Sync eng/common directory with azure-sdk-tools for PR 14219 #3833

Merged
azure-sdk merged 5 commits into main from sync-eng/common-AddGHAppWorkflowLogin-14219
Mar 2, 2026

@azure-sdk
Collaborator

Sync eng/common directory with azure-sdk-tools for PR Azure/azure-sdk-tools#14219. See eng/common workflow.

@azure-sdk requested a review from a team as a code owner February 27, 2026 23:05
@azure-sdk added the labels EngSys (This issue is impacting the engineering system.) and Central-EngSys (This issue is owned by the Engineering System team.) Feb 27, 2026
Contributor

Copilot AI left a comment

Pull request overview

Syncs eng/common GitHub-login tooling with azure-sdk-tools PR 14219 by extending the existing Key Vault–signed GitHub App token flow to work in GitHub Actions (in addition to Azure DevOps).

Changes:

  • Update login-to-github.ps1 to document GitHub Actions usage and export tokens via GITHUB_ENV with masking.
  • Add a composite GitHub Action wrapper that invokes the shared PowerShell script with inputs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| eng/common/scripts/login-to-github.ps1 | Adds GitHub Actions export/masking behavior and updates help text; tweaks signing error output. |
| eng/common/actions/login-to-github/action.yml | Introduces a composite action wrapper to call the shared login script in GitHub Actions. |
Comments suppressed due to low confidence (3)

eng/common/scripts/login-to-github.ps1:108

  • az keyvault key sign ... | ConvertFrom-Json will attempt JSON parsing even when az fails, which can throw before the $LASTEXITCODE check and also makes the error path unreliable (on non-JSON output $SignResultJson may never be set). Consider capturing the raw command output first, checking $LASTEXITCODE, and only then parsing JSON (and include the raw output/stderr in the thrown error).
  $SignResultJson = az keyvault key sign `
      --vault-name $VaultName `
      --name $KeyName `
      --algorithm RS256 `
      --digest $Base64Value | ConvertFrom-Json

  if ($LASTEXITCODE -ne 0) {
    throw "Failed to sign JWT with Azure Key Vault. Error: $($SignResultJson | ConvertTo-Json -Compress)"
  }

eng/common/actions/login-to-github/action.yml:96

  • The composite action’s inline PowerShell uses Join-Path to build $scriptPath. For consistent cross-platform path handling, prefer [System.IO.Path]::Combine(...) here (and optionally Resolve-Path before invoking) instead of Join-Path.
        $scriptPath = Join-Path $env:ACTION_PATH ".." ".." "scripts" "login-to-github.ps1"
        $owners = $env:INPUT_TOKEN_OWNERS -split ',' | ForEach-Object { $_.Trim() }

eng/common/actions/login-to-github/action.yml:51

  • The documentation/examples suggest using owners like azure-sdk and then referencing ${{ env.GH_TOKEN_<Owner> }}. If the owner contains - or other non-identifier characters, the resulting env var name will be hard to reference reliably in GitHub Actions and shells. Either document the required owner format / access pattern (e.g. bracket notation) or align the docs with a sanitized owner-to-variable-name mapping implemented by the script.
# Usage (multiple owners):
#         - uses: ./eng/common/actions/login-to-github
#           with:
#             token-owners: Azure,azure-sdk,MicrosoftDocs
#
#         - run: gh pr list --repo Azure/azure-sdk-tools
#           env:
#             GH_TOKEN: ${{ env.GH_TOKEN_Azure }}
#
# Tokens are exported to GITHUB_ENV so all subsequent steps can reference
# them as ${{ env.GH_TOKEN }} (single owner) or ${{ env.GH_TOKEN_<Owner> }}
# (multiple owners). This matches the Azure DevOps behavior where tokens
# are set as pipeline variables.
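
The owner-name concern in the last suppressed comment, as an added example that is not code from login-to-github.ps1 or from this PR: a sanitized owner-to-variable-name mapping that rejects collisions and line breaks before anything is masked or written to a GITHUB_ENV-style file. The function names, the underscore replacement rule and the token values are assumptions constructed for illustration.

```powershell
# Added example: hypothetical mapping, not the logic in login-to-github.ps1.
function ConvertTo-TokenVariableName {
    param([Parameter(Mandatory)][string]$Owner)
    # Keep only characters that are safe in env var names across shells and
    # in the ${{ env.NAME }} dot syntax; everything else becomes "_".
    $suffix = $Owner.Trim() -replace '[^A-Za-z0-9_]', '_'
    if (-not $suffix) { throw "Owner name is empty." }
    "GH_TOKEN_$suffix"
}

function Export-OwnerToken {
    param(
        [Parameter(Mandatory)][string[]]$Owners,
        [Parameter(Mandatory)][hashtable]$Tokens,  # owner -> token
        [Parameter(Mandatory)][string]$EnvFile     # $env:GITHUB_ENV in a workflow
    )
    # Pass 1: validate everything first so a failure leaves the file untouched.
    # [ordered]@{} compares keys case-insensitively, so "Azure" and "azure"
    # collide too, matching how Windows treats environment variable names.
    $plan = [ordered]@{}
    foreach ($owner in $Owners) {
        $name = ConvertTo-TokenVariableName -Owner $owner
        if ($plan.Contains($name)) {
            throw "More than one owner maps to $name (second: '$owner')."
        }
        $token = $Tokens[$owner]
        # A line break in the value would add extra NAME=value lines to the file.
        if (-not $token -or $token -match '[\r\n]') {
            throw "Token for '$owner' is missing or contains a line break."
        }
        $plan[$name] = $token
    }
    # Pass 2: mask each value before it is written anywhere, then export it.
    foreach ($name in $plan.Keys) {
        Write-Host "::add-mask::$($plan[$name])"
        Add-Content -Path $EnvFile -Value "$name=$($plan[$name])"
    }
    @($plan.Keys)
}

# Constructed sample input: owner names from the usage text, placeholder tokens.
$envFile = [System.IO.Path]::GetTempFileName()
$tokens = @{ 'Azure' = 'constructed-token-1'; 'azure-sdk' = 'constructed-token-2'
             'MicrosoftDocs' = 'constructed-token-3'; 'azure_sdk' = 'constructed-token-4' }
Export-OwnerToken -Owners 'Azure', 'azure-sdk', 'MicrosoftDocs' -Tokens $tokens -EnvFile $envFile

# 'azure-sdk' and 'azure_sdk' sanitize to the same name, so this call throws.
try { Export-OwnerToken -Owners 'azure-sdk', 'azure_sdk' -Tokens $tokens -EnvFile $envFile }
catch { Write-Host "Rejected: $($_.Exception.Message)" }
```

With a mapping like this, the `azure-sdk` token is read back as `${{ env.GH_TOKEN_azure_sdk }}` rather than through a name containing a hyphen.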

@azure-sdk azure-sdk merged commit 6aa2c02 into main Mar 2, 2026
27 checks passed
@azure-sdk azure-sdk deleted the sync-eng/common-AddGHAppWorkflowLogin-14219 branch March 2, 2026 20:55