From 7452ae7ed26cf41667f2fc85c46011a5259f7e31 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Mar 2026 15:21:04 +0000
Subject: [PATCH 1/5] Initial plan
From 68ab53dd1740754398402a57b6137a7ba11eb84f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Mar 2026 15:24:29 +0000
Subject: [PATCH 2/5] Add Key Vault underscore warning and document AUTHCONTEXT secret resolution lookup chain

Co-authored-by: spetersenms <79980472+spetersenms@users.noreply.github.com>
---
 Actions/ReadSecrets/ReadSecretsHelper.psm1 | 1 +
 Scenarios/RegisterProductionEnvironment.md | 3 +++
 Scenarios/RegisterSandboxEnvironment.md | 3 +++
 Scenarios/secrets.md | 25 ++++++++++++++++++++--
 4 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/Actions/ReadSecrets/ReadSecretsHelper.psm1 b/Actions/ReadSecrets/ReadSecretsHelper.psm1
index c00c8f4c4e..b6a6c61466 100644
--- a/Actions/ReadSecrets/ReadSecretsHelper.psm1
+++ b/Actions/ReadSecrets/ReadSecretsHelper.psm1
@@ -157,6 +157,7 @@ function GetKeyVaultSecret {
 }
 if ($secret.Contains('_')) {
 # Secret name contains a '_', which is not allowed in Key Vault secret names
+ Write-Host "::warning::Secret name '$secret' contains an underscore ('_'), which is not supported in Azure Key Vault. The Key Vault lookup will be skipped for this secret. Consider using a dash ('-') instead (e.g., '$($secret.Replace('_','-'))') when storing secrets in Azure Key Vault."
 return $null
 }
diff --git a/Scenarios/RegisterProductionEnvironment.md b/Scenarios/RegisterProductionEnvironment.md
index 29b65afff8..1d007ccbfc 100644
--- a/Scenarios/RegisterProductionEnvironment.md
+++ b/Scenarios/RegisterProductionEnvironment.md
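Review bot: The new warning fires on every call of GetKeyVaultSecret with an underscore-containing name, and the secrets.md text added in this same patch describes `_AuthContext` as a regular step in the lookup chain, so on a Key Vault-backed repository this looks like it will be emitted on each per-environment lookup even when the dash variant or the generic `AuthContext` later resolves — worth confirming against the caller, which is outside this hunk. A `::warning::` annotation that shows up on every healthy run teaches users to ignore the annotations that matter. If the underscore candidate is always tried as part of the chain, consider logging it as plain informational output here and raising the warning only in the caller when no candidate resolves, or deduplicating the warning per secret name for the run. GetKeyVaultSecret's body starts and ends outside the hunk.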
@@ -9,6 +9,9 @@
 ![Publish to MYPROD](https://github.com/user-attachments/assets/fdb05510-2785-483a-b2f3-98a2fe36bfc4)
 
+> [!NOTE]
+> **GitHub Environment secrets** (defined under the environment in GitHub) are only injected into jobs that explicitly declare an `environment:` property. The AL-Go Initialization job that performs the auth check does **not** have this property, so environment-scoped `AUTHCONTEXT` secrets are **not** available at that step. The secret **is** available in the downstream deploy job. If you prefer the secret to be resolved during the initialization auth check as well, define it as a **repository secret** using the naming convention `-AuthContext` (e.g., `MYPROD-AuthContext`) instead of as an environment secret named `AUTHCONTEXT`. See [secrets documentation](secrets.md#AuthContext) for the full lookup order.
+
 1. When running the **Publish to Environment** workflow, you should see that the app is deployed to the **MYPROD** environment only.
 
 ![MYPROD](https://github.com/user-attachments/assets/04dab8af-57b4-4bc3-a0c2-6e6869d8df34)
 
diff --git a/Scenarios/RegisterSandboxEnvironment.md b/Scenarios/RegisterSandboxEnvironment.md
index 0a40c6bbc5..7cab643589 100644
--- a/Scenarios/RegisterSandboxEnvironment.md
+++ b/Scenarios/RegisterSandboxEnvironment.md
@@ -18,6 +18,9 @@
 > [!NOTE]
 > The secret **NEEDS** to be compressed JSON and there should **NOT** be a newline after the secret value.
 
+> [!NOTE]
+> **GitHub Environment secrets** (defined under the environment in GitHub) are only injected into jobs that explicitly declare an `environment:` property. The AL-Go Initialization job that performs the auth check does **not** have this property, so environment-scoped `AUTHCONTEXT` secrets are **not** available at that step. The secret **is** available in the downstream deploy job, which is sufficient for deployment. If you prefer the secret to be resolved during the initialization auth check as well, define it as a **repository secret** using the naming convention `-AuthContext` (e.g., `QA-AuthContext`) instead of as an environment secret named `AUTHCONTEXT`. See [secrets documentation](secrets.md#AuthContext) for the full lookup order.
+
 3. Navigate to **Actions**, select the **Publish To Environment** workflow and choose **Run workflow**. Enter **latest** in the **App version** field and the **name of your environment** or keep the * in the **environment to receive the new version** field. Click **Run workflow**.
 
 ![Publish To Environment](https://github.com/user-attachments/assets/9299009a-b429-477d-b1d0-c5bf96455a93)
diff --git a/Scenarios/secrets.md b/Scenarios/secrets.md
index 42d6f2652e..031b8e0dfa 100644
--- a/Scenarios/secrets.md
+++ b/Scenarios/secrets.md
@@ -58,7 +58,7 @@ If your GitHub organization might have many organizational secrets, please only
 The following is a list of secrets and a brief description:
 
 - [Azure_Credentials](#Azure_Credentials) - Connect to Azure
-- [AuthContext or \\_AuthContext](#AuthContext) - Deploy to an environment
+- [AuthContext, \-AuthContext, or \\_AuthContext](#AuthContext) - Deploy to an environment
 - [AppSourceContext](#AppSourceContext) - Deliver to AppSource
 - [StorageContext](#StorageContext) - Deliver to storage
 - [GitHubPackagesContext](#GitHubPackagesContext) - Deliver to GitHub Packages
@@ -107,7 +107,28 @@ With this setup, you can create a setting called `keyVaultCodesignCertificateNam
 
 ## **AuthContext** -> Deploy to an environment
 
-Whenever AL-Go for GitHub is doing to deploy to an environment, it will need an AuthContext secret. The AuthContext secret can be provided underneath the environment in GitHub. If you are using a private repository in the free GitHub plan, you do not have environments. Then you can create an AuthContext secret in the repository. If you have multiple environments, you can create different AuthContext secrets by using the environment name followed by an underscore and AuthContext (f.ex. **QA_AuthContext**).
+Whenever AL-Go for GitHub deploys to an environment, it needs an AuthContext secret. AL-Go resolves the AuthContext secret by looking up the following secret names **in order**, using the first one that resolves to a non-empty value:
+
+1. **`-AuthContext`** (dash variant, e.g. `QA-AuthContext`) – checked first
+2. **`_AuthContext`** (underscore variant, e.g. `QA_AuthContext`) – checked second
+3. **`AuthContext`** (generic fallback) – checked last
+
+> [!IMPORTANT]
+> **Azure Key Vault users:** Azure Key Vault does not allow underscores (`_`) in secret names. If Azure Key Vault is configured as your secrets provider, any secret whose name contains an underscore will be **skipped** during Key Vault lookup (a warning will be emitted in the workflow log). This means the underscore variant `_AuthContext` will not be found in Azure Key Vault. Use the **dash variant** `-AuthContext` when storing per-environment AuthContext secrets in Azure Key Vault, as dashes are permitted in Key Vault secret names.
+
+> [!WARNING]
+> **Multi-environment and multi-tenant repos:** If neither `-AuthContext` nor `_AuthContext` resolves to a value, AL-Go **silently falls back** to the generic `AuthContext` secret. The workflow log will only show `Using AuthContext secret as AuthContext` — no warning is emitted that a per-environment secret was expected but not found. In repositories with multiple environments (for example, different customer tenants), this means a missing per-environment secret will cause all environments to deploy using the same shared credentials, which may not be the intended behavior. Ensure all environments that require credential isolation have a per-environment `-AuthContext` or `_AuthContext` secret defined.
+
+> [!NOTE]
+> **GitHub Environment secrets scope:** GitHub Actions only injects environment-scoped secrets into jobs that explicitly declare an `environment:` property. The `AuthContext` resolution in the **Initialization job** (which performs the auth check before deployment) does **not** have an `environment:` property set. This means an `AUTHCONTEXT` secret defined as a **GitHub Environment secret** will not be visible to the auth-check step in the Initialization job. To ensure the AuthContext secret is found during initialization, define it as a **repository secret** or **organization secret** using the per-environment naming convention (`-AuthContext` or `_AuthContext`), rather than as a GitHub Environment secret named `AUTHCONTEXT`.
+
+The AuthContext secret can be provided in the following ways:
+
+- As a **GitHub Environment secret** named `AUTHCONTEXT` under the environment (note the scope limitation above — this is available in the deploy job but not the initialization auth-check)
+- As a **repository or organization secret** named `-AuthContext` or `_AuthContext` (recommended for per-environment isolation)
+- As a **repository or organization secret** named `AuthContext` (generic fallback for all environments)
+
+If you are using a private repository with the free GitHub plan and do not have access to GitHub Environments, use the per-environment naming convention as a repository secret.
 
 ### Managed identity
 
From 454ccbac8cc31c56a8dcea3b1ffefb1dfb60317b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Mar 2026 15:17:59 +0000
Subject: [PATCH 3/5] Remove incorrect GitHub Environment secret scope notes; auth check in Init only runs for unknown environments

Co-authored-by: spetersenms <79980472+spetersenms@users.noreply.github.com>
---
 Scenarios/RegisterSandboxEnvironment.md | 3 ---
 Scenarios/secrets.md | 5 +----
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/Scenarios/RegisterSandboxEnvironment.md b/Scenarios/RegisterSandboxEnvironment.md
index 7cab643589..0a40c6bbc5 100644
--- a/Scenarios/RegisterSandboxEnvironment.md
+++ b/Scenarios/RegisterSandboxEnvironment.md
@@ -18,9 +18,6 @@
 > [!NOTE]
 > The secret **NEEDS** to be compressed JSON and there should **NOT** be a newline after the secret value.
 
-> [!NOTE]
-> **GitHub Environment secrets** (defined under the environment in GitHub) are only injected into jobs that explicitly declare an `environment:` property. The AL-Go Initialization job that performs the auth check does **not** have this property, so environment-scoped `AUTHCONTEXT` secrets are **not** available at that step. The secret **is** available in the downstream deploy job, which is sufficient for deployment. If you prefer the secret to be resolved during the initialization auth check as well, define it as a **repository secret** using the naming convention `-AuthContext` (e.g., `QA-AuthContext`) instead of as an environment secret named `AUTHCONTEXT`. See [secrets documentation](secrets.md#AuthContext) for the full lookup order.
-
 3. Navigate to **Actions**, select the **Publish To Environment** workflow and choose **Run workflow**. Enter **latest** in the **App version** field and the **name of your environment** or keep the * in the **environment to receive the new version** field. Click **Run workflow**.
 
 ![Publish To Environment](https://github.com/user-attachments/assets/9299009a-b429-477d-b1d0-c5bf96455a93)
diff --git a/Scenarios/secrets.md b/Scenarios/secrets.md
index 031b8e0dfa..c200970eaf 100644
--- a/Scenarios/secrets.md
+++ b/Scenarios/secrets.md
@@ -119,12 +119,9 @@ Whenever AL-Go for GitHub deploys to an environment, it needs an AuthContext sec
 > [!WARNING]
 > **Multi-environment and multi-tenant repos:** If neither `-AuthContext` nor `_AuthContext` resolves to a value, AL-Go **silently falls back** to the generic `AuthContext` secret. The workflow log will only show `Using AuthContext secret as AuthContext` — no warning is emitted that a per-environment secret was expected but not found. In repositories with multiple environments (for example, different customer tenants), this means a missing per-environment secret will cause all environments to deploy using the same shared credentials, which may not be the intended behavior. Ensure all environments that require credential isolation have a per-environment `-AuthContext` or `_AuthContext` secret defined.
 
-> [!NOTE]
-> **GitHub Environment secrets scope:** GitHub Actions only injects environment-scoped secrets into jobs that explicitly declare an `environment:` property. The `AuthContext` resolution in the **Initialization job** (which performs the auth check before deployment) does **not** have an `environment:` property set. This means an `AUTHCONTEXT` secret defined as a **GitHub Environment secret** will not be visible to the auth-check step in the Initialization job. To ensure the AuthContext secret is found during initialization, define it as a **repository secret** or **organization secret** using the per-environment naming convention (`-AuthContext` or `_AuthContext`), rather than as a GitHub Environment secret named `AUTHCONTEXT`.
-
 The AuthContext secret can be provided in the following ways:
 
-- As a **GitHub Environment secret** named `AUTHCONTEXT` under the environment (note the scope limitation above — this is available in the deploy job but not the initialization auth-check)
+- As a **GitHub Environment secret** named `AUTHCONTEXT` under the environment (available in the deploy job when targeting that GitHub Environment)
 - As a **repository or organization secret** named `-AuthContext` or `_AuthContext` (recommended for per-environment isolation)
 - As a **repository or organization secret** named `AuthContext` (generic fallback for all environments)
 
From a6dcd29186fba615ee28e9aed26ef1f7433c09a3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 7 Apr 2026 12:51:28 +0000
Subject: [PATCH 4/5] Fix mdformat violations and remove incorrect RegisterProductionEnvironment auth note

Agent-Logs-Url: https://github.com/microsoft/AL-Go/sessions/6e8636e1-2925-4f31-91c1-b9ab5af389cd
Co-authored-by: spetersenms <79980472+spetersenms@users.noreply.github.com>
---
 Scenarios/RegisterProductionEnvironment.md | 3 ---
 Scenarios/secrets.md | 4 ++--
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/Scenarios/RegisterProductionEnvironment.md b/Scenarios/RegisterProductionEnvironment.md
index 1d007ccbfc..29b65afff8 100644
--- a/Scenarios/RegisterProductionEnvironment.md
+++ b/Scenarios/RegisterProductionEnvironment.md
@@ -9,9 +9,6 @@
 ![Publish to MYPROD](https://github.com/user-attachments/assets/fdb05510-2785-483a-b2f3-98a2fe36bfc4)
 
-> [!NOTE]
-> **GitHub Environment secrets** (defined under the environment in GitHub) are only injected into jobs that explicitly declare an `environment:` property. The AL-Go Initialization job that performs the auth check does **not** have this property, so environment-scoped `AUTHCONTEXT` secrets are **not** available at that step. The secret **is** available in the downstream deploy job. If you prefer the secret to be resolved during the initialization auth check as well, define it as a **repository secret** using the naming convention `-AuthContext` (e.g., `MYPROD-AuthContext`) instead of as an environment secret named `AUTHCONTEXT`. See [secrets documentation](secrets.md#AuthContext) for the full lookup order.
-
 1. When running the **Publish to Environment** workflow, you should see that the app is deployed to the **MYPROD** environment only.
 
 ![MYPROD](https://github.com/user-attachments/assets/04dab8af-57b4-4bc3-a0c2-6e6869d8df34)
 
diff --git a/Scenarios/secrets.md b/Scenarios/secrets.md
index c200970eaf..80ce912342 100644
--- a/Scenarios/secrets.md
+++ b/Scenarios/secrets.md
@@ -110,8 +110,8 @@ With this setup, you can create a setting called `keyVaultCodesignCertificateNam
 Whenever AL-Go for GitHub deploys to an environment, it needs an AuthContext secret. AL-Go resolves the AuthContext secret by looking up the following secret names **in order**, using the first one that resolves to a non-empty value:
 
 1. **`-AuthContext`** (dash variant, e.g. `QA-AuthContext`) – checked first
-2. **`_AuthContext`** (underscore variant, e.g. `QA_AuthContext`) – checked second
-3. **`AuthContext`** (generic fallback) – checked last
+1. **`_AuthContext`** (underscore variant, e.g. `QA_AuthContext`) – checked second
+1. **`AuthContext`** (generic fallback) – checked last
 
 > [!IMPORTANT]
 > **Azure Key Vault users:** Azure Key Vault does not allow underscores (`_`) in secret names. If Azure Key Vault is configured as your secrets provider, any secret whose name contains an underscore will be **skipped** during Key Vault lookup (a warning will be emitted in the workflow log). This means the underscore variant `_AuthContext` will not be found in Azure Key Vault. Use the **dash variant** `-AuthContext` when storing per-environment AuthContext secrets in Azure Key Vault, as dashes are permitted in Key Vault secret names.
From c75a13f75ad58bdbd778c028e6d3995968db7263 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 30 Apr 2026 09:32:09 +0000
Subject: [PATCH 5/5] Use OutputWarning from DebugLogHelper instead of manual Write-Host warning

Agent-Logs-Url: https://github.com/microsoft/AL-Go/sessions/768bb54d-e3b0-4311-84bd-5d8359b3db6a
Co-authored-by: spetersenms <79980472+spetersenms@users.noreply.github.com>
---
 Actions/ReadSecrets/ReadSecretsHelper.psm1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Actions/ReadSecrets/ReadSecretsHelper.psm1 b/Actions/ReadSecrets/ReadSecretsHelper.psm1
index b6a6c61466..df8b47a091 100644
--- a/Actions/ReadSecrets/ReadSecretsHelper.psm1
+++ b/Actions/ReadSecrets/ReadSecretsHelper.psm1
@@ -157,7 +157,7 @@ function GetKeyVaultSecret {
 }
 if ($secret.Contains('_')) {
 # Secret name contains a '_', which is not allowed in Key Vault secret names
- Write-Host "::warning::Secret name '$secret' contains an underscore ('_'), which is not supported in Azure Key Vault. The Key Vault lookup will be skipped for this secret. Consider using a dash ('-') instead (e.g., '$($secret.Replace('_','-'))') when storing secrets in Azure Key Vault."
+ OutputWarning "Secret name '$secret' contains an underscore ('_'), which is not supported in Azure Key Vault. The Key Vault lookup will be skipped for this secret. Consider using a dash ('-') instead (e.g., '$($secret.Replace('_','-'))') when storing secrets in Azure Key Vault."
 return $null
 }
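Review bot: `$secret` is still interpolated into the message, and the line being replaced wrote that message into a `::warning::` workflow command; if OutputWarning also emits a workflow command, it should neutralise line breaks in the message (GitHub Actions treats each stdout line starting with `::` as a command), or the secret name should be validated to the character set Key Vault and GitHub accept before it reaches this branch — worth confirming in DebugLogHelper, which is not part of this diff. The commit title says OutputWarning comes from DebugLogHelper, but this hunk adds no import, so the helper presumably is already loaded by ReadSecretsHelper.psm1; please confirm, since a missing function would only surface at runtime when an underscore-named secret hits this path. The existing comment explains the Key Vault rule but not the outcome; extending it to `# Secret name contains a '_', which is not allowed in Key Vault secret names; warn and skip the Key Vault lookup (caller falls through to other secret sources)` would make the `return $null` self-explanatory, with the parenthetical confirmed against the caller. GetKeyVaultSecret's body starts and ends outside the hunk.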