Update application to support secretless auth

Update the SeQuester C# application to support secretless authentication.

Author: BillWagner

actions/sequester/ImportIssues/Program.cs

@@ -104,11 +104,21 @@ private static async Task<QuestGitHubService> CreateService(ImportOptions option
         {
             Console.WriteLine("Warning: Imported work items won't be assigned based on GitHub assignee.");
         }
+        bool useBearerToken = (options.ApiKeys.QuestAccessToken is not null);
+        string? token = useBearerToken ?
+            options.ApiKeys.QuestAccessToken :
+            options.ApiKeys.QuestKey;
+
+        if (string.IsNullOrWhiteSpace(token))
+        {
+            throw new InvalidOperationException("Azure DevOps token is missing.");
+        }
 
         return new QuestGitHubService(
                 gitHubClient,
                 ospoClient,
-                options.ApiKeys.QuestKey,
+                token,
+                useBearerToken,
                 options.AzureDevOps.Org,
                 options.AzureDevOps.Project,
                 options.AzureDevOps.AreaPath,

actions/sequester/Quest2GitHub/AzDoClientServices/QuestClient.cs

@@ -1,4 +1,5 @@
-using Polly;
+using System.Net.Http;
+using Polly;
 using Polly.Contrib.WaitAndRetry;
 using Polly.Retry;
 
@@ -35,14 +36,16 @@ public sealed class QuestClient : IDisposable
     /// <param name="token">The personal access token</param>
     /// <param name="org">The Azure DevOps organization</param>
     /// <param name="project">The Azure DevOps project</param>
-    public QuestClient(string token, string org, string project)
+    /// <param name="useBearerToken">True to use a just in time bearer token, false assumes PAT</param>
+    public QuestClient(string token, string org, string project, bool useBearerToken)
     {
         QuestOrg = org;
         QuestProject = project;
         _client = new HttpClient();
         _client.DefaultRequestHeaders.Accept.Add(
             new MediaTypeWithQualityHeaderValue(MediaTypeNames.Application.Json));
-        _client.DefaultRequestHeaders.Authorization =
+        _client.DefaultRequestHeaders.Authorization = useBearerToken ?
+            new AuthenticationHeaderValue("Bearer", token) :
             new AuthenticationHeaderValue("Basic",
                 Convert.ToBase64String(Encoding.ASCII.GetBytes($":{token}")));
 

actions/sequester/Quest2GitHub/Options/ApiKeys.cs

@@ -36,6 +36,18 @@ public sealed record class ApiKeys
     /// </remarks>
     public string? AzureAccessToken { get; init; }
 
+    /// <summary>
+    /// The client ID for identifying this app with AzureDevOps.
+    /// </summary>
+    /// <remarks>
+    /// Assign this from an environment variable with the following key, <c>ImportOptions__ApiKeys__AzureAccessToken</c>:
+    /// <code>
+    /// env:
+    ///   ImportOptions__ApiKeys__QuestAccessToken: ${{ secrets.QUEST_ACCESS_TOKEN }}
+    /// </code>
+    /// </remarks>
+    public string? QuestAccessToken { get; init; }
+
     /// <summary>
     /// The Azure DevOps API key.
     /// </summary>

actions/sequester/Quest2GitHub/Options/EnvironmentVariableReader.cs

@@ -5,7 +5,8 @@ internal sealed class EnvironmentVariableReader
     internal static ApiKeys GetApiKeys()
     {
         var githubToken = CoalesceEnvVar(("ImportOptions__ApiKeys__GitHubToken", "GitHubKey"));
-        var questKey = CoalesceEnvVar(("ImportOptions__ApiKeys__QuestKey", "QuestKey"));
+        // This is optional so that developers can run the app locally without setting up the devOps token.
+        var questToken = CoalesceEnvVar(("ImportOptions__ApiKeys__QuestAccessToken", "QuestAccessToken"), false);
 
         // These keys are used when the app is run as an org enabled action. They are optional. 
         // If missing, the action runs using repo-only rights.
@@ -14,11 +15,15 @@ internal static ApiKeys GetApiKeys()
 
         var azureAccessToken = CoalesceEnvVar(("ImportOptions__ApiKeys__AzureAccessToken", "AZURE_ACCESS_TOKEN"), false);
 
+        // This key is the PAT for Quest access. It's now a legacy key. Secretless should be better.
+        var questKey = CoalesceEnvVar(("ImportOptions__ApiKeys__QuestKey", "QuestKey"), false);
+
         if (!int.TryParse(appIDString, out int appID)) appID = 0;
 
         return new ApiKeys()
         {
             GitHubToken = githubToken,
+            QuestAccessToken =  questToken,
             AzureAccessToken = azureAccessToken,
             QuestKey = questKey,
             SequesterPrivateKey = oauthPrivateKey,

actions/sequester/Quest2GitHub/QuestGitHubService.cs

@@ -31,6 +31,7 @@ public class QuestGitHubService(
     IGitHubClient ghClient,
     OspoClient? ospoClient,
     string azdoKey,
+    bool useBearerToken,
     string questOrg,
     string questProject,
     string areaPath,
@@ -41,7 +42,7 @@ public class QuestGitHubService(
     IEnumerable<LabelToTagMap> tagMap) : IDisposable
 {
     private const string LinkedWorkItemComment = "Associated WorkItem - ";
-    private readonly QuestClient _azdoClient = new(azdoKey, questOrg, questProject);
+    private readonly QuestClient _azdoClient = new(azdoKey, questOrg, questProject, useBearerToken);
     private readonly OspoClient? _ospoClient = ospoClient;
     private readonly string _questLinkString = $"https://dev.azure.com/{questOrg}/{questProject}/_workitems/edit/";