Remove GitHub Token From CI Pipeline (Azure#26602)

Remove GitHub Token From CI Pipeline

Author: YanaXu

.azure-pipelines/security-tools.yml

@@ -19,7 +19,7 @@ jobs:
   steps:
   - checkout: self
     fetchTags: false
-  - template: util/get-github-pat-steps.yml
+  - template: util/get-pr-changed-files.yml
   - task: PowerShell@2
     displayName: Install platyPS
     inputs:
@@ -43,8 +43,6 @@ jobs:
     inputs:
       targetType: inline
       script: dotnet msbuild build.proj /t:"Build;GenerateHelp" /p:"PullRequestNumber=$(System.PullRequest.PullRequestNumber);IsSecurityCheck=true"
-    env:
-      OCTOKITPAT: $(GithubToken)
   - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
     displayName: Run CredScan
     inputs:

.azure-pipelines/util/build-steps.yml

@@ -5,8 +5,7 @@ parameters:
 
 steps:
 - checkout: self
-  persistCredentials: true
-- template: get-github-token-steps.yml
+- template: get-pr-changed-files.yml
 - task: NodeTool@0
   condition: eq(variables.IsGenerateBased, true)
   displayName: Install Autorest
@@ -39,7 +38,6 @@ steps:
     custom: msbuild
     arguments: 'build.proj /t:Build /p:Configuration=${{ parameters.configuration }};TestFramework=${{ parameters.testFramework }};PullRequestNumber=$(System.PullRequest.PullRequestNumber)'
   env:
-      OCTOKITPAT: $(GithubToken)
       PowerShellPlatform: ${{ parameters.powerShellPlatform }}
 
 - task: PowerShell@2

.azure-pipelines/util/get-pr-changed-files.yml

@@ -0,0 +1,24 @@
+steps:
+- task: PowerShell@2
+  displayName: List PR Changed Files
+  inputs:
+    targetType: inline
+    pwsh: true
+    script: |
+      # refer to https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#system-variables-devops-services
+      # get the target branch name
+      $targetBranch = $(System.PullRequest.TargetBranch)
+      # fetch the targetBranch from origin to local branch and rename the branch to 'origin/base'
+      git fetch --no-tags origin "${targetBranch}:origin/base"
+      # refer to https://git-scm.com/docs/git-diff
+      # compare the pr and targetBranch branch, get the changed file list
+      # diff-filter options are ACMRT, which are: Added, Copied, Modified, Renamed , Changed
+      $changedFiles = git --no-pager diff --name-only --diff-filter=ACMRT origin/base -- .
+      Write-Host "Total updated files:" $changedFiles.Count
+      Write-Host "All Updated files:"
+      $changedFiles | Foreach-Object {Write-Host $_}
+      $RepoArtifacts = 'artifacts'
+      if(-not (Test-Path $RepoArtifacts)){
+        New-Item -ItemType Directory -Name $RepoArtifacts
+      }
+      $changedFiles | Out-File $RepoArtifacts/FilesChanged.txt

build.proj

@@ -106,7 +106,6 @@
   <UsingTask Condition="$(OnPremiseBuild)" TaskName="CorporateValidation" AssemblyFile="$(CIToolsPath)/Microsoft.WindowsAzure.Tools.Build.Tasks.OnPremise.dll" />
   <Import Condition="$(OnPremiseBuild)" Project="$(CIToolsPath)/Microsoft.WindowsAzure.Build.OnPremise.msbuild" />
   <UsingTask TaskName="ESRPSignTask" AssemblyFile="$(CISignRepoPath)/tools/sdkbuildtools/tasks/MS.Az.Sdk.OnPremise.Build.Tasks.dll" />
-  <UsingTask TaskName="FilesChangedTask" AssemblyFile="$(RepoArtifacts)Microsoft.Azure.Build.Tasks/Microsoft.Azure.Build.Tasks.dll" />
   <UsingTask TaskName="CIFilterTask" AssemblyFile="$(RepoArtifacts)Microsoft.Azure.Build.Tasks/Microsoft.Azure.Build.Tasks.dll" />
 
   <Target Name="Clean">
@@ -131,16 +130,11 @@
     <!-- Build the Microsoft.Azure.Build.Tasks project -->
     <Exec Command="dotnet publish $(RepoTools)BuildPackagesTask/Microsoft.Azure.Build.Tasks/Microsoft.Azure.Build.Tasks.csproj -c $(Configuration)" />
 
-    <!-- Get all of the files changed in the given pull request -->
-    <FilesChangedTask RepositoryOwner="Azure" RepositoryName="azure-powershell" PullRequestNumber="$(PullRequestNumber)"  OutputFile="$(RepoArtifacts)FilesChanged.txt">
-      <Output TaskParameter="FilesChanged" ItemName="FilesChanged" />
-    </FilesChangedTask>
-
     <Exec Command="$(PowerShellCoreCommandPrefix) &quot;$(RepoTools)PrepareAutorestModule.ps1&quot;" Condition="'$(IsGenerateBased)' == 'true'"/>
     <Exec Command="$(PowerShellCoreCommandPrefix) &quot;$(RepoTools)CreateFilterMappings.ps1&quot;" />
     <Exec Command="$(PowerShellCoreCommandPrefix) &quot;$(RepoTools)PrepareForSecurityCheck.ps1&quot;" Condition="'$(IsSecurityCheck)' == 'true'"/>
 
-    <CIFilterTask FilesChanged="@(FilesChanged)" Mode="$(Configuration)" CsprojMapFilePath="./CsprojMappings.json">
+    <CIFilterTask FilesChangedFile="$(RepoArtifacts)FilesChanged.txt" Mode="$(Configuration)" CsprojMapFilePath="./CsprojMappings.json">
       <Output TaskParameter="BuildCsprojList" ItemName="BuildCsprojList" />
       <Output TaskParameter="TestCsprojList" ItemName="TestCsprojList" />
       <Output TaskParameter="SubTasks" PropertyName="SubTasks" />
@@ -341,4 +335,4 @@ $(RepoArtifacts)$(Configuration)/**/Microsoft.Azure.PowerShell.Authenticators.dl
     <SetEnvVar EnvName="SignedMsiDir" EnvValue="$(SignedOutputRootDir)" />
   </Target>
 
-</Project>
+</Project>

tools/BuildPackagesTask/Microsoft.Azure.Build.Tasks/CIFilterTask.cs

@@ -32,10 +32,15 @@ namespace Microsoft.WindowsAzure.Build.Tasks
     public class CIFilterTask : Task
     {
         /// <summary>
-        /// Gets or sets the files changed in a given pull request.
+        /// Gets or set the OutputFile, store FilesChanged.txt in 'artifacts' folder
         /// </summary>
         [Required]
-        public string[] FilesChanged { get; set; }
+        public string FilesChangedFile { get; set; }
+
+        /// <summary>
+        /// Changed File List
+        /// </summary>
+        private string[] FilesChanged { get; set; }
 
         /// <summary>
         /// Gets or set the Mode, e.g. Release
@@ -186,7 +191,7 @@ private string ProcessSinglePattern(string pattern)
         private Dictionary<string, HashSet<string>> CalculateInfluencedModuleInfoForEachPhase(List<(Regex, List<string>)> ruleList, Dictionary<string, string[]> csprojMap)
         {
             Dictionary<string, HashSet<string>> influencedModuleInfo = new Dictionary<string, HashSet<string>>();
-
+			
             foreach (string filePath in FilesChanged)
             {
                 List<string> phaseList = new List<string>();
@@ -422,6 +427,7 @@ public override bool Execute()
             SubTasks = "";
             var csprojMap = ReadMapFile(CsprojMapFilePath, "CsprojMapFilePath");
 
+            FilesChanged = File.ReadAllLines(FilesChangedFile);
             Console.WriteLine(string.Format("FilesChanged: {0}", FilesChanged.Length));
             if (FilesChanged != null)
             {