ADO: Change full checkout persistCredentials default back to false #10553

Merged
merged 1 commit into from
Sep 13, 2022

Commits on Sep 12, 2022

  1. ADO: Change full checkout persistCredentials default to false

    A change in beachball behavior means we need to make sure we have (the
    right) credentials ready to run beachball commands in our various ADO
    pipelines.
    
    I made some temporary workarounds to unblock pipelines:
    
    - [Add persistCredentials: true to
      checkout](microsoft@ba5b008)
    - [Update publish.yml to not set credentials until after running
      credscan](microsoft@19ef068)
    - [Parameterize persistCredentials, default to
      true](microsoft@462407c)
    - [Update publish.yml to not persist
      credentials](microsoft@8f60783)
    
    This PR updates our pipelines to use the most appropriate credentials
    for the tasks they need to run.
    
    - Bug fix (non-breaking change which fixes an issue)
    
    The temporary workarounds made **all** "full checkouts" in ADO persist
    the credentials used to check out the repo, but that will override using
    any other credentials later in the pipeline.
    
    In the case of publish, we actually need rnbot's admin credentials, so
    the publish pipeline reverts to the previous behavior of no longer
    persisting creds at checkout and instead configuring for rnbot's creds.
    
    However, many other tasks do trivial/temporary local repo operations
    using rnbot's credentials. This is an unnecessary (and potentially
    risky) elevation that we shouldn't do anymore.
    
    This PR sets "full checkouts" back to not persisting credentials by
    default, because most tasks don't need them. Then, in the places where
    we do need credentials for later git/beachball commands, we choose from
    this prioritized list:
    
    1. If possible, set `persistCredentials` to `true`, and use the
       (less-powerful) credentials
    2. Otherwise, and only if the tasks require it, continue using rnbot's
       credentials
    
    N/A
    
    If you added tests that prove your changes are effective or that your
    feature works, add a few sentences here detailing the added test
    scenarios.
    jonthysell committed Sep 12, 2022
    3594cd3
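
A check a pipeline step could run after checkout to confirm that the working copy matches the `persistCredentials` setting the commit message describes. This is an added example, not code from this PR or repository; it assumes the agent stores a persisted token in the clone's `.git/config` as an `http.<url>.extraheader` AUTHORIZATION entry, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the PR. Assumption: a checkout with
# persistCredentials: true leaves the token in .git/config as an
# http "extraheader" AUTHORIZATION entry; with false, nothing remains.

# has_persisted_creds CONFIG_FILE
# Returns 0 if the git config file holds a stored credential,
# 1 if it does not, 2 if the file cannot be read.
has_persisted_creds() {
    cfg=$1
    [ -r "$cfg" ] || return 2
    # Token stored as a header that git sends on every HTTP request.
    if grep -Eiq '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*authorization:' "$cfg"; then
        return 0
    fi
    # Token embedded in a remote URL (https://user:secret@host/...).
    if grep -Eiq '^[[:space:]]*(url|pushurl)[[:space:]]*=[[:space:]]*https?://[^/@[:space:]]+:[^/@[:space:]]+@' "$cfg"; then
        return 0
    fi
    return 1
}

# audit_checkout REPO_DIR [none|persisted]
# Compares what is on disk with what the job expects; "none" is the
# default, matching the persistCredentials: false default.
audit_checkout() {
    repo=$1
    expected=${2:-none}
    rc=0
    has_persisted_creds "$repo/.git/config" || rc=$?
    case "$rc:$expected" in
        0:persisted|1:none)
            echo "OK: $repo credential state is '$expected'"
            return 0 ;;
        0:none)
            echo "FAIL: $repo has persisted credentials, none expected" >&2
            return 1 ;;
        1:persisted)
            echo "FAIL: $repo has no persisted credentials, later git commands will not authenticate" >&2
            return 1 ;;
        *)
            echo "ERROR: cannot read $repo/.git/config" >&2
            return 2 ;;
    esac
}
```

Call it as `audit_checkout "$PWD"` in jobs that keep the default, and as `audit_checkout "$PWD" persisted` in jobs that opt in.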