Replace PAT with job access token to improve security. (#25006)

vidai-msft · web-flow · commit aa7fa33dd61d · 2024-05-29T14:21:25.000+08:00
* Replace PAT with job access token to improve security.

* Terminate the process when wiki content cannot be retrieved.

* Add null check for contacts list
diff --git a/.azure-pipelines/sync-aliases.yml b/.azure-pipelines/sync-aliases.yml
@@ -6,34 +6,38 @@ schedules:
     include:
     - main
 
+# The 'resources' and 'uses' below are used to resolve the error 'Repository associated with wiki ID <WikiId> does not exist or you do not have permissions for the operation you are attempting.'
+resources:
+  repositories:
+  - repository: ServiceContactList
+    type: git
+    name: internal.wiki
+
 jobs:
 - job: UpdateYaml
   displayName: Update resourceManagement.yml
   pool: pool-windows-2019
+  uses:
+    repositories:
+    - ServiceContactList
 
   steps:
   - task: UseDotNet@2
     displayName: Install .NET 8 SDK
     inputs:
       packageType: sdk
       version: 8.0.x
-  - template: util/get-github-pat-steps.yml
 
   - pwsh: |
       dotnet --version
       dotnet new tool-manifest --force
       dotnet tool install powershell --version 7.4.*
     displayName: Install PowerShell 7.4.x
 
-  - template: util/get-keyvault-secret-steps.yml
-    parameters:
-      serviceConnectionName: $(AzureSubscription)
-      keyVaultName: $(KeyVaultName)
-      secretName: $(ADOTokenName)
-      outVar: 'ADOToken'
-
   - pwsh: |
-      dotnet tool run pwsh -NoLogo -NoProfile -NonInteractive -File "./tools/Github/ParseServiceContactsList.ps1 -ADOToken $(ADOToken)"
+      dotnet tool run pwsh -NoLogo -NoProfile -NonInteractive -File "./tools/Github/ParseServiceContactsList.ps1 -AccessToken $env:SYSTEM_ACCESSTOKEN"
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
     displayName: Update resourceManagement.yml file locally
 
   - pwsh: |
@@ -47,6 +51,8 @@ jobs:
       }
     displayName: Check if Wiki table has any changes
 
+  - template: util/get-github-pat-steps.yml
+
   - pwsh: |
       git config --global user.email "65331932+azure-powershell-bot@users.noreply.github.com"
       git config --global user.name "azure-powershell-bot"
diff --git a/tools/Github/ParseServiceContactsList.ps1 b/tools/Github/ParseServiceContactsList.ps1
@@ -19,7 +19,7 @@
 #>
 param(
     [Parameter(Mandatory = $true)]
-    [string]$ADOToken
+    [string] $AccessToken
 )
 
 function InitializeRequiredPackages {
@@ -37,7 +37,6 @@ function InitializeRequiredPackages {
     $requiredPackages = @(
         @{ PackageName = "Newtonsoft.Json"; PackageVersion = "13.0.2"; DllName = "Newtonsoft.Json.dll" },
         @{ PackageName = "YamlDotNet"; PackageVersion = "13.2.0"; DllName = "YamlDotNet.dll" }
-
     )
 
     $requiredPackages | ForEach-Object {
@@ -51,71 +50,73 @@ function InitializeRequiredPackages {
 
 # get wiki content
 $username = ""
-$password = $ADOToken
+$password = $AccessToken
 $pair = "{0}:{1}" -f ($username, $password)
 $bytes = [System.Text.Encoding]::ASCII.GetBytes($pair)
 $token = [System.Convert]::ToBase64String($bytes)
 $headers = @{
     Authorization = "Basic {0}" -f ($token)
 }
 
-$response = Invoke-RestMethod 'https://dev.azure.com/azclitools/internal/_apis/wiki/wikis/internal.wiki/pages?path=/Service%20Contact%20List&includeContent=true' -Headers $headers
+$response = Invoke-RestMethod 'https://dev.azure.com/azclitools/internal/_apis/wiki/wikis/internal.wiki/pages?path=/Service%20Contact%20List&includeContent=true' -Headers $headers -ErrorAction Stop
 $contactsList = ($response.content -split "\n") | Where-Object { $_ -like '|*' } | Select-Object -Skip 2
 
-$idxServiceTeamLabel = 2
-$idxPSNotifyGithubHandler = 6
-$serviceContacts = [System.Collections.Generic.SortedList[System.String, PSCustomObject]]::new()
-
-foreach ($contacts in $contactsList) {
-    $items = $contacts -split "\|"
-    $colServiceTeamLabel = $items[$idxServiceTeamLabel]
-    if (![string]::IsNullOrWhiteSpace($colServiceTeamLabel)) {
-        $serviceTeamLabel = $colServiceTeamLabel.Trim()
-        $colPSNotifyGithubHandler = $items[$idxPSNotifyGithubHandler]
-
-        if (![string]::IsNullOrWhiteSpace($colPSNotifyGithubHandler)) {
-            $psNotifyGithubHandler = $colPSNotifyGithubHandler.Trim()
-            [array]$mentionees = $psNotifyGithubHandler.Split(",", [StringSplitOptions]::RemoveEmptyEntries) | ForEach-Object {
-                $_.Trim()
-            }
-
-            $serviceContacts.Add($serviceTeamLabel, [PSCustomObject]@{
-                if   = @(
-                    [PSCustomObject]@{
-                        or  = @(
-                            [PSCustomObject]@{
-                                labelAdded = [PSCustomObject]@{
-                                    label = 'Service Attention'
-                                }
-                            },
-                            [PSCustomObject]@{
-                                labelAdded = [PSCustomObject]@{
-                                    label = $serviceTeamLabel
+if ($null -ne $contactsList) {
+    $idxServiceTeamLabel = 2
+    $idxPSNotifyGithubHandler = 6
+    $serviceContacts = [System.Collections.Generic.SortedList[System.String, PSCustomObject]]::new()
+
+    foreach ($contacts in $contactsList) {
+        $items = $contacts -split "\|"
+        $colServiceTeamLabel = $items[$idxServiceTeamLabel]
+        if (![string]::IsNullOrWhiteSpace($colServiceTeamLabel)) {
+            $serviceTeamLabel = $colServiceTeamLabel.Trim()
+            $colPSNotifyGithubHandler = $items[$idxPSNotifyGithubHandler]
+
+            if (![string]::IsNullOrWhiteSpace($colPSNotifyGithubHandler)) {
+                $psNotifyGithubHandler = $colPSNotifyGithubHandler.Trim()
+                [array]$mentionees = $psNotifyGithubHandler.Split(",", [StringSplitOptions]::RemoveEmptyEntries) | ForEach-Object {
+                    $_.Trim()
+                }
+
+                $serviceContacts.Add($serviceTeamLabel, [PSCustomObject]@{
+                    if   = @(
+                        [PSCustomObject]@{
+                            or  = @(
+                                [PSCustomObject]@{
+                                    labelAdded = [PSCustomObject]@{
+                                        label = 'Service Attention'
+                                    }
+                                },
+                                [PSCustomObject]@{
+                                    labelAdded = [PSCustomObject]@{
+                                        label = $serviceTeamLabel
+                                    }
                                 }
+                            )
+                        },
+                        [PSCustomObject]@{
+                            hasLabel = [PSCustomObject]@{
+                                label = 'Service Attention'
+                            }
+                        },
+                        [PSCustomObject]@{
+                            hasLabel = [PSCustomObject]@{
+                                label = $serviceTeamLabel
                             }
-                        )
-                    },
-                    [PSCustomObject]@{
-                        hasLabel = [PSCustomObject]@{
-                            label = 'Service Attention'
-                        }
-                    },
-                    [PSCustomObject]@{
-                        hasLabel = [PSCustomObject]@{
-                            label = $serviceTeamLabel
                         }
-                    }
-                )
-                then = @(
-                    [PSCustomObject]@{
-                        mentionUsers = [PSCustomObject]@{
-                            mentionees       = $mentionees
-                            replyTemplate    = 'Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.'
-                            assignMentionees = 'False'
+                    )
+                    then = @(
+                        [PSCustomObject]@{
+                            mentionUsers = [PSCustomObject]@{
+                                mentionees       = $mentionees
+                                replyTemplate    = 'Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.'
+                                assignMentionees = 'False'
+                            }
                         }
-                    }
-                )
-            })
+                    )
+                })
+            }
         }
     }
 }
