[POC][US 20499] Control Tower auth probe in PR package-build check (internal) #17855
PawelWMS wants to merge 2 commits into
POC for US 20499 (sources-upload prcheck). Verify the passed service connection authenticates to Control Tower from BOTH internal and fork PRs before wiring the real source-scan/upload flow. Adds an early AzureCLI@2 step that acquires a token via the WIF service connection and does a read-only GET /api/Workflow/plans (no build is submitted), failing the check on any non-200. A new probeOnly parameter (default true) gates the change-detection + scratch-build steps so the POC run stops right after the probe. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Hello, and thank you for opening this pull request! 👋🏼 We appreciate the contribution. We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Commits in this repo will typically be prefixed with
Pull request overview
This PR is an explicitly-draft proof-of-concept for US 20499. It adds a Control Tower authentication probe to the raw stages template for the [PR-check] scratch package build ADO pipeline, to verify that the WIF service connection can authenticate against Control Tower from a PR before the real source-scan/upload flow is wired in. The probe acquires a token via the service connection and issues a read-only GET /api/Workflow/plans, failing the check on any non-200. A new probeOnly parameter (default true) gates the existing change-detection + scratch-build steps so the POC run stops right after the probe.
Changes:
- Adds a `probeOnly` boolean parameter (default `true`) to `pr-package-build-stages.yml`.
- Adds an unconditional `AzureCLI@2` probe step doing inline `az account get-access-token` + `curl` against `/api/Workflow/plans`.
- Wraps the existing real build steps in `${{ if eq(parameters.probeOnly, false) }}` so they are skipped by default.
```yaml
inlineScript: |
  set -euo pipefail
  base_url="${API_BASE_URL%/}"
  url="$base_url/api/Workflow/plans"
  echo "Acquiring Control Tower token for audience: $API_AUDIENCE"
  token="$(az account get-access-token --resource "$API_AUDIENCE" --query accessToken -o tsv)"
  echo "GET $url"
  http_code="$(curl -sS -o /tmp/ct_plans.json -w '%{http_code}' \
    -H "Authorization: Bearer $token" \
    -H "Accept: application/json" \
    "$url")"
  echo "HTTP status: $http_code"
  echo "Response (first 1000 bytes):"
  head -c 1000 /tmp/ct_plans.json || true
  echo
  if [ "$http_code" != "200" ]; then
    echo "##[error]Control Tower auth probe failed (HTTP $http_code)."
    exit 1
  fi
  echo "Control Tower auth probe succeeded (HTTP 200)."
```
Point the POC auth probe at the Azure Front Door endpoint (ApiBaseAFDUrl) instead of the direct APIM URL. The real scratch-build step keeps using ApiBaseDirectUrl. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
POC for US 20499 (sources-upload prcheck)
Verifies the passed service connection can authenticate to Control Tower from an internal PR before wiring the real source-scan/upload flow.
What this changes
.github/workflows/ado/templates/pr-package-build-stages.yml:
- `probeOnly` parameter (default `true`).
- `AzureCLI@2` probe step that acquires a token via the WIF service connection and does a read-only `GET /api/Workflow/plans` (no build submitted), failing the check on any non-200.
- Existing change-detection + scratch-build steps gated on `probeOnly == false`, so the POC run stops right after the probe.
How to test
Trigger the [PR-check] scratch package build validation (def 5465). Expect the probe to authenticate and return the plans list, then stop.
Draft — POC only, not for merge.
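As an added example that is not part of this PR (nor of the pipeline template it edits), here is the probe's inline script reworked into a reusable shell function. It goes beyond the PR's script in two ways a reviewer of a PR-check step would care about: a curl transport failure (DNS, TLS, timeout) is reported with the same `##[error]` logging command instead of being cut short by `set -e` before the status check, and the log carries only the HTTP status and the response size rather than the first 1000 bytes of the body, so a fork PR's log cannot surface plan data. The names `ct_probe`, `fake_curl`, `CT_CURL`, `FAKE_HTTP_CODE`, `FAKE_CURL_RC` and the 0/1/2 return-code convention are this example's own assumptions; the real `az account get-access-token` call is left to the caller.

```shell
#!/bin/sh
# Added example, not the PR's own inlineScript: the Control Tower auth probe as
# a function that tells three outcomes apart instead of letting `set -e` abort
# on a transport error before the status check runs:
#   return 0 = HTTP 200, 1 = HTTP non-200, 2 = curl itself failed (DNS/TLS/timeout).
# It logs only the status line and the response size, never the body or the token.
# CT_CURL is an assumed hook (not in the PR) so the function can be exercised
# offline with a stand-in command; in a pipeline it defaults to the real curl.
set -eu

ct_probe() {
    base_url="${1%/}"      # e.g. the ApiBaseAFDUrl value the PR points the probe at
    token="$2"             # bearer token obtained via `az account get-access-token`
    url="$base_url/api/Workflow/plans"
    body_file="$(mktemp)"
    curl_rc=0

    # A transport failure lands in curl_rc here instead of killing the shell.
    http_code="$("${CT_CURL:-curl}" -sS --max-time 30 -o "$body_file" -w '%{http_code}' \
        -H "Authorization: Bearer $token" \
        -H "Accept: application/json" \
        "$url")" || curl_rc=$?

    if [ "$curl_rc" -ne 0 ]; then
        echo "##[error]Control Tower auth probe: request to $url failed (curl exit $curl_rc)."
        rm -f "$body_file"
        return 2
    fi

    # Report size only; the plans payload itself never reaches the pipeline log.
    body_bytes="$(wc -c < "$body_file" | tr -d ' ')"
    rm -f "$body_file"
    echo "GET $url -> HTTP $http_code ($body_bytes bytes)"

    if [ "$http_code" != "200" ]; then
        echo "##[error]Control Tower auth probe failed (HTTP $http_code)."
        return 1
    fi
    echo "Control Tower auth probe succeeded (HTTP 200)."
    return 0
}

# Constructed stand-in for curl so the probe can be run without network access.
# It honours only the -o <file> argument the probe passes, writes a made-up
# plans payload there, and reports FAKE_HTTP_CODE / FAKE_CURL_RC. Not in the PR.
fake_curl() {
    out=""
    prev=""
    for a in "$@"; do
        if [ "$prev" = "-o" ]; then out="$a"; fi
        prev="$a"
    done
    if [ "${FAKE_CURL_RC:-0}" -ne 0 ]; then return "${FAKE_CURL_RC}"; fi
    printf '[{"id":"plan-constructed-1"}]' > "$out"
    printf '%s' "${FAKE_HTTP_CODE:-200}"
}
```

In the AzureCLI@2 step this would be called as `ct_probe "$API_BASE_URL" "$(az account get-access-token --resource "$API_AUDIENCE" --query accessToken -o tsv)"`, with a non-zero return mapped to `exit 1` exactly as the PR's script does; the stand-in is only there so that all three exit paths of the probe logic can be checked without a service connection.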