
-  {
-    $encodedToken = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes([string]::Format("{0}:{1}", "", $devops_pat)))
-    $headers = @{ Authorization = "Basic $encodedToken" }
-  }
-  else
-  {
-    # Get a temp access token from the logged in az cli user for azure devops resource
-    $jwt_accessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv)
-    $headers = @{ Authorization = "Bearer $jwt_accessToken" }
+  # Get a temp access token from the logged in az cli user for azure devops resource
+  $headerAccessToken = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query "accessToken" --output tsv)
+
+  if ([System.String]::IsNullOrEmpty($headerAccessToken)) {
+    throw "Unable to create the DevOpsRestHeader due to access token being null or empty. The caller needs to be logged in with az login to an account with enough permissions to edit work items in the azure-sdk Release team project."
   }
 
+  $headers = @{ Authorization = "Bearer $headerAccessToken" }
+
   return $headers
 }
 
@@ -103,15 +99,6 @@ function Invoke-Query($fields, $wiql, $output = $true)
   return $workItems
 }
 
-function LoginToAzureDevops([string]$devops_pat)
-{
-  if (!$devops_pat) {
-    return
-  }
-  # based on the docs at https://aka.ms/azure-devops-cli-auth the recommendation is to set this env variable to login
-  $env:AZURE_DEVOPS_EXT_PAT = $devops_pat
-}
-
 function BuildHashKeyNoNull()
 {
   $filterNulls = $args | Where-Object { $_ }
@@ -374,7 +361,7 @@ function CreateWorkItem($title, $type, $iteration, $area, $fields, $assignedTo,
   {
     CreateWorkItemRelation $workItemId $parentId "parent" $outputCommand
   }
-  
+
   # Add a work item as related if given.
   if ($relatedId)
   {
diff --git a/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1 b/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1
index 11f0505f6..aa3f98860 100644
--- a/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1
+++ b/eng/common/scripts/Update-DevOps-Release-WorkItem.ps1
@@ -15,7 +15,6 @@ param(
   [string]$packageNewLibrary = "true",
   [string]$relatedWorkItemId = $null,
   [string]$tag = $null,
-  [string]$devops_pat = $env:DEVOPS_PAT,
   [bool]$inRelease = $true
 )
 #Requires -Version 6.0
@@ -29,16 +28,10 @@ if (!(Get-Command az -ErrorAction SilentlyContinue)) {
 . (Join-Path $PSScriptRoot SemVer.ps1)
 . (Join-Path $PSScriptRoot Helpers DevOps-WorkItem-Helpers.ps1)
 
-if (!$devops_pat) {
-  az account show *> $null
-  if (!$?) {
-    Write-Host 'Running az login...'
-    az login *> $null
-  }
-}
-else {
-  # Login using PAT
-  LoginToAzureDevops $devops_pat
+az account show *> $null
+if (!$?) {
+  Write-Host 'Running az login...'
+  az login *> $null
 }
 
 az extension show -n azure-devops *> $null
diff --git a/eng/common/scripts/Validate-All-Packages.ps1 b/eng/common/scripts/Validate-All-Packages.ps1
index 46d76195b..f327c4552 100644
--- a/eng/common/scripts/Validate-All-Packages.ps1
+++ b/eng/common/scripts/Validate-All-Packages.ps1
@@ -12,7 +12,6 @@ Param (
   [string]$BuildDefinition,
   [string]$PipelineUrl,
   [string]$APIViewUri  = "https://apiview.dev/AutoReview/GetReviewStatus",
-  [string]$Devops_pat = $env:DEVOPS_PAT,
   [bool] $IsReleaseBuild = $false
 )
 
@@ -33,8 +32,7 @@ function ProcessPackage($PackageName, $ConfigFileDir)
         -APIKey $APIKey `
         -BuildDefinition $BuildDefinition `
         -PipelineUrl $PipelineUrl `
-        -ConfigFileDir $ConfigFileDir `
-        -Devops_pat $Devops_pat
+        -ConfigFileDir $ConfigFileDir
     if ($LASTEXITCODE -ne 0) {
         Write-Error "Failed to validate package $PackageName"
         exit 1
diff --git a/eng/common/scripts/Validate-Package.ps1 b/eng/common/scripts/Validate-Package.ps1
index 4b9b9d864..070d7b23d 100644
--- a/eng/common/scripts/Validate-Package.ps1
+++ b/eng/common/scripts/Validate-Package.ps1
@@ -2,20 +2,19 @@
 
 [CmdletBinding()]
 param (
-  [Parameter(Mandatory = $true)]  
+  [Parameter(Mandatory = $true)]
   [string] $PackageName,
-  [Parameter(Mandatory = $true)] 
+  [Parameter(Mandatory = $true)]
   [string] $ArtifactPath,
   [Parameter(Mandatory=$True)]
   [string] $RepoRoot,
   [Parameter(Mandatory=$True)]
-  [string] $APIKey,  
+  [string] $APIKey,
   [Parameter(Mandatory=$True)]
   [string] $ConfigFileDir,
   [string] $BuildDefinition,
   [string] $PipelineUrl,
   [string] $APIViewUri,
-  [string] $Devops_pat = $env:DEVOPS_PAT,
   [bool] $IsReleaseBuild = $false
 )
 Set-StrictMode -Version 3
@@ -24,16 +23,10 @@ Set-StrictMode -Version 3
 . ${PSScriptRoot}\Helpers\ApiView-Helpers.ps1
 . ${PSScriptRoot}\Helpers\DevOps-WorkItem-Helpers.ps1
 
-if (!$Devops_pat) {
-  az account show *> $null
-  if (!$?) {
-    Write-Host 'Running az login...'
-    az login *> $null
-  }
-}
-else {
-  # Login using PAT
-  LoginToAzureDevops $Devops_pat
+az account show *> $null
+if (!$?) {
+  Write-Host 'Running az login...'
+  az login *> $null
 }
 
 az extension show -n azure-devops *> $null
@@ -57,12 +50,12 @@ function ValidateChangeLog($changeLogPath, $versionString, $validationStatus)
             Message = ""
         }
         $changeLogFullPath = Join-Path $RepoRoot $changeLogPath
-        Write-Host "Path to change log: [$changeLogFullPath]"        
+        Write-Host "Path to change log: [$changeLogFullPath]"
         if (Test-Path $changeLogFullPath)
         {
             Confirm-ChangeLogEntry -ChangeLogLocation $changeLogFullPath -VersionString $versionString -ForRelease $true -ChangeLogStatus $ChangeLogStatus -SuppressErrors $true
             $validationStatus.Status = if ($ChangeLogStatus.IsValid) { "Success" } else { "Failed" }
-            $validationStatus.Message = $ChangeLogStatus.Message 
+            $validationStatus.Message = $ChangeLogStatus.Message
         }
         else {
             $validationStatus.Status = "Failed"
@@ -83,7 +76,7 @@ function VerifyAPIReview($packageName, $packageVersion, $language)
     $APIReviewValidation = [PSCustomObject]@{
         Name = "API Review Approval"
         Status = "Pending"
-        Message = ""    
+        Message = ""
     }
     $PackageNameValidation = [PSCustomObject]@{
         Name = "Package Name Approval"
@@ -101,7 +94,7 @@ function VerifyAPIReview($packageName, $packageVersion, $language)
             IsApproved = $false
             Details = ""
         }
-        Write-Host "Checking API review status for package $packageName with version $packageVersion. language [$language]." 
+        Write-Host "Checking API review status for package $packageName with version $packageVersion. language [$language]."
         Check-ApiReviewStatus $packageName $packageVersion $language $APIViewUri $APIKey $apiStatus $packageNameStatus
 
         Write-Host "API review approval details: $($apiStatus.Details)"
@@ -132,14 +125,14 @@ function VerifyAPIReview($packageName, $packageVersion, $language)
 
 function IsVersionShipped($packageName, $packageVersion)
 {
-    # This function will decide if a package version is already shipped or not  
+    # This function will decide if a package version is already shipped or not
     Write-Host "Checking if a version is already shipped for package $packageName with version $packageVersion."
     $parsedNewVersion = [AzureEngSemanticVersion]::new($packageVersion)
     $versionMajorMinor = "" + $parsedNewVersion.Major + "." + $parsedNewVersion.Minor
     $workItem = FindPackageWorkItem -lang $LanguageDisplayName -packageName $packageName -version $versionMajorMinor -includeClosed $true -outputCommand $false
     if ($workItem)
     {
-        # Check if the package version is already shipped    
+        # Check if the package version is already shipped
         $shippedVersionSet = ParseVersionSetFromMDField $workItem.fields["Custom.ShippedPackages"]
         if ($shippedVersionSet.ContainsKey($packageVersion)) {
             return $true
@@ -163,8 +156,8 @@ function CreateUpdatePackageWorkItem($pkgInfo)
         $setReleaseState = $false
         $plannedDate = "unknown"
     }
-        
-    # Create or update package work item  
+
+    # Create or update package work item
     &$EngCommonScriptsDir/Update-DevOps-Release-WorkItem.ps1 `
         -language $LanguageDisplayName `
         -packageName $packageName `
@@ -175,9 +168,8 @@ function CreateUpdatePackageWorkItem($pkgInfo)
         -packageNewLibrary $pkgInfo.IsNewSDK `
         -serviceName "unknown" `
         -packageDisplayName "unknown" `
-        -inRelease $IsReleaseBuild `
-        -devops_pat $Devops_pat
-    
+        -inRelease $IsReleaseBuild
+
     if ($LASTEXITCODE -ne 0)
     {
         Write-Host "Update of the Devops Release WorkItem failed."
@@ -244,7 +236,7 @@ $updatedWi = CreateUpdatePackageWorkItem $pkgInfo
 # Update validation status in package work item
 if ($updatedWi) {
     Write-Host "Updating validation status in package work item."
-    $updatedWi = UpdateValidationStatus $pkgValidationDetails $BuildDefinition $PipelineUrl    
+    $updatedWi = UpdateValidationStatus $pkgValidationDetails $BuildDefinition $PipelineUrl
 }
 
 # Fail the build if any validation is not successful for a release build
@@ -254,7 +246,7 @@ Write-Host "Package Name status:" $apireviewDetails.PackageNameApproval.Status
 
 if ($IsReleaseBuild)
 {
-    if (!$updatedWi -or $changelogStatus.Status -ne "Success" -or $apireviewDetails.ApiviewApproval.Status -ne "Approved" -or $apireviewDetails.PackageNameApproval.Status -ne "Approved") {        
+    if (!$updatedWi -or $changelogStatus.Status -ne "Success" -or $apireviewDetails.ApiviewApproval.Status -ne "Approved" -or $apireviewDetails.PackageNameApproval.Status -ne "Approved") {
         Write-Error "At least one of the Validations above failed for package $pkgName with version $versionString."
         exit 1
     }