
[POC][US 20499] Control Tower auth probe in PR package-build check (fork) #17856

Draft

PawelWMS wants to merge 2 commits into microsoft:4.0 from PawelWMS:sources-upload-prcheck


Conversation

@PawelWMS

Contributor

POC for US 20499 (sources-upload prcheck) — FORK PR

Same change as the internal PR, but raised from a fork (PawelWMS/CBL-Mariner) to test whether the passed service connection / CT variable group are available to a fork-triggered ADO PR validation run.

What this changes

.github/workflows/ado/templates/pr-package-build-stages.yml:

  • Adds a probeOnly parameter (default true).
  • Adds an early AzureCLI@2 probe step: token via the WIF service connection + read-only GET /api/Workflow/plans (no build), failing on any non-200.
  • Gates the real change-detection + scratch-build steps behind probeOnly == false so the run stops after the probe.

What we're checking

Whether a fork PR can authenticate to Control Tower. If the variable group / service connection are withheld from forks, the probe fails — that's the signal.

Draft — POC only, not for merge.
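A hardened variant of the probe step described above, added here as an example and not code from the PR or the template: it keeps the bearer token off curl's command line by writing the header to a 0600 temp file that curl reads with `-H @file`, prints the response body only when the probe fails, bounds the request with a timeout, and removes its temp files. The function names `ct_plans_url` and `ct_probe` and the `CT_AZ`/`CT_CURL` overrides (which let the control flow be exercised offline with stub commands) are assumptions of this example; `API_BASE_URL` and `API_AUDIENCE` follow the variable names the PR's script uses.

```shell
#!/usr/bin/env bash
# Hardened Control Tower auth probe (added example, not the PR's own script).
# Assumptions: the az CLI is already logged in through the WIF service
# connection, and API_BASE_URL / API_AUDIENCE are the same pipeline variables
# the PR's inline script reads.
set -eu

# Build the read-only probe URL, tolerating a trailing slash on the base URL.
ct_plans_url() {
  printf '%s/api/Workflow/plans' "${1%/}"
}

# ct_probe BASE_URL AUDIENCE
# Returns 0 on HTTP 200 and 1 otherwise. CT_AZ / CT_CURL (assumed names, not
# pipeline variables) can point at stub commands for offline exercising.
ct_probe() {
  local base_url="$1" audience="$2"
  local az_cmd="${CT_AZ:-az}" curl_cmd="${CT_CURL:-curl}"
  local url; url="$(ct_plans_url "$base_url")"
  local workdir; workdir="$(mktemp -d)"
  local hdr="$workdir/auth.hdr" body="$workdir/body.json"

  # Acquire the token into a variable only; never echo it or place it in argv.
  local tok
  if ! tok="$("$az_cmd" account get-access-token --resource "$audience" --query accessToken -o tsv)" \
     || [ -z "$tok" ]; then
    echo "##[error]Could not acquire a Control Tower token."
    rm -rf "$workdir"; return 1
  fi
  # Write the header to a 0600 file so curl reads it via -H @file (curl >= 7.55)
  # instead of exposing the bearer token in the agent's process list.
  ( umask 077; printf 'Authorization: Bearer %s\n' "$tok" > "$hdr" )
  unset tok

  local code
  echo "GET $url"
  code="$("$curl_cmd" -sS --max-time 30 -o "$body" -w '%{http_code}' \
          -H "@$hdr" -H 'Accept: application/json' "$url")" || code="000"
  rm -f "$hdr"
  echo "HTTP status: $code"

  if [ "$code" != "200" ]; then
    # Only a failing probe needs the body in the log, and only a bounded slice of it.
    echo "##[error]Control Tower auth probe failed (HTTP $code). Response (first 1000 bytes):"
    head -c 1000 "$body" 2>/dev/null || true; echo
    rm -rf "$workdir"; return 1
  fi
  rm -rf "$workdir"
  return 0
}

# Run automatically only when the pipeline variables are present, so sourcing
# this file elsewhere (for tests) does not trigger a real request.
if [ -n "${API_BASE_URL:-}" ] && [ -n "${API_AUDIENCE:-}" ]; then
  ct_probe "$API_BASE_URL" "$API_AUDIENCE"
fi
```

Dropped into the AzureCLI@2 `inlineScript`, the only logged values are the URL and the status code; the audience and the token never reach the log, and a passing probe does not publish the plans listing into a fork PR's build output.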

POC for US 20499 (sources-upload prcheck). Verify the passed service
connection authenticates to Control Tower from BOTH internal and fork
PRs before wiring the real source-scan/upload flow.

Adds an early AzureCLI@2 step that acquires a token via the WIF service
connection and does a read-only GET /api/Workflow/plans (no build is
submitted), failing the check on any non-200. A new probeOnly parameter
(default true) gates the change-detection + scratch-build steps so the
POC run stops right after the probe.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 29, 2026 23:52
@github-actions


Hello, and thank you for opening this pull request! 👋🏼 We appreciate the contribution.

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Commits in this repo will typically be prefixed with fix:, feat:, docs:, chore:, refactor:, test:, or ci: to indicate the type of change being proposed. The linked specification has more details.

Details:

No release type found in pull request title "[POC][US 20499] Control Tower auth probe in PR package-build check (fork)". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

@PawelWMS

Contributor Author

/azp run

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

@PawelWMS

Contributor Author

/azp run

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

Copilot AI left a comment

Contributor


Pull request overview

This POC modifies the ADO PR package-build raw stages template to test whether a fork PR can authenticate to Control Tower using the passed WIF service connection and ControlTower-PRCheck variable group. It adds a probeOnly parameter (default true) and an early AzureCLI@2 step that acquires a token and does a read-only GET /api/Workflow/plans, gating the existing change-detection + scratch-build steps behind probeOnly == false. It fits into the broader effort to wire a Control Tower-backed PR check, validating the auth path before the full flow is enabled.

Changes:

  • Adds a probeOnly boolean parameter defaulting to true.
  • Adds an inline az account get-access-token + curl probe against /api/Workflow/plans, failing on any non-200.
  • Wraps the original full-history/azldev/change-set/scratch-build steps in an ${{ if eq(parameters.probeOnly, false) }} block.

Comment on lines +110 to +120
inlineScript: |
set -euo pipefail
base_url="${API_BASE_URL%/}"
url="$base_url/api/Workflow/plans"
echo "Acquiring Control Tower token for audience: $API_AUDIENCE"
token="$(az account get-access-token --resource "$API_AUDIENCE" --query accessToken -o tsv)"
echo "GET $url"
http_code="$(curl -sS -o /tmp/ct_plans.json -w '%{http_code}' \
-H "Authorization: Bearer $token" \
-H "Accept: application/json" \
"$url")"
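
Review bot: the bearer token is handed to curl on its command line (`-H "Authorization: Bearer $token"`), so for the duration of the request it is readable by any other process on the agent through the process list. Write the header line to a temp file created under `umask 077` and pass `-H @file` (curl 7.55 or later), then delete the file. Two smaller points in the same hunk: the audience is echoed to the log (`echo "Acquiring Control Tower token for audience: $API_AUDIENCE"`), and since this template is meant to run on fork-triggered PRs whose logs are broadly visible, confirm that value is fine to publish or log only that a token was acquired; and the curl call has no `--max-time`, so an unresponsive endpoint holds the step until the job timeout instead of failing fast.
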
Comment on lines +121 to +128
echo "HTTP status: $http_code"
echo "Response (first 1000 bytes):"
head -c 1000 /tmp/ct_plans.json || true
echo
if [ "$http_code" != "200" ]; then
echo "##[error]Control Tower auth probe failed (HTTP $http_code)."
exit 1
fi
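
Review bot: the response body is written to the log unconditionally (`head -c 1000 /tmp/ct_plans.json`), on a 200 as well as on failure, so a successful probe publishes the first 1000 bytes of the plans listing into a fork PR's build output. Print the body only inside the `if [ "$http_code" != "200" ]` branch, or log just the status and the content length. `/tmp/ct_plans.json` is also a fixed path created with default permissions; prefer `mktemp` and remove the file when the step ends so a second run or another job on the same agent does not inherit it.
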
Comment on lines +69 to +71
- name: probeOnly
type: boolean
default: true
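
Review bot: `default: true` means any pipeline that consumes this template without setting `probeOnly` explicitly runs only the probe and reports success with no change detection and no scratch build, which reads as a green check for a change that was never built. Given the description already states the POC is not for merge, either default to `false` so the probe is opt-in, or drop the default so callers must choose, and add a comment on the parameter describing what it gates.
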
Point the POC auth probe at the Azure Front Door endpoint (ApiBaseAFDUrl)
instead of the direct APIM URL. The real scratch-build step keeps using
ApiBaseDirectUrl.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@PawelWMS

Contributor Author

/azp run

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.
