Move GitHub PAT to vault (#175)

jakebailey · web-flow · commit fd2571c04ebb · 2024-12-04T12:17:56.000-08:00
diff --git a/azure-pipelines-gitTests-template.yml b/azure-pipelines-gitTests-template.yml
@@ -41,6 +41,13 @@ parameters:
 jobs:
 - job: ListRepos
   steps:
+  - task: AzureKeyVault@2
+    inputs:
+      azureSubscription: 'TypeScript Public CI'
+      KeyVaultName: 'jststeam-passwords'
+      SecretsFilter: 'typescript-bot-github-PAT-error-deltas'
+    displayName: Get secrets
+    retryCountOnTaskFailure: 3
   - task: UseNode@1
     inputs:
       version: '20.x'
@@ -52,7 +59,7 @@ jobs:
       node dist/listTopRepos ${{ parameters.LANGUAGE }} ${{ parameters.REPO_COUNT }} ${{ parameters.REPO_START_INDEX }} artifacts/repos.json
     displayName: 'List top TS repos'
     env:
-      GITHUB_PAT: $(GITHUB_PAT)
+      GITHUB_PAT: $(typescript-bot-github-PAT-error-deltas)
   - publish: artifacts
     artifact: RepoList
 - job: DetectNewErrors
@@ -62,6 +69,13 @@ jobs:
   strategy:
     parallel: ${{ parameters.MACHINE_COUNT }}
   steps:
+  - task: AzureKeyVault@2
+    inputs:
+      azureSubscription: 'TypeScript Public CI'
+      KeyVaultName: 'jststeam-passwords'
+      SecretsFilter: 'typescript-bot-github-PAT-error-deltas'
+    displayName: Get secrets
+    retryCountOnTaskFailure: 3
   - download: current
     artifact: RepoList
   - task: UseNode@1
@@ -77,12 +91,19 @@ jobs:
     displayName: 'Run TypeScript on repos'
     continueOnError: true
     env:
-      GITHUB_PAT: $(GITHUB_PAT)
+      GITHUB_PAT: $(typescript-bot-github-PAT-error-deltas)
   - publish: 'RepoResults$(System.JobPositionInPhase)'
     artifact: 'RepoResults$(System.JobPositionInPhase)'
 - job: ReportNewErrors
   dependsOn: DetectNewErrors
   steps:
+  - task: AzureKeyVault@2
+    inputs:
+      azureSubscription: 'TypeScript Public CI'
+      KeyVaultName: 'jststeam-passwords'
+      SecretsFilter: 'typescript-bot-github-PAT-error-deltas'
+    displayName: Get secrets
+    retryCountOnTaskFailure: 3
   - download: current
   - task: UseNode@1
     inputs:
@@ -94,4 +115,4 @@ jobs:
       node dist/postGithubIssue ${{ parameters.ENTRYPOINT }} ${{ parameters.LANGUAGE }} ${{ parameters.REPO_COUNT }} ${{ parameters.REPO_START_INDEX }} '$(Pipeline.Workspace)' '$(System.TeamFoundationCollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId)' '$(System.TeamFoundationCollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId)&view=artifacts&type=publishedArtifacts' ${{ parameters.POST_RESULT }} '$(System.TeamFoundationCollectionUri)$(System.TeamProject)/_apis/build/builds/$(Build.BuildId)/artifacts'
     displayName: 'Create issue from new errors'
     env:
-      GITHUB_PAT: $(GITHUB_PAT)
+      GITHUB_PAT: $(typescript-bot-github-PAT-error-deltas)
diff --git a/azure-pipelines-userTests.yml b/azure-pipelines-userTests.yml
@@ -72,6 +72,13 @@ variables:
 jobs:
 - job: ListRepos
   steps:
+  - task: AzureKeyVault@2
+    inputs:
+      azureSubscription: 'TypeScript Public CI'
+      KeyVaultName: 'jststeam-passwords'
+      SecretsFilter: 'typescript-bot-github-PAT-error-deltas'
+    displayName: Get secrets
+    retryCountOnTaskFailure: 3
   - task: UseNode@1
     inputs:
       version: '20.x'
@@ -83,7 +90,7 @@ jobs:
   - script: node dist/listTopRepos TypeScript ${{ parameters.REPO_COUNT }} 0 artifacts/repos.json
     condition: eq('${{ parameters.TOP_REPOS }}', 'true')
     env:
-      GITHUB_PAT: $(GITHUB_PAT)
+      GITHUB_PAT: $(typescript-bot-github-PAT-error-deltas)
     displayName: 'List top TS repos'
   - script: node dist/listUserTestRepos ./userTests artifacts/repos.json
     condition: ne('${{ parameters.TOP_REPOS }}', 'true')
@@ -96,6 +103,13 @@ jobs:
   strategy:
     parallel: ${{ parameters.MACHINE_COUNT }}
   steps:
+  - task: AzureKeyVault@2
+    inputs:
+      azureSubscription: 'TypeScript Public CI'
+      KeyVaultName: 'jststeam-passwords'
+      SecretsFilter: 'typescript-bot-github-PAT-error-deltas'
+    displayName: Get secrets
+    retryCountOnTaskFailure: 3
   - download: current
     artifact: RepoList
   - task: UseNode@1
@@ -110,12 +124,19 @@ jobs:
       node dist/checkUserTestRepos ${{ parameters.ENTRYPOINT }} ${{ parameters.OLD_TS_REPO_URL }} ${{ parameters.OLD_HEAD_REF }} ${{ parameters.SOURCE_ISSUE }} ${{ parameters.TOP_REPOS }} '$(Pipeline.Workspace)/RepoList/repos.json' $(System.TotalJobsInPhase) $(System.JobPositionInPhase) 'RepoResults$(System.JobPositionInPhase)' ${{ parameters.DIAGNOSTIC_OUTPUT }} ${{ parameters.PRNG_SEED }}
     displayName: 'Run user tests'
     env:
-      GITHUB_PAT: $(GITHUB_PAT)
+      GITHUB_PAT: $(typescript-bot-github-PAT-error-deltas)
   - publish: 'RepoResults$(System.JobPositionInPhase)'
     artifact: 'RepoResults$(System.JobPositionInPhase)'
 - job: ReportNewErrors
   dependsOn: DetectNewErrors
   steps:
+  - task: AzureKeyVault@2
+    inputs:
+      azureSubscription: 'TypeScript Public CI'
+      KeyVaultName: 'jststeam-passwords'
+      SecretsFilter: 'typescript-bot-github-PAT-error-deltas'
+    displayName: Get secrets
+    retryCountOnTaskFailure: 3
   - download: current
   - task: UseNode@1
     inputs:
@@ -127,4 +148,4 @@ jobs:
       node dist/postGithubComments ${{ parameters.ENTRYPOINT }} ${{ parameters.REQUESTING_USER }} ${{ parameters.SOURCE_ISSUE }} ${{ parameters.STATUS_COMMENT }} ${{ parameters.DISTINCT_ID }} ${{ parameters.TOP_REPOS }} '$(Pipeline.Workspace)' '$(System.TeamFoundationCollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId)&view=artifacts&type=publishedArtifacts' ${{ parameters.POST_RESULT }} ${{ parameters.REPO_COUNT }} '$(System.TeamFoundationCollectionUri)$(System.TeamProject)/_apis/build/builds/$(Build.BuildId)/artifacts'
     displayName: 'Update PR comment with new errors'
     env:
-      GITHUB_PAT: $(GITHUB_PAT)
+      GITHUB_PAT: $(typescript-bot-github-PAT-error-deltas)
