Use Az.KeyVault to get github PAT instead of pipeline variable (#22912)

* Use Az.KeyVault to get github PAT instead of pipeline variable

* Use Az.KeyVault to get github PAT instead of pipeline variable

Author: wyunchi-ms

.azure-pipelines/code-gen.yml

@@ -1,4 +1,3 @@
-# Variable 'BotAccessToken' was defined in the Variables tab
 # Multi-job configuration must be converted to matrix strategy: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml#multi-job-configuration
 parameters:
 - name: TargetBranch
@@ -31,7 +30,7 @@ jobs:
     inputs:
       command: custom
       verbose: false
-      customCommand: install -g  autorest@latest
+      customCommand: install -g autorest@latest
   - task: PowerShell@2
     displayName: Generate
     inputs:
@@ -46,6 +45,16 @@ jobs:
         }
       workingDirectory: src/${{ parameters.ServiceName }}
 
+  - task: AzurePowerShell@5
+    inputs:
+      azureSubscription: '$(AzureSubscription)'
+      ScriptType: 'InlineScript'
+      Inline: |
+        $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+        Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+      azurePowerShellVersion: 'LatestVersion'
+    displayName: Get Github PAT from Key Vault
+
   - task: PowerShell@2
     displayName: Build
     inputs:
@@ -92,7 +101,7 @@ jobs:
       git add ./src;
       git add tools/CreateMappings_rules.json;
       git commit -m "Move ${{ parameters.ServiceName }} to ${{ parameters.TargetBranch }}";
-      git remote set-url origin https://azure-powershell-bot:$(BotAccessToken)@github.com/Azure/azure-powershell.git;
+      git remote set-url origin https://azure-powershell-bot:$(GithubToken)@github.com/Azure/azure-powershell.git;
       git push origin codegen/${{ parameters.ServiceName }} --force;
     displayName: Create codegen/${{ parameters.ServiceName }} branch
   - pwsh: |
@@ -102,5 +111,5 @@ jobs:
       $SourceBranch = "$(Build.SourceBranch)"
       $SourceBranch = $BaseBranch.Replace("refs/heads/", "")
       $Description = "Migrate ${{ parameters.ServiceName }} from $SourceBranch to ${{ parameters.TargetBranch }}"
-      ./tools/Github/CreatePR.ps1 -Title $Title -HeadBranch $HeadBranch -BaseBranch $BaseBranch -BotAccessToken $(BotAccessToken) -Description $Description
+      ./tools/Github/CreatePR.ps1 -Title $Title -HeadBranch $HeadBranch -BaseBranch $BaseBranch -BotAccessToken $(GithubToken) -Description $Description
     displayName: Create PR to main branch

.azure-pipelines/code-sign.yml

@@ -12,13 +12,23 @@ jobs:
   variables:
     LocalRepoName: 'LocalRepo'
   steps:
+  - task: AzurePowerShell@5
+    inputs:
+      azureSubscription: '$(AzureSubscription)'
+      ScriptType: 'InlineScript'
+      Inline: |
+        $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+        Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+      azurePowerShellVersion: 'LatestVersion'
+    displayName: Get Github PAT from Key Vault
+
   - task: PowerShell@2
     displayName: checkout OOBbranch
     inputs:
       targetType: 'inline'
       script: |
           if ('${{ parameters.OOBBranch }}' -ne 'none') {
-            git remote set-url origin https://azure-powershell-bot:$Token@github.com/Azure/azure-powershell.git;
+            git remote set-url origin https://azure-powershell-bot:$GithubToken@github.com/Azure/azure-powershell.git;
             git fetch origin
             git checkout -b ${{ parameters.OOBBranch }} origin/${{ parameters.OOBBranch }}
           }

.azure-pipelines/security-tools.yml

@@ -38,13 +38,23 @@ jobs:
     inputs:
       targetType: inline
       script: npm install autorest@latest;$env:NODE_OPTIONS="--max-old-space-size=65536"
+
+  - task: AzurePowerShell@5
+    inputs:
+      azureSubscription: '$(AzureSubscription)'
+      ScriptType: 'InlineScript'
+      Inline: |
+        $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+        Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+      azurePowerShellVersion: 'LatestVersion'
+    displayName: Get Github PAT from Key Vault
   - task: PowerShell@2
     displayName: Build
     inputs:
       targetType: inline
       script: dotnet msbuild build.proj /t:"Build;GenerateHelp" /p:"PullRequestNumber=$(System.PullRequest.PullRequestNumber);IsSecurityCheck=true"
     env:
-      OCTOKITPAT: $(OCTOKITPAT)
+      OCTOKITPAT: $(GithubToken)
   - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
     displayName: Run CredScan
     condition: in(variables['system.pullRequest.targetBranch'], 'generation', 'main')

.azure-pipelines/sync-MSdoc.yml

@@ -15,7 +15,6 @@ trigger:
 variables:
   TargetedRepo: azure-docs-powershell
   TargetedBranchName: sync-upcoming-breaking-changes
-  GithubToken: $(GITHUB_TOKEN)
 
 jobs:
 - job: Sync
@@ -27,6 +26,15 @@ jobs:
         BranchName: ${{ variables.TargetedBranchName }}
 
   steps:
+  - task: AzurePowerShell@5
+    inputs:
+      azureSubscription: '$(AzureSubscription)'
+      ScriptType: 'InlineScript'
+      Inline: |
+        $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+        Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+      azurePowerShellVersion: 'LatestVersion'
+    displayName: Get Github PAT from Key Vault
   - task: PowerShell@2
     displayName: Sync branch
     inputs:

.azure-pipelines/sync-tools-folder.yml

@@ -29,7 +29,6 @@ trigger:
 
 variables:
   GenerationBranchName: generation
-  GithubToken: $(GITHUB_TOKEN)
 
 jobs:
 - job: Sync
@@ -41,6 +40,15 @@ jobs:
         BranchName: ${{ variables.GenerationBranchName }}
 
   steps:
+  - task: AzurePowerShell@5
+    inputs:
+      azureSubscription: '$(AzureSubscription)'
+      ScriptType: 'InlineScript'
+      Inline: |
+        $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+        Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+      azurePowerShellVersion: 'LatestVersion'
+    displayName: Get Github PAT from Key Vault
   - task: PowerShell@2
     displayName: Sync branch
     inputs:

.azure-pipelines/test-coverage.yml

@@ -123,6 +123,16 @@ jobs:
       filePath: ./tools/TestFx/Coverage/SaveTestCoverageResult.ps1
       arguments: CITest $(KustoTenantId) $(KustoServicePrincipalId) $(KustoServicePrincipalSecret) $(KustoClusterName) $(KustoClusterRegion)
 
+  - task: AzurePowerShell@5
+    inputs:
+      azureSubscription: '$(AzureSubscription)'
+      ScriptType: 'InlineScript'
+      Inline: |
+        $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+        Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+      azurePowerShellVersion: 'LatestVersion'
+    displayName: Get Github PAT from Key Vault
+
   - task: PowerShell@2
     displayName: Update Test Coverage Baseline
     condition: succeeded()
@@ -138,14 +148,14 @@ jobs:
         git config user.name "azure-powershell-bot"
         git add $blCsv
         git commit -m "Update with the latest test coverage data"
-        git remote set-url origin https://azure-powershell-bot:$(BotAccessToken)@github.com/Azure/azure-powershell.git
+        git remote set-url origin https://azure-powershell-bot:$(GithubToken)@github.com/Azure/azure-powershell.git
         git push origin testcoverage-baseline --force
 
         $title = "Update test coverage baseline"
         $headBranch = "testcoverage-baseline"
         $targetBranch = "main"
         $description = "Update with the latest test coverage baseline data"
-        ./tools/Github/CreatePR.ps1 -Title $title -HeadBranch $headBranch -BaseBranch $targetBranch -BotAccessToken $(BotAccessToken) -Description $description
+        ./tools/Github/CreatePR.ps1 -Title $title -HeadBranch $headBranch -BaseBranch $targetBranch -BotAccessToken $(GithubToken) -Description $description
 
   - task: PublishPipelineArtifact@1
     displayName: Publish Test Coverage Result

.azure-pipelines/util/analyze-steps.yml

@@ -28,6 +28,16 @@ steps:
       tar -xvzf "Az-Cmdlets-latest/Az-Cmdlets-latest.tar.gz" -C "Az-Cmdlets-latest"
       . Az-Cmdlets-latest/InstallModule.ps1
     pwsh: true
+
+- task: AzurePowerShell@5
+  inputs:
+    azureSubscription: '$(AzureSubscription)'
+    ScriptType: 'InlineScript'
+    Inline: |
+      $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+      Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+    azurePowerShellVersion: 'LatestVersion'
+  displayName: Get Github PAT from Key Vault
 
 - task: DotNetCoreCLI@2
   displayName: 'Generate Help'
@@ -36,7 +46,7 @@ steps:
     custom: msbuild
     arguments: 'build.proj /t:GenerateHelp /p:Configuration=${{ parameters.configuration }};PullRequestNumber=$(System.PullRequest.PullRequestNumber)'
   env:
-      OCTOKITPAT: $(OCTOKITPAT)
+      OCTOKITPAT: $(GithubToken)
       PowerShellPlatform: ${{ parameters.powerShellPlatform }}
 
 - task: DotNetCoreCLI@2
@@ -46,7 +56,7 @@ steps:
     custom: msbuild
     arguments: 'build.proj /t:StaticAnalysis /p:Configuration=${{ parameters.configuration }};PullRequestNumber=$(System.PullRequest.PullRequestNumber)'
   env:
-      OCTOKITPAT: $(OCTOKITPAT)
+      OCTOKITPAT: $(GithubToken)
       IsGenerateBased: ${{ parameters.IsGenerateBased }}
 
 - template: publish-artifacts-steps.yml

.azure-pipelines/util/build-steps.yml

@@ -28,6 +28,15 @@ steps:
   inputs:
     packageType: sdk
     version: 6.0.x
+- task: AzurePowerShell@5
+  inputs:
+    azureSubscription: '$(AzureSubscription)'
+    ScriptType: 'InlineScript'
+    Inline: |
+      $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+      Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+    azurePowerShellVersion: 'LatestVersion'
+  displayName: Get Github PAT from Key Vault
 
 - task: DotNetCoreCLI@2
   displayName: Build
@@ -36,7 +45,7 @@ steps:
     custom: msbuild
     arguments: 'build.proj /t:Build /p:Configuration=${{ parameters.configuration }};TestFramework=${{ parameters.testFramework }};PullRequestNumber=$(System.PullRequest.PullRequestNumber)'
   env:
-      OCTOKITPAT: $(OCTOKITPAT)
+      OCTOKITPAT: $(GithubToken)
       PowerShellPlatform: ${{ parameters.powerShellPlatform }}
 
 - task: PowerShell@2

.azure-pipelines/util/test-steps.yml

@@ -16,6 +16,16 @@ steps:
     packageType: sdk
     version: 6.0.x
 
+- task: AzurePowerShell@5
+  inputs:
+    azureSubscription: '$(AzureSubscription)'
+    ScriptType: 'InlineScript'
+    Inline: |
+      $GithubToken = Get-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name $(KeyVaultAccount) -AsPlainText
+      Write-Host "##vso[task.setvariable variable=GithubToken;issecret=true]$GithubToken"
+    azurePowerShellVersion: 'LatestVersion'
+  displayName: Get Github PAT from Key Vault
+
 - task: PowerShell@2
   displayName: Remove pre-installed Az modules
   inputs:
@@ -30,7 +40,7 @@ steps:
     custom: msbuild
     arguments: 'build.proj /t:${{ parameters.testTarget }} /p:Configuration=${{ parameters.configuration }};TestFramework=${{ parameters.testFramework }};PullRequestNumber=$(System.PullRequest.PullRequestNumber)'
   env:
-    OCTOKITPAT: $(OCTOKITPAT)
+    OCTOKITPAT: $(GithubToken)
     PowerShellPlatform: ${{ parameters.powerShellPlatform }}
   continueOnError: true
 

.azure-pipelines/ux-portal.yml

@@ -1,4 +1,3 @@
-# Variable 'BotAccessToken' was defined in the Variables tab
 # Multi-job configuration must be converted to matrix strategy: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml#multi-job-configuration
 parameters: 
 - name: AzurePowerShellVersion