[POC][US 20499] Control Tower auth probe in PR package-build check (fork) #17856
PawelWMS wants to merge 2 commits into
Conversation
POC for US 20499 (sources-upload prcheck). Verify the passed service connection authenticates to Control Tower from BOTH internal and fork PRs before wiring the real source-scan/upload flow. Adds an early AzureCLI@2 step that acquires a token via the WIF service connection and does a read-only GET /api/Workflow/plans (no build is submitted), failing the check on any non-200. A new probeOnly parameter (default true) gates the change-detection + scratch-build steps so the POC run stops right after the probe. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Hello, and thank you for opening this pull request! 👋🏼 We appreciate the contribution. We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Commits in this repo will typically be prefixed with Details:

/azp run

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

/azp run

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.
Pull request overview
This POC modifies the ADO PR package-build raw stages template to test whether a fork PR can authenticate to Control Tower using the passed WIF service connection and ControlTower-PRCheck variable group. It adds a probeOnly parameter (default true) and an early AzureCLI@2 step that acquires a token and does a read-only GET /api/Workflow/plans, gating the existing change-detection + scratch-build steps behind probeOnly == false. It fits into the broader effort to wire a Control Tower-backed PR check, validating the auth path before the full flow is enabled.
Changes:
- Adds a `probeOnly` boolean parameter defaulting to `true`.
- Adds an inline `az account get-access-token` + `curl` probe against `/api/Workflow/plans`, failing on any non-200.
- Wraps the original full-history/azldev/change-set/scratch-build steps in an `${{ if eq(parameters.probeOnly, false) }}` block.
```yaml
    inlineScript: |
      set -euo pipefail
      base_url="${API_BASE_URL%/}"
      url="$base_url/api/Workflow/plans"
      echo "Acquiring Control Tower token for audience: $API_AUDIENCE"
      token="$(az account get-access-token --resource "$API_AUDIENCE" --query accessToken -o tsv)"
      echo "GET $url"
      http_code="$(curl -sS -o /tmp/ct_plans.json -w '%{http_code}' \
        -H "Authorization: Bearer $token" \
        -H "Accept: application/json" \
        "$url")"
      echo "HTTP status: $http_code"
      echo "Response (first 1000 bytes):"
      head -c 1000 /tmp/ct_plans.json || true
      echo
      if [ "$http_code" != "200" ]; then
        echo "##[error]Control Tower auth probe failed (HTTP $http_code)."
        exit 1
      fi
```
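Review bot: `head -c 1000 /tmp/ct_plans.json` prints the Control Tower response body into the job log on every run, including the success path, and this template is being exercised from a fork PR whose author can read that log; since the probe only needs the status code, move the body echo inside the `if [ "$http_code" != "200" ]` branch. Separately, `-H "Authorization: Bearer $token"` puts the token on curl's command line, where any other process on the agent can read it from the process table; writing the header to a temporary 0600 file and passing `-H @file` keeps it out of argv. A `--max-time` on the curl call would also keep a hung endpoint from consuming the whole job timeout.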
```yaml
  - name: probeOnly
    type: boolean
    default: true
```
Point the POC auth probe at the Azure Front Door endpoint (ApiBaseAFDUrl) instead of the direct APIM URL. The real scratch-build step keeps using ApiBaseDirectUrl. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
/azp run

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.
POC for US 20499 (sources-upload prcheck) — FORK PR

Same change as the internal PR, but raised from a fork (`PawelWMS/CBL-Mariner`) to test whether the passed service connection / CT variable group are available to a fork-triggered ADO PR validation run.

What this changes

`.github/workflows/ado/templates/pr-package-build-stages.yml`:
- `probeOnly` parameter (default `true`).
- `AzureCLI@2` probe step: token via the WIF service connection + read-only `GET /api/Workflow/plans` (no build), failing on any non-200.
- Change-detection + scratch-build steps gated on `probeOnly == false` so the run stops after the probe.

What we're checking

Whether a fork PR can authenticate to Control Tower. If the variable group / service connection are withheld from forks, the probe fails — that's the signal.

Draft — POC only, not for merge.
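A hardened variant of the probe this PR describes, added here as an example; it is not the PR's own inlineScript or anything from the CBL-Mariner repository. It assumes the same `API_BASE_URL` and `API_AUDIENCE` pipeline variables the PR uses, an agent with `az`, `mktemp` and curl 7.55 or newer (for `-H @file`), and the function names `probe_verdict`, `write_auth_header`, `plans_url` and `run_probe` are the example's own. It differs from the PR script in three ways a defender cares about on a fork-triggered run: the bearer token reaches curl through a 0600 header file instead of argv, the response body is logged only on failure, and the request has a timeout. `run_probe` is what the AzureCLI@2 step would call; the other functions are pure so they can be exercised without network access.

```shell
# Added example (not the PR's inlineScript). Assumes API_BASE_URL and
# API_AUDIENCE are set by the pipeline, and that az, curl (>= 7.55) and
# mktemp exist on the agent.
set -eu
# pipefail is not POSIX; enable it only where the shell supports it.
(set -o pipefail) 2>/dev/null && set -o pipefail

# Map the HTTP status of the read-only GET to a verdict for the check.
# Only 200 proves the service connection authenticated; 401/403 is the
# "withheld from forks" signal the PR description talks about; anything
# else is a transport or configuration problem and is reported distinctly.
probe_verdict() {
    case "$1" in
        200)     echo "ok";          return 0 ;;
        401|403) echo "auth-denied"; return 1 ;;
        *)       echo "unexpected";  return 1 ;;
    esac
}

# Write the bearer token into a header file readable only by the agent user,
# so the token never appears in curl's argv (readable via ps or /proc).
write_auth_header() {
    hdr_file="$(mktemp)"
    chmod 600 "$hdr_file"
    printf 'Authorization: Bearer %s\n' "$1" > "$hdr_file"
    echo "$hdr_file"
}

# Build the probe URL from the base URL, tolerating a trailing slash.
plans_url() {
    printf '%s/api/Workflow/plans' "${1%/}"
}

# The probe itself: acquire a token through the WIF service connection,
# do the read-only GET, and fail the check on anything other than 200.
run_probe() {
    url="$(plans_url "$API_BASE_URL")"
    echo "Acquiring Control Tower token for audience: $API_AUDIENCE"
    token="$(az account get-access-token --resource "$API_AUDIENCE" --query accessToken -o tsv)"
    hdr="$(write_auth_header "$token")"
    body="$(mktemp)"
    # Expand the paths now so the cleanup does not depend on these variables later.
    trap "rm -f '$hdr' '$body'" EXIT
    echo "GET $url"
    http_code="$(curl -sS --max-time 30 -o "$body" -w '%{http_code}' \
        -H @"$hdr" -H 'Accept: application/json' "$url")"
    verdict="$(probe_verdict "$http_code")" || true
    echo "HTTP status: $http_code ($verdict)"
    # Show the body only on failure: a successful plan listing does not belong
    # in a log that a fork author can read.
    if [ "$verdict" != "ok" ]; then
        echo "Response (first 1000 bytes):"
        head -c 1000 "$body" || true
        echo
        echo "##[error]Control Tower auth probe failed (HTTP $http_code, $verdict)."
        return 1
    fi
}

# In the pipeline step, follow the function definitions with: run_probe
```

The verdict split matters for reading the POC log: a 401/403 on the fork run is the "service connection withheld from forks" outcome the PR is looking for, while a 000 (connection failure) or 5xx says nothing about the fork question and should not be read as that signal.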