31 changes: 29 additions & 2 deletions .github/workflows/accept-baselines-fix-lints.yaml
Expand Up @@ -5,6 +5,7 @@ on:

permissions:
contents: read
id-token: write

# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
Expand All @@ -15,11 +16,14 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
Expand All @@ -37,4 +41,27 @@ jobs:
git add ./tests/baselines/reference
git diff --cached
git commit -m "Update Baselines, Applied Lint Fixes, and/or Formatted"
git push
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- run: git push
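Review bot: The `Configure git for GitHub App token` step is copied verbatim into four workflows (here, create-cherry-pick-pr.yml, lkg.yml and new-release-branch.yaml), so any later fix to the masking or header logic has to be made four times; a local composite action would keep the credential handling in one place. The step also never checks that the token is non-empty: `set -u` does not cover `process.env.GITHUB_APP_TOKEN` inside node, so an empty output would still be encoded and written to `http.https://github.com/.extraheader`, and would surface only as an authentication failure at `git push`. Adding `: "${GITHUB_APP_TOKEN:?app token is empty}"` right after `set -euo pipefail` would fail the step at the cause. The steps between setup-node and the commit are outside the visible hunks.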
24 changes: 23 additions & 1 deletion .github/workflows/close-issues.yml
Expand Up @@ -7,6 +7,7 @@ on:

permissions:
contents: read
id-token: write

# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
Expand All @@ -17,15 +18,36 @@ defaults:
jobs:
close-issues:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
if: github.repository == 'microsoft/TypeScript'
permissions:
contents: read # Apparently required to create issues
id-token: write
issues: write

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-issues: write
- name: Close issues
env:
GH_TOKEN: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
REPO: ${{ github.repository }}
run: |
DATE=$(date --date='2 days ago' --iso-8601)
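Review bot: `id-token: write` is declared twice in this file, once in the workflow-level `permissions` and once in the `close-issues` job's own `permissions`; the job-level block replaces the workflow-level one for this job, so the top-level entry only widens the default for any job added later. I would drop the workflow-level line and keep the job-level grant, and apply the same job-level scoping in the other five workflows, where `id-token: write` is added only at the top level. Since `GH_TOKEN` is now the App token requested with `permission-issues: write`, the job's `issues: write` for the built-in token may no longer be needed; the rest of the `Close issues` script is outside the hunk, so that should be confirmed before removing it.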
36 changes: 32 additions & 4 deletions .github/workflows/create-cherry-pick-pr.yml
Expand Up @@ -34,6 +34,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})

permissions:
contents: read
id-token: write

# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
Expand All @@ -44,15 +45,42 @@ defaults:
jobs:
open-pr:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
if: github.repository == 'microsoft/TypeScript'

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/
fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none.
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}

persist-credentials: false
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
permission-issues: write
permission-pull-requests: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
id: open-pr
env:
Expand All @@ -64,7 +92,7 @@ jobs:
STATUS_COMMENT: ${{ inputs.status_comment }}
with:
retries: 3
github-token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github-token: ${{ steps.app-token.outputs.token }}
result-encoding: string
script: |
const {
Expand Down Expand Up @@ -182,7 +210,7 @@ jobs:
with:
success_comment: ${{ steps.open-pr.outputs.result }}
failure_comment: 'I was unable to cherry-pick this PR.'
github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github_token: ${{ steps.app-token.outputs.token }}
distinct_id: ${{ inputs.distinct_id }}
source_issue: ${{ inputs.source_issue }}
requesting_user: ${{ inputs.requesting_user }}
31 changes: 29 additions & 2 deletions .github/workflows/lkg.yml
Expand Up @@ -10,6 +10,7 @@ on:

permissions:
contents: read
id-token: write

# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
Expand All @@ -20,6 +21,9 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
steps:
- env:
BRANCH_NAME: ${{ inputs.branch_name }}
Expand All @@ -32,7 +36,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.branch_name }}
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
Expand All @@ -48,4 +52,27 @@ jobs:
git config user.email "typescriptbot@microsoft.com"
git config user.name "TypeScript Bot"
git commit -m 'Update LKG'
git push
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- run: git push
35 changes: 32 additions & 3 deletions .github/workflows/new-release-branch.yaml
Expand Up @@ -38,6 +38,7 @@ run-name: ${{ github.workflow }}${{ inputs.distinct_id && format(' (bot run {0})

permissions:
contents: read
id-token: write

# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
Expand All @@ -48,13 +49,16 @@ defaults:
jobs:
build:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
filter: blob:none # https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/
fetch-depth: 0 # Default is 1; need to set to 0 to get the benefits of blob:none.
token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 'lts/*'
Expand Down Expand Up @@ -85,14 +89,39 @@ jobs:
git config user.email "typescriptbot@microsoft.com"
git config user.name "TypeScript Bot"
git commit -m "Bump version to $PACKAGE_VERSION and LKG"
git push --set-upstream origin "$BRANCH_NAME"
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-contents: write
- name: Configure git for GitHub App token
shell: bash
env:
GITHUB_APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
basic_auth="$(node -e 'process.stdout.write(Buffer.from("x-access-token:" + process.env.GITHUB_APP_TOKEN).toString("base64"))')"
echo "::add-mask::$basic_auth"
git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic ${basic_auth}"
- env:
BRANCH_NAME: ${{ inputs.branch_name }}
run: git push --set-upstream origin "$BRANCH_NAME"

- uses: microsoft/typescript-bot-test-triggerer/.github/actions/post-workflow-result@master
if: ${{ !cancelled() && inputs.distinct_id }}
with:
success_comment: "I've created ${{ inputs.branch_name }} with version ${{ inputs.package_version }} for you."
failure_comment: 'I was unable to create the new release branch.'
github_token: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
github_token: ${{ steps.app-token.outputs.token }}
distinct_id: ${{ inputs.distinct_id }}
source_issue: ${{ inputs.source_issue }}
requesting_user: ${{ inputs.requesting_user }}
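Review bot: The final `post-workflow-result` step runs under `!cancelled()`, but `steps.app-token.outputs.token` is only produced after the build and commit steps, so when an earlier step fails the `failure_comment` is attempted with an empty `github_token`, where the old secret was always available. Moving `azure/login` and `Create GitHub App token` ahead of the build would restore failure reporting, at the cost of minting the token before repository scripts run; alternatively, mint a separate comment-only token in a step guarded by `if: ${{ !cancelled() }}`. The token is also requested with `permission-contents: write` only, while create-cherry-pick-pr.yml additionally requests `permission-issues` and `permission-pull-requests` before handing its token to what appears to be the same action, so the comment call may be rejected even on success. That token is handed to an action referenced as `@master` while every other `uses:` visible in this section is pinned to a commit SHA; pinning it the same way would keep a write-capable token away from a mutable ref.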
27 changes: 25 additions & 2 deletions .github/workflows/pr-modified-files.yml
Expand Up @@ -17,6 +17,7 @@ concurrency:

permissions:
contents: read
id-token: write

# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
Expand All @@ -27,17 +28,39 @@ defaults:
jobs:
manage-prs:
runs-on: ubuntu-latest
environment:
name: azure
deployment: false
if: github.repository == 'microsoft/TypeScript'

# No need to set explicit permissions; we are using typescript-bot's token, not github-actions' token.
# No need to set explicit permissions; we are using the GitHub App token, not github-actions' token.

env:
GH_TOKEN: ${{ secrets.TS_BOT_GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
REPO: ${{ github.repository }}

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
- name: Create GitHub App token
id: app-token
uses: microsoft/create-github-app-token-via-key-vault@5ba0d436e9c3cac52feff4d1f2f66f9698ce4a2d # v1
with:
client-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID }}
key-id: ${{ vars.TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID }}
owner: microsoft
repositories: TypeScript
permission-issues: write
permission-pull-requests: write
- name: Export GitHub App token
run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
- name: Check if PR author is in pr_owners.txt
id: pr_owner
run: |
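Review bot: The `Export GitHub App token` step expands `${{ steps.app-token.outputs.token }}` directly into the shell script text, whereas the other workflows in this change pass the token through `env:`; expression expansion happens before the shell parses the line, so the value becomes part of the script itself. Passing it as `env: APP_TOKEN: ${{ steps.app-token.outputs.token }}` and writing `run: echo "GH_TOKEN=$APP_TOKEN" >> "$GITHUB_ENV"` keeps the secret out of the script body. Writing to `GITHUB_ENV` also exposes the token to every later step in the job, so setting `GH_TOKEN` through `env:` only on the steps that call `gh` would be narrower; those steps continue past the end of the hunk. The retained comment "No need to set explicit permissions" now sits in a job that depends on the workflow-level `id-token: write`, so it should say that the OIDC permission is required.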