ADO: Change full checkout persistCredentials default to false
A change in beachball behavior means we need to make sure we have (the
right) credentials ready to run beachball commands in our various ADO
pipelines.

I made some temporary workarounds to unblock pipelines:

- [Add persistCredentials: true to
  checkout](ba5b008)
- [Update publish.yml to not set credentials until after running
  credscan](19ef068)
- [Parameterize persistCredentials, default to
  true](462407c)
- [Update publish.yml to not persist
  credentials](8f60783)

This PR updates our pipelines to use the most appropriate credentials
for the tasks they need to run.

- Bug fix (non-breaking change which fixes an issue)

The temporary workarounds made **all** "full checkouts" in ADO persist
the credentials used to check out the repo, but that will override using
any other credentials later in the pipeline.

In the case of publish, we actually need rnbot's admin credentials, so
the publish pipeline reverts to the previous behavior of no longer
persisting creds at checkout and instead configuring for rnbot's creds.

However, many other tasks do trivial/temporary local repo operations
using rnbot's credentials. This is an unnecessary (and potentially
risky) elevation that we shouldn't do anymore.

This PR sets "full checkouts" back to not persisting credentials by
default, because most tasks don't need them. Then, in the places where
we do need credentials for later git/beachball commands, we choose from
this prioritized list:

1. If possible, set `persistCredentials` to `true`, and use the
   (less-powerful) credentials
2. Otherwise, and only if the tasks require it, continue using rnbot's
   credentials

N/A

If you added tests that prove your changes are effective or that your
feature works, add a few sentences here detailing the added test
scenarios.
jonthysell committed Sep 12, 2022
1 parent c767e45 commit 3594cd3
Showing 5 changed files with 6 additions and 6 deletions.
2 changes: 0 additions & 2 deletions .ado/integrate-rn.yaml
Expand Up @@ -24,8 +24,6 @@ jobs:
steps:
- template: templates/checkout-full.yml

- template: templates/configure-git.yml

- template: templates/prepare-js-env.yml

- script: git checkout -b integrate-${{ parameters.reactNativeVersion }} origin/main
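
Review bot: after dropping `templates/configure-git.yml`, this job relies on the new `checkout-full.yml` default without saying so, unlike the other callers in this commit, which pass `persistCredentials` with a comment. The visible `git checkout -b integrate-${{ parameters.reactNativeVersion }} origin/main` is a local operation and needs no credentials, but the rest of the job is collapsed here; if a later step pushes the branch or runs a beachball command against the remote, it will now have neither rnbot's credentials nor the checkout credentials. Suggest passing `persistCredentials` explicitly on the `checkout-full.yml` step with a one-line comment stating the value and the reason.
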
4 changes: 2 additions & 2 deletions .ado/jobs/cli-init.yml
Expand Up @@ -333,8 +333,8 @@ jobs:

steps:
- template: ../templates/checkout-full.yml

- template: ../templates/configure-git.yml
parameters:
persistCredentials: false # We don't need git creds in this job

- template: ../templates/prepare-js-env.yml
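
Review bot: `persistCredentials: false` on the `checkout-full.yml` step repeats the new template default. Keeping it is reasonable because it pins this job against a future change of the default, but then every caller should use the same explicit form so that the absence of the parameter never carries meaning. With `../templates/configure-git.yml` removed as well, please confirm that no later step in this job runs a git command that needs credentials.
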

2 changes: 2 additions & 0 deletions .ado/jobs/setup.yml
Expand Up @@ -14,6 +14,8 @@ jobs:

steps:
- template: ../templates/checkout-full.yml
parameters:
persistCredentials: true # Git creds needed for beachball

- powershell: gci env:/BUILD_*
displayName: Show build information
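
Review bot: `persistCredentials: true` leaves the checkout token in the local git config for every later step of this job, not only the beachball call, so the comment `# Git creds needed for beachball` should name the beachball command that needs it. That lets a later reader tell when the setting can be dropped, and it makes clear that the less-powerful checkout credentials are sufficient here, as the commit message's prioritized list intends.
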
2 changes: 1 addition & 1 deletion .ado/publish.yml
Expand Up @@ -56,7 +56,7 @@ jobs:
- template: templates/checkout-full.yml
parameters:
persistCredentials: false # We're going to use rnbot's credentials to publish
persistCredentials: false # We're going to use rnbot's git creds to publish

- powershell: gci env:/BUILD_*
displayName: Show build information
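
Review bot: the comment on `persistCredentials: false` says rnbot's git creds will be used, but nothing in this hunk shows where they are configured. Because the checkout leaves no credentials behind, any git or beachball step that runs before that configuration has no credentials for the remote; suggest the comment point to the step or template that sets up rnbot's credentials so the ordering dependency is visible.
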
2 changes: 1 addition & 1 deletion .ado/templates/checkout-full.yml
Expand Up @@ -4,7 +4,7 @@
parameters:
- name: persistCredentials
type: boolean
default: true
default: false # Make callers explicitly request credentials if they need them

steps:
- checkout: self
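
Review bot: changing `default` to `false` alters behaviour for every caller of `checkout-full.yml` that omits `persistCredentials`, and only four callers are updated in this commit. Please confirm that a search for `checkout-full.yml` across the pipeline definitions finds no other caller that runs git or beachball commands against the remote after checkout. The `- checkout: self` step is cut off in this hunk, so it is also worth confirming that it passes the parameter through to the step's `persistCredentials` setting.
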
