Add github app/azure keyvault auth helper#1316
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds a heavily modified fork of microsoft/create-github-app-token-via-key-vault into beachball as a standalone, copy-pastable github-app-token CLI. It mints (and revokes) GitHub App installation tokens by signing the app JWT with an Azure Key Vault key via the Azure CLI, so the app's private key never needs to be stored as a CI secret. It fits into beachball's CI-integration story as an alternative way to obtain a short-lived, repo-scoped token for beachball publish on any CI platform. To ship it, the build tooling is extended to emit an explicit .mjs bundle, and the docs are updated.
Changes:
- New
src/githubAuth/module: token creation/revocation helpers, Azure CLI signing, request/retry helpers, a commander-based CLI (create/revoke), types, tests, and a README. - Build tooling:
bundleNode.tsnow accepts entry/out args and emits.mjsfor non-action packages; a patched@ms-cloudpack/esbuild-node-helpersallows overriding externals;distis added to beachball's publishedfiles;undiciadded as a dev dependency for test mocking. - Docs:
ci-integration.mdupdated to point at the new helper;esrp-npm-releasedependency reclassification.
Reviewed changes
Copilot reviewed 24 out of 25 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
packages/beachball/src/githubAuth/createAppTokenHelper.ts |
Core JWT creation, installation discovery, token minting, and caching |
packages/beachball/src/githubAuth/signWithAzureCli.ts |
Shells out to az keyvault key sign (RS256) to sign the JWT |
packages/beachball/src/githubAuth/requestHelpers.ts |
fetch wrappers, GitHub headers, and transient retry logic |
packages/beachball/src/githubAuth/revokeAppToken.ts |
Revokes an installation token via DELETE /installation/token |
packages/beachball/src/githubAuth/validationHelpers.ts |
Permission/repository parsing and validation helpers |
packages/beachball/src/githubAuth/appTokenCli.ts |
Commander CLI wiring for create/revoke |
packages/beachball/src/githubAuth/appTokenBin.ts |
Bin entry that runs the CLI and formats errors |
packages/beachball/src/githubAuth/types.ts |
Shared interfaces for options and tokens |
packages/beachball/src/githubAuth/README.md |
Usage docs (has a token vs create command mismatch) |
packages/beachball/src/__tests__/githubAuth/* |
Unit tests + undici-based mock helpers |
packages/beachball/src/env.ts |
Exposes isAzurePipelines on env |
scripts/bundleNode.ts |
Parametrized entry/out and .mjs output (regresses esrp-npm-release) |
packages/beachball/package.json |
Adds bundle script, dist to files, undici dev dep |
scripts/package.json / .yarn/patches/...patch / .prettierrc.json5 |
Patches esbuild helper to allow overriding externals |
packages/esrp-npm-release/package.json |
Moves runtime deps from devDependencies to dependencies |
docs/concepts/ci-integration.md |
Documents the new helper as a token option |
yarn.lock |
Lockfile updates for the patch and undici |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Add a heavily modified fork of the https://github.com/microsoft/create-github-app-token-via-key-vault CLI and internal APIs. See
packages/beachball/src/githubAuth/README.mdfor how it works.This functionality will be integrated into the core of Beachball in a separate PR. I'm not sure if the CLI will continue to exist, so I didn't make a
binentry for it--currently it's designed to be run by path or have its bundle copy-pasted between repos. In theory it should exist as a standalone published package, but a new package is more overhead since beachball doesn't have a scope.