Fix forked repo local SQL Server passwords #3950
Conversation
paulmedynski
added
the
Area\Engineering
There was a problem hiding this comment.
Pull request overview
This PR fixes an issue introduced in #3928 where the removal of a password generation mechanism broke pipeline runs from forked repositories. Forked repos don't have access to Azure DevOps Library variable groups, which contain the $(Password) variable needed for local SQL Server configuration. The fix re-introduces password generation for forked PRs and removes redundant condition parameters from SQL Server configuration templates.
Changes:
- Adds password generation logic for forked repos using
System.PullRequest.IsForkcheck in the test job template - Removes redundant
conditionparameter and its uses from all SQL Server configuration step templates (Windows, Linux, macOS) - Removes condition parameter overrides from the build stage that were calling these templates
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| eng/pipelines/common/templates/jobs/ci-run-tests-job.yml | Adds password generation step for forked repos using GUID; sets Password variable before SQL Server setup |
| eng/pipelines/stages/build-azure-package-ci-stage.yml | Removes condition parameter overrides when calling SQL Server setup templates |
| eng/pipelines/common/templates/steps/configure-sql-server-win-step.yml | Removes condition parameter definition and all condition attributes from steps |
| eng/pipelines/common/templates/steps/configure-sql-server-macos-step.yml | Removes condition parameter definition and condition attribute from step |
| eng/pipelines/common/templates/steps/configure-sql-server-linux-step.yml | Removes condition parameter definition and condition attribute from step |
| # Test Configuration properties", brought in by common/templates/libraries/ci-build-variables.yml. | ||
|
|
||
| parameters: | ||
| - name: condition |
There was a problem hiding this comment.
These condition parameters were not being used. The OS-specific config templates were already being used only for the appropriate OS anyway.
|
@paulmedynski Happy to help verify this |
|
@ErikEJ - Sure, have at 'er. Can you make a PR based on the branch of this PR and submit it as draft? That should use these changes and let us see how the PR runs perform. |
Codecov Report✅ All modified and coverable lines are covered by tests.
Additional details and impacted files@@ Coverage Diff @@
## main #3950 +/- ##
==========================================
- Coverage 74.53% 67.23% -7.31%
==========================================
Files 266 260 -6
Lines 42915 65704 +22789
==========================================
+ Hits 31987 44176 +12189
- Misses 10928 21528 +10600
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
I'm testing these changes with my own fork via #3952. |
- Re-introduce a pipeline-generated random password for forked builds.
- Addressed Copilot feedback.
eng/pipelines/common/templates/steps/update-config-file-step.yml
Outdated
Show resolved
Hide resolved
paulmedynski
force-pushed
the
dev/paul/db-password
branch
from
a567b28 to
0948c0b
Compare
- Adding diagnostics to help understand why AAD Password auth is failing.
- Removed forced debug flag. - Addressed Copilot comments.
paulmedynski
left a comment
paulmedynski
left a comment
There was a problem hiding this comment.
Commentary for reviewers, and some things for me to fix.
| default: false | ||
|
|
||
| # The SA password to set when configuring SQL Server. | ||
| - name: saPassword |
There was a problem hiding this comment.
I decided to plumb the SA password down to all of the steps that need it via parameters rather than using (global) variables. This is the approach we will be taking with the new pipelines.
| - template: /eng/pipelines/common/templates/steps/update-config-file-step.yml | ||
| parameters: | ||
| # We use the Library $(Password) variable as the SA password in this pipeline. | ||
| saPassword: $(Password) |
There was a problem hiding this comment.
The ADO.Net pipelines never run against forks, so they always have access to the Library variables. I didn't convert this pipeline to use parameters instead of global variables - it wasn't worth it.
| variables: | ||
| # Bring the SA password from the secrets_stage into scope here. | ||
| - name: saPassword | ||
| value: $[stageDependencies.secrets_stage.secrets_job.outputs['SaPassword.Value']] |
There was a problem hiding this comment.
This is the magic that fetches the SA password from the secrets_stage and expands it into a variable we can use as a parameter to the downstream jobs and steps.
This $[ ... ] syntax is not evaluated if used directly as a parameter value, so we must use this intermediate variable.
| $p.TCPConnectionString="${{parameters.TCPConnectionString }}" | ||
|
|
||
| $p.NPConnectionString="${{parameters.NPConnectionString }}" | ||
| # Some of the connection strings brought in from Azure DevOps Library groups expect a runtime |
There was a problem hiding this comment.
This sneakiness will disappear in the new pipelines because we won't be storing connection strings in Library variables. They will be checked-in with the pipeline YAML.
| # | ||
| # secrets_stage | ||
| # | ||
| # None of the values produced here are actual secrets - they are just random values that are |
There was a problem hiding this comment.
This is mainly here to suppress Copilot complaining.
| # and password of '$(Password)'. The $(Password) variable is defined in the ADO | ||
| # Library "ADO Test Configuration properties", brought in by | ||
| # common/templates/libraries/ci-build-variables.yml. | ||
| # and the provided password. |
There was a problem hiding this comment.
@paulmedynski No password is provided here.
| # Pipeline runs against forks of the repo don't have access to Library secrets, so we | ||
| # omit them entirely from the configProperties, which causes the dependent tests to be | ||
| # skipped. | ||
| ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}: |
There was a problem hiding this comment.
The docs define this variable with title-case.
| EnclaveEnabled: true | ||
| AADAuthorityURL: $(AADAuthorityURL) | ||
| AADServicePrincipalId: $(AADServicePrincipalId) | ||
| ${{ if eq(variables['system.pullRequest.isFork'], 'False') }}: |
There was a problem hiding this comment.
No need to check for a fork again.
| DebugEmit = GetEnvFlag("TEST_DEBUG_EMIT"); | ||
| SystemAccessToken = GetEnvVar("SYSTEM_ACCESSTOKEN"); | ||
|
|
||
| // Circumvent pipeline masking of things it considers secrets by base64 encoding them. We |
There was a problem hiding this comment.
The whole point of debug mode is to see the config values, regardless of whether or not Azure DevOps thinks they are secrets.
3 participants
Description
#3928 broke forked pipeline runs by removing the generated password used for local SQL Server configuration. This PR re-introduces it with documentation explaining why it exists :)
Testing